Tighter patient privacy laws under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) took effect on April 14, 2003. The law requires all "covered entities" (i.e., healthcare providers, plans and clearinghouses) to ensure the privacy and security of Personal Health Information (PHI).
This includes any information that relates to an individual's physical and mental health, or to the provision or payment of healthcare. Employers that administer self-insured health plans are considered covered entities. Even an employer who operates a first-aid room staffed by health professionals can be considered covered under HIPAA, according to an article in the Association of Records Managers & Administrators Information Management Journal.