Health Insurance Portability & Accountability Act
Protecting the use and disclosure of protected health information.
Protecting Health Information
The Health Insurance Portability and Accountability Act was passed by Congress in 1996. The U.S. Department of Health and Human Services Office of Civil Rights (OCR) enforces the federal law.
The regulations established a Privacy Rule, Security Rule, and Enforcement Rule which regulate and protect the use and disclosure of protected health information. The regulation established a floor for the protection of protected health information. This means that when state laws are more protective of protected health information than the federal regulation, the state law controls instead of the federal law.
Several Tennessee privacy laws are more protective of citizens’ health information than federal law. The Tennessee Department of Health is a hybrid entity under the Health Insurance Portability and Accountability Act.
Contact the TDH Privacy Officer
Email: privacy.health@tn.gov
Privacy Hotline: (615) 253-5637 or 1-877-280-0054
Hybrid Designation
The Tennessee Department of Health operates as a hybrid entity under federal regulation. A hybrid entity is an organization that performs both covered and non-covered business operations under the federal law and has designated which offices operate as covered health care components. State confidentiality laws continue to apply to all Department Offices.
For more information regarding the Department's status as a hybrid entity, see Hybrid Entity Designation.
Documentation
Frequently Asked Questions
- Health Care Providers
- Health Care Clearinghouse
- Health Plans
Protected Health Information is all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Individually identifiable health information is information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition;
- The provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual;

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers, such as name, address, birth date, and Social Security number.
A patient has the right to submit a complaint if they:
- Believe their health provider has improperly used or disclosed their PHI;
- Have concerns about the provider’s HIPAA privacy policies; or,
- Have concerns about the provider’s compliance with its privacy policies.
The patient may file the complaint with either of the following:
- The provider’s Chief Privacy Officer; or,
- The US Department of Health and Human Services, Office of Civil Rights.
- Centers for Medicare and Medicaid Services
- Center for Medicare and Medicaid Services - Questions and Answers
- Office of Assistant Secretary for Planning and Evaluation - Administration Simplification Act
- Office of Civil Rights - View Privacy Rule, questions and answers
- Washington Press Corporation - Implementation Guides for Standard Transactions and information about Code Sets
This Page Last Updated: March 26, 2026 at 12:09 PM