The Health Insurance Portability and Accountability Act is a federal law that provides baseline privacy and security standards for medical information. The United States Department of Health and Human Services is the federal agency in charge of creating rules that implement and enforce it.
The Health Insurance Portability and Accountability Act Signed into Law
Though it is widely known as a medical privacy and data security law, the Health Insurance Portability and Accountability Act (HIPAA) was passed and signed into law by President Bill Clinton primarily to improve the health care system’s efficiency and effectiveness. It set standards for transmitting electronic health data and allowed people to transfer and continue health insurance after a job change or job loss. Due to the risks posed by electronic data transfer, HIPAA required the Department of Health and Human Services to create privacy and security rules. Prior to this, privacy protections for medical information were based in state law.
2000 – 2002
The Department of Health and Human Services Published and Subsequently Modified the Health Insurance Portability and Accountability Act Privacy Rule
The HIPAA Privacy Rule gives individuals rights regarding their protected health information and sets standards governing how covered entities who conduct health care transactions electronically can use and disclose protected health information.
The Department of Health and Human Services Published the Health Insurance Portability and Accountability Act Security Rule
The Department of Health and Human Services Published the Health Insurance Portability and Accountability Act Enforcement Rule
Most Covered Entities were Required to Start Complying with the Health Insurance Portability and Accountability Act Privacy Rule
The HIPAA Security Rule sets standards for safeguarding electronic protected health information.
The HIPAA Enforcement Rule addresses compliance, investigations and penalties for violations of the HIPAA Privacy and Security Rules.
The Health Information Technology for Economic and Clinical Health Act was Enacted as Title XIII of the American Recovery and Reinvestment Act
The Health Information Technology for Economic and Clinical Health Act was enacted to promote the adoption and meaningful use of health information technology. It also addressed privacy and security concerns related to the electronic transmission of health information including unauthorized access and data breaches.
The Department of Health and Human Services Office for Civil Rights Issued the Health Insurance Portability and Accountability Act Omnibus Rule
The HIPAA Omnibus Rule made several changes to the HIPAA Privacy, Security and Enforcement Rules by
- implementing provisions of the Health Information Technology for Economic and Clinical Health Act
- modifying and finalizing the Breach Notification Rule
- implementing changes to the HIPAA Privacy Rule required by the Genetic Information Nondiscrimination Act of 2008
The Health Insurance Portability and Accountability Act (HIPAA) does not protect all health information. Nor does it apply to every person who may see or use health information.
HIPAA applies to covered entities, business associates and their subcontractors.
Health Care Providers
Health care providers get paid to provide health care. They include
- nursing homes
- urgent care clinics
Health care providers must comply with HIPAA only if they transmit health information electronically in connection with covered transactions. Most providers transmit information electronically to carry out functions such as processing claims and receiving payment and are required to comply with HIPAA.
Health plans pay the cost of medical care. They include
- health insurance companies
- health maintenance organizations (HMOs)
- group health plans sponsored by an employer
- government-funded health plans (Medicare, Medicaid)
- most other companies or arrangements that pay for health care
Health Care Clearinghouses
Health care clearinghouses process information so that it can be transmitted in a standard format between covered entities. They often act as a go between for health care providers and health plans which means that they rarely deal directly with patients (e.g. may take information from a doctor and put it into a standard coded format that can be used for insurance purposes).1
A business associate creates, receives, maintains or transmits protected health information on behalf of a covered entity or another business associate acting as a subcontractor.2
Business associates can perform many different services. Business associates often perform services that do not involve patient interaction including
- administrative accreditation
- benefit management
- data aggregation
- data analysis
- data transmission
- patient safety activities (limited)
- practice management
- processing or administering claims
- quality assurance
- utilization review
A common example of a business associate with whom patients may interact is a company that offers a personal health record to individuals on behalf of a covered entity.
Covered entities must execute written contracts with their business associates to make sure they safeguard protected health information according to HIPAA standards. Business associates must do the same with any of their subcontractors who can be considered their business associates.3
The Department of Health and Human Services (HHS) website contains more information on business associate relationships and also provides sample language for business associate agreements.4
Business associates must comply with their contractual obligations to covered entities. In addition, business associates are directly liable for violations of the HIPAA Security Rule and many provisions of the HIPAA Privacy Rule—meaning that they are subject to most of the same privacy and data security standards that apply to covered entities and may be subject to HHS audits and penalties.5
Subcontractors that create, maintain or transmit protected health information on behalf of a business associate have the same legal responsibilities as a business associate under HIPAA—meaning privacy- and security-related legal responsibilities flow downstream to subcontractors performing work for a business associate.6
For example, a hospital’s business associate may hire an outside company to shred documents containing protected health information. The outside company (subcontractor) would be required to comply with most HIPAA rules as a business associate and would also be bound by a contract with the business associate rather than the covered entity (hospital).
