The HIPAA law: All you need to know
Understanding the HIPAA law (Health Insurance Portability and Accountability Act) is essential for anyone working in or interacting with the US healthcare industry. Whether you’re a patient concerned about your privacy or a business aiming for HIPAA compliance, this comprehensive guide will answer your questions.
What is HIPAA?
The Health Insurance Portability and Accountability Act is a US federal law designed to safeguard the privacy and security of protected health information (PHI). It establishes clear rules for how healthcare organizations and their partners handle patients’ sensitive data.
A HIPAA-covered entity is a healthcare provider, health insurer, its business associate, or any organization that deals with PHI, whether in paper or electronic form. If your business interacts with patient health data, you’re required to comply.
HIPAA is enforced by the Office for Civil Rights (OCR) under the Department of Health and Human Services. HIPAA usually takes precedence over state laws protecting medical information — unless a state law offers stricter protections.
What is the purpose of HIPAA?
The Health Insurance Portability and Accountability Act was designed to set federal standards for protecting health information while ensuring healthcare organizations have access to the data they need for effective care.
HIPAA was created to address key issues in healthcare, with three main objectives:
- Ensuring people maintain health insurance between jobs
- Standardizing electronic billing practices
- Providing rules for handling protected health information
Ultimately, HIPAA bridges the gap between protecting individual rights and modernizing healthcare operations.
What entities are covered by HIPAA?
HIPAA applies to organizations and individuals that handle protected health information (PHI) as part of their operations. These include:
- Healthcare providers. Doctors, hospitals, clinics, and pharmacies
- Health plans. Health, dental, vision, and prescription drug insurers as well as health maintenance organizations (HMOs) and government programs like Medicare and Medicaid
- Healthcare clearinghouses. Organizations that process health information between providers and insurers, like billing services
- Business associates. Non-members of a covered entity’s workforce that use individually identifiable health information to perform services for the covered entity
To comply with HIPAA requirements, every covered entity must implement safeguards for protecting PHI. This includes adhering to the HIPAA Privacy Rule, the HIPAA Security Rule, and other standards set by the US Department of Health and Human Services.
What information does HIPAA protect?
The HIPAA Privacy Rule safeguards all individually identifiable health information handled or shared by a covered entity, including:
- Personal identifiers. Names, Social Security numbers
- Contact information. Geographical identifiers, phone and fax numbers, email addresses
- Health information. An individual’s past, present, or future physical or mental health condition
- Medical and health-related identifiers. Medical record numbers, health insurance beneficiary numbers
- Financial identifiers. Account numbers
- Identification numbers. Certificate and license numbers
- Biometric data. Fingerprints, retinal scans, and voice prints
- Technological identifiers. Device information, IP addresses, website URLs
- Visual identifiers. Full-face photographs
- Vehicle information. License plates
The Privacy Rule does not cover education records and records that a covered entity maintains in its capacity as an employer.
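As an added example (not code from the original article), the Python below scans a free-text record for the pattern-detectable identifier classes in the list above and redacts them before the text is logged or sent outside the covered entity; the regexes, the sample record and the category tags are constructed assumptions (US formats only), and names or record numbers still need a dictionary or context, not a regex.

```python
import re
from ipaddress import ip_address

# Simplified patterns (assumption: US formats) for identifier classes named above.
# Names, medical record numbers, account numbers, etc. have no fixed shape and
# are deliberately left out: they need a lookup table or context, not a regex.
IDENTIFIER_PATTERNS = {
    "Personal identifiers (SSN)": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Contact information (phone/fax)": re.compile(
        r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "Contact information (email)": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "Technological identifiers (IP address)": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Technological identifiers (URL)": re.compile(r"\bhttps?://[^\s\"'<>]+"),
}

def _valid(category, value):
    """Drop regex hits that cannot be the identifier they look like (e.g. 999.1.1.1)."""
    if "IP address" in category:
        try:
            ip_address(value)
        except ValueError:
            return False
    return True

def scan_record(text):
    """Return {category: sorted unique matches} for identifiers found in text."""
    found = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        hits = {m.group(0).rstrip(".,;)") for m in pattern.finditer(text)}
        hits = {h for h in hits if _valid(category, h)}
        if hits:
            found[category] = sorted(hits)
    return found

def redact_record(text):
    """Replace every detected identifier with its category tag for safe logging."""
    for category, hits in scan_record(text).items():
        tag = "[REDACTED:" + category.split("(")[1].rstrip(")") + "]"
        for hit in hits:
            text = text.replace(hit, tag)
    return text

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = (
    "Patient Jane Roe, SSN 123-45-6789, phone (555) 123-4567, "
    "email jane.roe@example.com, portal login from 203.0.113.7 "
    "via https://portal.example.net/records/42. Diagnosis: hypertension."
)

if __name__ == "__main__":
    for category, hits in scan_record(SAMPLE_RECORD).items():
        print(category, "->", hits)
    print(redact_record(SAMPLE_RECORD))
```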
What is HIPAA compliance?
HIPAA compliance is adherence to the US Health Insurance Portability and Accountability Act (HIPAA). It requires companies that work with protected health information to implement and follow physical, network, and process security measures.
To achieve compliance, a covered entity needs to focus on these key areas:
- Administrative safeguards. This includes creating clear written policies and procedures for managing PHI, appointing a privacy and security officer, training employees on HIPAA regulations, and risk analysis and management.
- Physical safeguards. This requirement is about controlling physical access to spaces where PHI is stored. That means restricting entry to only authorized personnel, using security cameras, and properly disposing of devices or media that contain PHI.
- Technical safeguards. Protecting electronic protected health information (ePHI) requires strong access controls, like unique user IDs and secure passwords. Data should be encrypted both at rest and in transit to keep it safe. Other measures include regular software updates, security patches, and monitoring network activity to detect unauthorized access or potential breaches.
- Breach notification. If a data breach involving PHI occurs, a covered entity must notify affected patients and the Department of Health and Human Services (HHS).
- Business associate agreements. Covered entities must have contracts with their business associates that spell out HIPAA compliance requirements.
- National provider identifier standard. HIPAA-covered entities, including individuals, employers, health plans, healthcare providers, and healthcare clearinghouses, must have a unique 10-digit national provider identifier number, or NPI.
- Privacy Rule. The Privacy Rule establishes national standards for how covered entities can use and disclose PHI. Entities must set policies and procedures to comply, including getting patient consent before sharing PHI, putting reasonable safeguards in place to protect it, and ensuring patients can access and request corrections to their own health information.
- Security Rule. The Security Rule enforces the requirements above and requires covered entities to put in place measures to prevent unauthorized access, use, or disclosure of electronic protected health information (ePHI).
What are the five sections of HIPAA?
HIPAA is divided into five key sections, each addressing specific aspects of healthcare regulation.
Title I: Health insurance reform
Title I of HIPAA ensures workers and their families can keep health insurance coverage if they change or lose jobs. It also sets rules for the availability and scope of group health plans and certain individual insurance policies. A key provision prohibits discrimination in health insurance based on pre-existing conditions.
Title II: Administrative simplification provisions
Title II addresses healthcare-related offenses and establishes penalties for violations, both civil and criminal. It also requires covered entities to use standardized electronic healthcare transactions and codes. However, the cornerstone of Title II lies in its administrative simplification rules. These require the Department of Health and Human Services (HHS) to establish national standards to protect the privacy and security of individually identifiable health information and improve the efficiency of the healthcare system.
Title III: Tax-related health provisions
Title III focuses on the tax side of healthcare. It includes provisions for medical savings accounts (MSAs), offering tax advantages for those who save for future medical expenses. It also sets standards for long-term care insurance, ensuring these policies align with federal tax rules.
Title IV: Application and enforcement of group health plan requirements
Title IV strengthens protections for health insurance portability and continuity. It sets clear rules for group health plans, specifically addressing coverage exclusions and renewability. These guidelines help ensure that people keep their healthcare coverage even when facing life changes or job transitions.
Title V: Revenue offsets
Title V includes rules governing life insurance policies owned by businesses and outlines tax implications for people who renounce their US citizenship.
What are the rules of HIPAA?
HIPAA is built on three key rules that ensure the privacy and security of protected health information: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
HIPAA Privacy Rule
The HIPAA Privacy Rule sets clear standards for using and disclosing protected health information. It limits how and when healthcare providers, health plans, and other entities can share patient data.
According to the Privacy Rule, covered entities must inform patients how their PHI is used. They are also required to track disclosures of PHI and document privacy policies and procedures. Providers that use an electronic health record (EHR) system must allow individuals to access their PHI in electronic form.
The Privacy Rule permits covered entities to disclose PHI without an individual’s authorization for 12 specific national priority purposes. They include:
- Victims of domestic violence or other assault.
- Judicial and administrative proceedings.
- Cadaveric organ, eye, or tissue donation.
- Workers’ compensation.
For any other purpose, the covered entity must obtain written authorization from the individual before disclosing PHI.
HIPAA Security Rule
The HIPAA Security Rule focuses specifically on protecting electronic protected health information (ePHI), a subset of data covered under the Privacy Rule. It applies to all individually identifiable health information created, received, maintained, or transmitted electronically by a covered entity.
The Security Rule outlines the technical and nontechnical safeguards required to secure ePHI, including encryption, firewalls, and secure access controls. Tools are available to help entities with risk analysis and remediation tracking.
The Security Rule is intentionally flexible, allowing organizations to tailor security measures to their size, structure, and specific risks.
HIPAA Breach Notification Rule
The Breach Notification Rule lays out the process for responding to a data breach involving protected health information (PHI). If a breach occurs, covered entities must notify:
- Affected individuals promptly and no later than 60 days after discovery of the breach.
- The Department of Health and Human Services (HHS).
- The media, if the breach impacts more than 500 people in a single state or jurisdiction.
Under HIPAA, a breach is defined as any impermissible use or disclosure of PHI that compromises its security or privacy. Unless a risk assessment shows a low probability of PHI compromise, such incidents are presumed to be breaches.
What is HIPAA intended for?
The HIPAA Privacy Rule is intended to limit the disclosure of health information, but it also ensures that health data can flow where it’s needed to deliver quality care and promote public health.
The HIPAA Security Rule complements this by focusing on protecting electronic health information (ePHI). It ensures that as healthcare organizations adopt new technologies, patient data remains secure without impeding innovation or care efficiency.
Note that HIPAA doesn’t restrict patients from sharing their own health information. It applies to how healthcare organizations handle PHI, not how individuals choose to disclose their personal health details to others, such as family members or friends.
What is a HIPAA violation?
A HIPAA violation happens when a covered entity fails to protect PHI or follow regulations, such as the Privacy Rule or the Security Rule. Examples include:
- Sharing individually identifiable health information without authorization.
- Failing to implement proper security measures.
- Not reporting a breach within the required timeframe.
HIPAA violations are handled by the US Department of Health and Human Services (HHS) through the Office for Civil Rights (OCR). Consequences can include civil penalties, criminal charges, or settlements, depending on the severity and intent.
For example, in July 2011, UCLA Health System agreed to pay $865,500 in a settlement related to potential HIPAA violations. From 2005 to 2008, unauthorized employees accessed patient electronic health records without legitimate cause, leading to an OCR investigation and enforcement action.
Organizations can lower the risk of violations through HIPAA compliance training. OCR provides educational programs to help entities understand and follow the Privacy and Security Rules. Organizations must also train their workforce on their internal privacy policies and procedures.