What is HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act, is a US federal law that regulates how patient health information is stored, transferred, used, and disclosed. It also aims to improve healthcare efficiency and reduce healthcare fraud and abuse.

What is the purpose of HIPAA?

HIPAA was created to: 

• Ensure uninterrupted health insurance coverage for individuals undergoing job transitions or job loss;
• Promote cost reduction in healthcare by establishing standardized electronic transmission methods for administrative and financial transactions;
• Combat healthcare insurance abuse, fraud, and wasteful practices; 
• Enhance accessibility to long-term care services and health insurance.

Who is covered by HIPAA?

HIPAA applies to two main groups: covered entities and their business associates.

Covered entities are:

• Health plans, including health insurance companies, HMOs, and government programs that pay for healthcare;
• Healthcare clearinghouses, which process healthcare transactions between covered entities;
• Healthcare providers, including doctors, dentists, hospitals, clinics, pharmacies, and nursing homes.

A business associate refers to an individual or organization that performs services for covered entities. These services involve the use of or access to protected health information (PHI) which is why business associates must comply with HIPAA rules and may be held liable for violations. Examples of business associates include third-party billing companies, IT service providers, and law firms.

The five titles under HIPAA

Title I: Health Insurance Reform 

Health insurance reform focuses on health insurance coverage and portability in order to ensure that individuals who change or lose their jobs have access to continuous coverage. It sets standards for health insurance plans and addresses issues such as pre-existing conditions.

Title II: Administrative Simplification

Administrative simplification aims to streamline transactions and improve efficiency in the healthcare industry. To do this, it includes provisions for electronic data interchange (EDI), establishing standards for electronic transactions as well as the privacy and security of health information. 

Title III: Tax-Related Health Provisions 

Title III outlines tax-related provisions that impact healthcare and health insurance coverage. These include medical savings accounts, long-term care insurance, and tax deductions for certain healthcare expenses.

Title IV: Group Health Plan Requirements

This title provides guidelines and sets out requirements regarding group health plans. These provisions cover pre-existing conditions, coverage portability, and nondiscrimination rules.

Title V: Revenue Offsets

The revenue offsets title outlines ways of generating additional funds for healthcare programs and initiatives and is meant to help finance the provisions from the previous titles.

HIPAA compliance (administrative simplification regulations)

HIPAA compliance usually refers to HIPAA Title II, also known as the Administrative Simplification provisions. These are a set of guidelines specifically created to protect sensitive patient health information. They include the following:

HIPAA privacy rule

The HIPAA privacy rule establishes national standards that are supposed to protect a patient’s medical records and other individually identifiable health information (also referred to as personal health information, or PHI).

This rule requires healthcare providers and other covered entities to protect patient data, limit its use and disclosure, and give individuals certain rights over their PHI.

HIPAA security rule

The HIPAA security rule sets nationwide standards for protecting electronic protected health information (ePHI). It requires covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic personal health information.

HIPAA enforcement rule

The HIPAA enforcement rule establishes procedures for investigations and penalties for HIPAA violations. Moreover, it gives the Department of Health & Human Services (HHS) the authority to investigate complaints and impose civil financial penalties for said violations, and in some cases, refer cases to the Department of Justice for further criminal prosecution.

HIPAA breach notification rule

The HIPAA breach notification rule requires covered entities to notify affected individuals, the HHS, and, in certain cases, the media when a breach of unsecured personal health information occurs.

HIPAA omnibus rule

The HIPAA omnibus rule modified the privacy, security, and breach notification rules by implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. These provisions strengthened the privacy and security protections for personal health information.

What is protected health information (PHI)?

Protected health information (PHI) is any information that identifies an individual or could be potentially used to identify them. HIPAA lists them as:

• Names
• All geographic subdivisions smaller than a State
• All elements of dates (except year) for dates directly related to an individual
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code

Who is responsible for implementing and monitoring the HIPAA regulations?

The responsibility for implementing and monitoring the HIPAA regulations falls on different entities at both the federal and individual levels. 

Here’s an overview of the key stakeholders involved:

1. Department of Health and Human Services (HHS). The HHS is the primary federal agency responsible for overseeing and enforcing HIPAA. It’s the Office for Civil Rights (OCR), within the HHS, that is responsible for  administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. 
2. Covered Entities and BAs. Any entities that handle protected health information, including covered entities and BAs, are responsible for implementing and adhering to the privacy, security, and administrative requirements of HIPAA.
3. State Attorneys General: When HIPAA violations affecting residents of their respective states take place, State Attorneys General can bring civil actions and impose penalties against those in violation.

Individuals: HIPAA also grants individuals certain rights regarding the privacy and security of their health information. These include the right to access their own health records, request amendments to their records, and file complaints if they believe their rights have been violated.

More privacy law resources

• Colorado Privacy Act
• California Privacy Rights Act (CPRA)
• California Consumer Privacy Act (CCPA)
• Utah Consumer Privacy Act (UCPA)
• Connecticut Data Privacy Act (CTDPA)
• New York SHIELD Act

Updated on: June 28, 2023