Under the HIPAA Privacy Rule, enforced by the U.S. Department of Health and Human Services' Office for Civil Rights since its 2003 compliance date, your individually identifiable health information may not be used or disclosed without your permission except in the ways the rule specifically allows. That information, called protected health information (PHI), includes anything your doctor or other health care provider puts in your medical record, conversations your provider has about your care with other doctors, nurses and medical professionals, your billing information, and any identifiable information your health plan holds about you in its computer systems [source: HHS].
The HIPAA Security Rule governs how electronic PHI (ePHI) is stored, transmitted and accessed. The standard electronic transactions covered by HIPAA include claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment status, referrals and authorizations, coordination of benefits and premium payment [source: Centers for Medicare & Medicaid Services]. Covered entities are legally obligated to conduct these transactions according to HIPAA's standards. Before a covered entity lets a contractor (a business associate) create, receive or handle your PHI on its behalf, the two must sign a business associate agreement, a legal contract binding the contractor to protect your information, whether it is processing an online claim, pulling up your records on a tablet or handling another electronic administrative transaction. Covered entities and their business associates must maintain administrative safeguards such as documented policies, risk analysis, workforce training and backup and recovery planning; physical safeguards such as facility and device access controls; and technical safeguards such as user access controls, audit logs and encryption. They must also give you a notice of privacy practices explaining how your health information may be used and disclosed, and for uses and disclosures beyond treatment, payment and health care operations they generally need your written authorization.
Outside of covered entities and their business associates, HIPAA doesn't apply. Your employer (acting as an employer rather than as a health plan), workers' compensation carriers, life insurers, school districts, state agencies such as child protective services, law enforcement agencies and other municipal offices are generally not bound by it, even when they hold your health information. What makes a health care provider a covered entity is conducting any of the standard transactions electronically. The account manager who uses a computer to verify your insurance eligibility is performing exactly such a transaction, which makes the practice a covered entity, and from then on HIPAA's confidentiality rules protect all of its PHI in every form, including a phone conversation. Only a provider that never transmits any standard transaction electronically (for example, a practice that bills entirely on paper) falls outside HIPAA, and in that case even a phone call confirming your eligibility is not protected by it.