Arizona Medical Board
Official Website of the
Arizona Medical Board
The Board's mission is to protect public health and safety.


What is Health Insurance Portability and Accountability Act (HIPAA)?

HIPAA is a 1996 Act of Congress that established privacy standards for the use and release of patients’ personal health information, referred to as “protected health information.” HIPAA sets national standards to facilitate the electronic exchange of health information. It also sets standards for protecting the privacy and security of health information transmitted electronically. Although HIPAA was enacted in 1996, the Privacy Rules clarifying HIPAA did not take effect until April 2003.


Who needs to comply with HIPAA?

Only “covered entities” are required to comply with HIPAA. A “covered entity” is a health plan, a health care clearinghouse, or any health care provider who conducts certain health care transactions electronically, such as electronic billing and fund transfers.


Generally, what does HIPAA require the average health care provider to do?

For the average health care provider or health plan, the Privacy Rules require covered entities to:


  • Notify patients about their privacy rights and how their information can be used.
  • Adopt and implement privacy procedures for the practice, hospital, or plan.
  • Train employees so that they understand the privacy procedures.
  • Designate an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Secure patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Who can I contact if I want to report a HIPAA violation?

Anyone can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Complaints to the Office for Civil Rights must: (1) be filed in writing, either on paper or electronically; (2) name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rules; and (3) be filed within 180 days of when you knew that the act or omission complained of occurred. Any alleged violation must have occurred on or after April 14, 2003, for OCR to have authority to investigate.

If the violation occurred in Arizona, contact:

Office for Civil Rights
U.S. Department of Health & Human Services
50 United Nations Plaza – Room 322
San Francisco, CA 94102
(415) 437-8310; (415) 437-8311 (TDD)
(415) 437-8329 FAX

For additional information, contact the Office for Civil Rights at (800) 368-1019.