Ensuring the security, privacy, and protection of patients' healthcare data is critical for all healthcare personnel and institutions. In this age of fast-evolving information technology, this is truer than ever before. In the past, healthcare workers often collected patient data for research and usually omitted only the patients' names. This is no longer permitted: any protected health information (PHI) that can identify a patient or the patient's relatives, employers, or household members must be omitted before the data is used for research. The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, was enacted into federal law to ensure that patient medical data remains private and secure.[1][2][3][4][5] The law has two main sections: the Privacy Rule, which addresses the use and disclosure of individuals' health information, and the Security Rule, which sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.[6] The Privacy Rule specifies 18 elements that constitute PHI.[7] These identifiers include demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or to the provision of or payment for health care to an individual.

HIPAA was enacted to encompass three areas of patient care:

1. Portability of insurance, or the ability of a patient/worker to move to another place of work and be certain that insurance coverage is not denied.
2. Detection and enforcement of fraud and accountability.
3. Simplification of administrative procedures in health care and other professions (an area where communication and transmission of records are done electronically).

With improved technology, the role of wearable technology and androids in disclosing PHI is now under scrutiny.[8][9] The penalties for failing to comply with HIPAA can be severe.

To Whom Does HIPAA Apply?
HIPAA applies to all healthcare institutions and healthcare workers who submit claims electronically. For example, if you are a healthcare worker and you transmit, or even discuss, PHI with others who are not involved in that patient's care, you violate HIPAA. However, a HIPAA rule permits disclosure of PHI without prior consent for treatment, payment, and healthcare operations. This includes consultation between providers regarding a patient, referral of a patient, and information required by law for public health safety and reporting. These exceptions cover the majority of clinical uses of PHI. Other disclosures demand explicit patient consent, and the rules apply to everyone in a healthcare facility, including:

- Providers
- Nurses
- Pharmacists
- Administrative personnel
- Foodservice
- Clerical staff
- Janitorial service
- All other healthcare professionals

The HIPAA policies also apply to any interns and volunteers who work under supervision at a health clinic or hospital, and to third-party contractors or business associates, including:

- External laboratories
- External imaging services
- Outside computer repair technicians
- Accredited agencies that conduct patient surveys
- Medical equipment companies
- Pharmaceutical salespeople

Definition of PHI

HIPAA broadly defines PHI as any health information that is transmitted or maintained in electronic media. It is also important to know that PHI is not restricted to electronic media: any oral communication of individually identifiable health information also constitutes PHI. For example, if a surgery resident speaks about a surgical procedure in an elevator full of people, that can be a HIPAA violation if any PHI is mentioned. The majority of medical records in healthcare institutions and clinics meet the definition of PHI, including:

- Admission profile
- Billing records
- Patient profile
- Prescription records
- Referrals
- Discharge and follow-up appointments
Hence all healthcare institutions and clinics must satisfy HIPAA standards for security and privacy.