HIPAA Resources

HIPAA Workbook for ASCs

ASCA developed the HIPAA Workbook for ASCs to help ASCs meet HIPAA requirements and reduce their HIPAA-associated risks. Visit ASCA's online store for more information.

What Is the Health Insurance Portability and Accountability Act (HIPAA)?

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to address multiple health care issues including administrative simplification. The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Adopting these standards will improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.

The administrative simplification provisions of HIPAA include requirements in four key areas.

Privacy

The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. The Department of Health and Human Services (HHS) has issued the regulation, "Standards for Privacy of Individually Identifiable Health Information," applicable to entities covered by HIPAA. The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the privacy regulation.

Security

The Security standard specifies a series of administrative, technical, and physical security procedures for covered entities to use to ensure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.

Breach Notification

Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

Enforcement

The US Department of Health and Human Services' Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. OCR enforces HIPAA's requirements by investigating complaints filed with it, conducting compliance reviews to determine if covered entities are in compliance, and performing education and outreach to foster compliance.

Additional information about HIPAA can be found on the US Department of Health & Human Services' website.