Health Insurance Portability and Accountability Act (HIPAA)

HIPAA Privacy and Security   

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets out provisions governing the use and disclosure of an individual's health information. The Maryland Health Care Commission (MHCC) provides resources to assist the health care industry in complying with the HIPAA privacy and security rules. Users of this information are encouraged to implement the HIPAA privacy and security standards in a manner that is reasonable and consistent with their organizational structure. HIPAA protects the confidentiality of a person's individually identifiable health information transmitted or maintained in electronic media. This regulation:

  • Gives patients control over the use of their health information;
  • Defines the boundaries for the use and disclosure of health records by covered entities, which can include a health plan, healthcare clearinghouse, and a healthcare provider;
  • Establishes standards that healthcare providers must comply with;
  • Limits the use of personal health information (PHI) and minimizes the chances of inappropriate disclosure;
  • Makes provisions for investigating compliance-related issues and holds violators accountable with civil or criminal penalties for violating the privacy of an individual's PHI; and
  • Permits disclosure of PHI without individual consent for individual healthcare needs, public benefit, and national interests.


The MHCC has developed the following documents that provide guidance in understanding and implementing HIPAA:

Key HITECH Changes to HIPAA

The Health Information Technology for Economic and Clinical Health Act (HITECH or Act) was passed by the federal government under the American Recovery and Reinvestment Act of 2009. HITECH represents a historic investment in health information technology to improve the quality of health care delivery and patient care. HITECH made changes to HIPAA, particularly with regard to strengthening the privacy and security of PHI and increasing the penalties for violations of HIPAA. This chart summarizes key modifications to HIPAA by HITECH, which began to take effect in 2010.

State versus Federal Comparison:  HIPAA Privacy Statute & Regulation

This document compares the similarities and differences in regulations addressing privacy of health care information between the Maryland Confidentiality Of Medical Records Act (MCRMA) and HIPAA.

The Centers for Medicare and Medicaid Services HIPAA Security Guidance: Portable Devices and External Systems or Hardware

This document provides information on how a covered entity and business associate may protect electronic protected health information (EPHI) when it is accessed or used offsite, or outside the organization's physical environment. These guidelines on remote access to or use of EPHI place emphasis on: risk analysis and risk management strategies; policies and procedures for safeguarding EPHI; and security awareness and training on the policies and procedures for safeguarding EPHI.

The American Recovery and Reinvestment Act of 2009 Updates to HIPAA Flyer

The American Recovery and Reinvestment Act of 2009 (ARRA), signed into law on February 17, 2009 by President Barack Obama, is an economic stimulus bill. This flyer lists the key privacy and security changes to HIPAA that resulted from ARRA.

HIPAA Privacy Rule Accounting of Disclosures under HITECH

This flyer summarizes the changes the HITECH Act made to the HIPAA Privacy Rule that require covered entities, including business associates, to provide an individual with an accounting of disclosures of their PHI that are likely to affect their personal and legal interests, and that give an individual the right to receive a report indicating who has accessed their electronic PHI.

More Information available at:


Last Updated: 3/13/2018