The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required Congress to enact a health information privacy law (the “Privacy Rule”), which transpired in August 2002. The Privacy Rule, which became effective on April 14, 2003, is intended to protect the privacy of an individual’s health care information.

Under HIPAA, “covered entities” must manage “protected health information,” or “PHI,” in accordance with the Privacy Rule.

Yale is considered a hybrid entity, meaning that certain departments must follow the HIPAA regulations. Thus, any research taking place at a “covered entity” within the University, and involving PHI, must comply with the Privacy Rule.