Hybrid entities performs both HIPAA-covered and non-covered functions as part of its business. A few examples are
- a large corporation that has a self-insured health plan for its employees
- a university with a medical center
- a grocery store that has a pharmacy
When an organization elects to be treated as a hybrid entity, only the portion of the company that is a covered entity (called the health care component) is subject to HIPAA. Hybrid entities must ensure that the health care component does not disclose protected health information to another non-covered component of the business and must also safeguard electronic protected health information.7
The HIPAA Privacy Rule applies to protected health information, and the HIPAA Security Rule applies to electronic protected health information.8
Health information is any information (including genetic information) that is created or received by a
- health care provider
- health plan
- public health authority
- life insurance company
- school or university
- health care clearinghouse9
and relates to
- a person’s past, present or future physical or mental health or condition
- treatment provided to a person
- past, present, or future payment for healthcare an individual receives
Health information can exist in any form or medium including paper, electronic or oral.
Protected Health Information
Protected health information is individually identifiable health information that is held or transmitted by a covered entity or its business associate.
Individually identifiable health information identifies—or can be used to identify—a person. It includes demographic and other information that identifies a person such as
- date of birth
- Social Security number10
Information Not Covered
Health Information in Employment Records
HIPAA does not apply to health information in employment records. This includes a covered entity’s employment records.11
Most Health Information in Education Records
Health information in education records that are subject to the Family Educational Rights and Privacy Act (FERPA) is not considered protected health information under HIPAA.12
Health Information Regarding a Person Who Has Been Deceased for More Than 50 Years
For more information on the health information of deceased individuals, see the HHS website’s resource.13
De-Identified Health Information
De-identified health information has either had 18 types of identifiers removed or been the subject of an expert determination that there is a very small risk that information could identify an individual. De-identified data is often the subject of debate because of the possibility of re-identifying an individual.14
Receive a Notice of Privacy Practices
Individuals have the right to receive a notice explaining a covered health care provider’s privacy practices in plain language.15 The notices are intended to provide people with information about how their protected health information is used, disclosed and protected.16
Not all covered entities are required to provide a notice of privacy practices. These include health care clearinghouses, correctional institutions and group health plans.17
See and Receive a Copy of Medical Records
Individuals have the right to request, see and receive a copy of their medical records retained by health care providers and health plans.
Specifically, individuals have the right to access a designated record set—a group of records maintained by or for a covered entity.18 For example, medical records, billing records and any records used (in whole or in part) by or for the covered entity to make decisions about a person are considered within a designated record set.19
Medical records outside the designated record set, and to which a person does not have access rights, include psychotherapy notes or any information collected in anticipation of a civil, criminal or administrative legal proceeding.20
Covered entities may not impose unreasonable measures that act as a barrier to individuals requesting their medical records. Once they receive a request, covered entities have 30 calendar days to respond. If they require more than 30 days, they can take an additional 30 days, but should inform the person in writing about the delay within the initial 30-calendar day timeframe.21
Request Correction of Inaccurate Information in Medical Records
Individuals can request that their records be corrected if they notice inaccurate information.22 The covered entity, such as health care provider or health plan, must respond to the request for correction.23 However, the covered entity may dispute the requested change.24 If the individual disagrees with the covered entity’s determination, they have the right to provide a statement of their disagreement which should be filed with the individual’s records.25
Request Special Privacy Protections for Medical Information
Individuals can request special privacy protections or restriction of uses and disclosures of medical information.26 While a covered entity must permit an individual to request restriction of their own medical information,27 it is not required to agree to such restrictions except under certain circumstances.28
A covered entity must agree to an individual’s request for restricted use or disclosure of protected health information if
- disclosure is only for payment or health care operations and not otherwise requested by law
- the restricted medical information is only about health care items or services the individual paid the covered entity in full29
Learn Who Has Seen and Received Medical Information
An individual has the right to an accounting of disclosures of protected health information made by a covered entity in the six years prior to when the individual requests the accounting.30 For example, the accounting would cover 2016 to 2022 if an individual requests an accounting of disclosed information in 2022. However, the accounting may be limited if, for instance, the disclosure of protected health information was for national security or intelligence purposes, to correctional institutions, or law enforcement officials.31
The actual accounting provided to the individual must be in writing and include
- date of the disclosure
- name of the entity or person who received the protected health information and, if known, the address of such entity or person
- brief description of the protected health information disclosed
- brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or a copy of a written request for a disclosure that was required32 or use and disclosures of information does not require authorization or opportunity to object33
The Health Insurance Portability and Accountability Act (HIPAA) Enforcement Rule allows the Department of Health and Human Services Office for Civil Rights (OCR) to investigate potential HIPAA violations and assess civil monetary penalties for violations. State attorneys general also have authority to enforce the HIPAA rules. While individuals do not have a private right of action under HIPAA, it does not preempt stronger state laws that do contain a private right of action.34
OCR starts the enforcement process by opening an investigation of potential HIPAA Privacy or Security Rule violations. It responds to individual complaints, but may discover HIPAA violations in other ways as well (e.g. conducting audits).35
Individuals can file a complaint with OCR. To be considered for investigation, a complaint must meet the following basic criteria:36
- If the complaint concerns a potential HIPAA Privacy Rule violation, the action must have occurred after April 2003.
- If the complaint concerns a potential HIPAA Security Rule violation, the action must have occurred after April 2005.
- An individual must file a complaint against a person, organization or other entity that is subject to HIPAA.
- The complaint must allege something that would violate the HIPAA Rules.
- Individuals must file complaints within 180 days of the time they knew (or should have known) about the potential violation.
If OCR believes the complaint has merit, it will contact the person who filed the complaint as well as the covered entity involved to try and reach a mutual resolution. Some matters may be referred to a hearing before an administrative law judge.
After an investigation, OCR can resolve an issue by
- determining there is no violation
- entering into a resolution agreement with the responsible party
- finding that the party is in violation and assessing penalties37
The minimum penalty varies, but the maximum penalty is $1.5 million per year for violations of the same HIPAA provision.
The four-tiered civil penalty structure is
|Violation||Penalty (per Violation)||Total Civil Monetary Penalties for Violating an Identical Provision Within a Calendar Year|
|Unknowing*1||$100 – $50,000||$1,500,000|
|Reasonable Cause*2||$1,000 – $50,000||$1,500,000|
|Willful Neglect—Corrected*3||$10,000 – $50,000||$1,500,000|
|Willful Neglect—Not Corrected*4||At least $50,000||$1,500,000|
* Table Notes
- The covered entity did not know of the violation and would not have known through the exercise of reasonable diligence.
- The covered entity would have known of the violation by exercising reasonable diligence.
- The covered entity intentionally violated HIPAA or acted with reckless indifference but corrected the violation within 30 days of discovery.
- The covered entity intentionally violated HIPAA or acted with reckless indifference but did not correct the violation within 30 days of discovery.38
- 45 CFR § 160.103.
- 45 CFR § 160.103.
- 45 CFR § 164.502(e).
- See HHS’ Business Associates.
- 45 CFR § 164.402(b)-(c). See also HHS’ Covered Entities and Business Associates; Direct Liability of Business Associates.
- 45 CFR § 160.402(c).
- 45 CFR § 160.103.
- 45 CFR § 164.500.
- 45 CFR § 160.103.
- 45 CFR § 160.103.
- 45 CFR § 164.512 (b)(1)(v).
- See Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records; HHS’ FERPA and HIPAA.
- 45 CFR § 160.103.
- 45 CFR 164.514. See also HHS’ Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the HIPAA Privacy Rule.
- 45 CFR §164.520(a).
- 45 CFR §164.520(b).
- 45 CFR §164.520(a)(2). See also HHS’ Notice of Privacy Practices for Protected Health Information.
- 45 CFR § 164.501.
- 45 CFR § 164.501 (1)(i)-(iii).
- 45 CFR § 164.524(a)(1)(ii).
- 45 CFR § 164.524. See also HHS’ Individuals’ Right under HIPAA to Access their Health Information.
- 45 CFR § 164.526(a)(1).
- 45 CFR §164.526(b)(2)(i).
- 45 CFR § 164.526(a)(2).
- 45 CFR §164.526(d)(2), (4), (5). See also, 45 CFR §§ 164.508, 164.524 and 164.526 for more information on reasonable copy fees for medical records, format of records, denial of request.
- 45 CFR § 164.522 (a)(1).
- 45 CFR § 164.522 (a)(1)(i).
- 45 CFR § 164.522 (a)(1)(ii).
- 45 CFR § 164.522 (a)(1)(vi)(A)-(B). See also, 45 CFR § 164.522 and Restriction Request Section of HHS’ Summary of the HIPAA Privacy Rule for more information on how to request special privacy protection of medical information.
- 45 CFR § 164.528 (a)(1).
- 45 CFR § 164.528 (a)(1)(i)-(ix).
- 45 CFR §164.5002 (a)(2)(ii).
- 45 CFR §164.512. See also 45 CFR § 164.5228 and HHS’ Right to an Accounting of Disclosures for more information on how to request an accounting of protected health information disclosure and the required information included in a requested accounting report.
- See OCR About Us.
- 45 CFR § 308. See also How OCR Enforces the HIPAA Privacy & Security Rules.
- 45 CFR § 160.306. See also Filing a Complaint.
- 45 CFR § 160.312. See also How OCR Enforces the HIPAA Privacy and Security Rules; Enforcement Data; Enforcement Highlights; HIPAA Enforcement.
- 45 CFR § 402; 160.404; 160.408. See also How OCR Enforces the HIPAA Privacy and Security Rules; Enforcement Data; Enforcement Highlights; HIPAA Enforcement.