HIPAA
What is HIPAA?
Before 1996, U.S. healthcare providers were free to distribute patient healthcare records and other personal information without the patient’s notice or consent.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that defines national standards for the protection of Americans’ medical records and other personal health information. According to the law, patient health information cannot be disclosed without the patient's consent or knowledge.
In addition to protecting patient confidentiality, the HIPAA law helps ease the administrative paperwork associated with transferring patient information between providers. The goal of the act is to achieve the following:
- the ability for Americans to transfer and continue health insurance coverage when they change or lose their jobs
- reduced fraud and abuse in health insurance and health care delivery
- industry-wide standards for healthcare information on electronic billing
- confidential handling of protected health information
- improved access to long-term healthcare services and coverage
- simplified administration of health insurance
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) broadened the privacy and security protections established by the HIPAA.
Who must comply with HIPAA regulations?
Healthcare providers, health plans, and healthcare clearinghouses all fall under the umbrella of what the HIPAA law calls “covered entities.” Here is a breakdown of the entities the law applies to:
- Healthcare providers, including most hospitals, clinics, nursing homes, and medical practices, including chiropractors, psychologists, and dentists.
- Health Plans, including health insurance companies, HMOs, employee health plans, and some government programs, such as Medicare and Medicaid.
- Healthcare clearinghouses, including companies that process health information they receive from another entity
In addition, so-called “business associates” of these covered entities must follow HIPAA regulations. Examples of business associates that have access to patient records and are subject to HIPAA include:
- Billing companies and companies that process healthcare claims
- Companies that help administer healthcare plans
- Professionals, including lawyers, accountants, and IT specialists
- Companies that store or destroy printed or virtual medical records
The HIPAA law contains five distinct components, called titles, these healthcare entities must follow:
- Title I protects the health insurance coverage for Americans who have changed or lost their jobs. It also prohibits group health plans from refusing to cover individuals who have pre-existing diseases or conditions, and prevents them from setting limits for lifetime coverage.
- Title II standardizes the processing of electronic healthcare transactions. It requires the organizations to implement safe electronic access to the patients’ data, remaining in compliance with the privacy regulations which were set by the Health and Human Services Department (HHS).
- Title III contains tax-related provisions and general medical care guidelines.
- Title IV includes provisions for Americans with pre-existing conditions seeking continued insurance coverage.
- Title V has provisions for company-owned insurance and the treatment of Americans who lost their U.S. citizenship for income tax purposes.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule gives Americans rights concerning who can view and receive their sensitive health information. This rule sets limits and conditions on how a healthcare entity can use and disclose sensitive information without the patient’s authorization. It also gives patients the right to obtain and review a copy of their health records and to request corrections, if necessary.
What Is the HIPAA Security Rule?
The HIPAA Security Rule extends the Privacy Rule to include electronic protected health information. The rule requires that patient medical information is safe from unauthorized access. The law leaves it up to each organization to determine how to keep their electronic records secure.
What are the penalties for a HIPAA violation?
The failure for a covered entity to comply with the HIPAA can result in strict financial penalties. The maximum penalty for a HIPAA violation is $50,000 per incident -- up to $1.5 million, per violation category per year.
If HIPAA violations continue for several years or if multiple violations are discovered, fines in the multi-million-dollar range are possible. Certain HIPAA violations can also bring criminal charges.
Helpful Resources:
Health Insurance Portability and Accountability Act of 1996 - CDC
The HIPAA Privacy Rule - HHS
HIPAA Violation - Hipaa Journal
What is HIPAA?
Before 1996, U.S. healthcare providers were free to distribute patient healthcare records and other personal information without the patient’s notice or consent.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that defines national standards for the protection of Americans’ medical records and other personal health information. According to the law, patient health information cannot be disclosed without the patient's consent or knowledge.
In addition to protecting patient confidentiality, the HIPAA law helps ease the administrative paperwork associated with transferring patient information between providers. The goal of the act is to achieve the following:
- the ability for Americans to transfer and continue health insurance coverage when they change or lose their jobs
- reduced fraud and abuse in health insurance and health care delivery
- industry-wide standards for healthcare information on electronic billing
- confidential handling of protected health information
- improved access to long-term healthcare services and coverage
- simplified administration of health insurance
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) broadened the privacy and security protections established by the HIPAA.
Who must comply with HIPAA regulations?
Healthcare providers, health plans, and healthcare clearinghouses all fall under the umbrella of what the HIPAA law calls “covered entities.” Here is a breakdown of the entities the law applies to:
- Healthcare providers, including most hospitals, clinics, nursing homes, and medical practices, including chiropractors, psychologists, and dentists.
- Health Plans, including health insurance companies, HMOs, employee health plans, and some government programs, such as Medicare and Medicaid.
- Healthcare clearinghouses, including companies that process health information they receive from another entity
In addition, so-called “business associates” of these covered entities must follow HIPAA regulations. Examples of business associates that have access to patient records and are subject to HIPAA include:
- Billing companies and companies that process healthcare claims
- Companies that help administer healthcare plans
- Professionals, including lawyers, accountants, and IT specialists
- Companies that store or destroy printed or virtual medical records
The HIPAA law contains five distinct components, called titles, these healthcare entities must follow:
- Title I protects the health insurance coverage for Americans who have changed or lost their jobs. It also prohibits group health plans from refusing to cover individuals who have pre-existing diseases or conditions, and prevents them from setting limits for lifetime coverage.
- Title II standardizes the processing of electronic healthcare transactions. It requires the organizations to implement safe electronic access to the patients’ data, remaining in compliance with the privacy regulations which were set by the Health and Human Services Department (HHS).
- Title III contains tax-related provisions and general medical care guidelines.
- Title IV includes provisions for Americans with pre-existing conditions seeking continued insurance coverage.
- Title V has provisions for company-owned insurance and the treatment of Americans who lost their U.S. citizenship for income tax purposes.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule gives Americans rights concerning who can view and receive their sensitive health information. This rule sets limits and conditions on how a healthcare entity can use and disclose sensitive information without the patient’s authorization. It also gives patients the right to obtain and review a copy of their health records and to request corrections, if necessary.
What Is the HIPAA Security Rule?
The HIPAA Security Rule extends the Privacy Rule to include electronic protected health information. The rule requires that patient medical information is safe from unauthorized access. The law leaves it up to each organization to determine how to keep their electronic records secure.
What are the penalties for a HIPAA violation?
The failure for a covered entity to comply with the HIPAA can result in strict financial penalties. The maximum penalty for a HIPAA violation is $50,000 per incident -- up to $1.5 million, per violation category per year.
If HIPAA violations continue for several years or if multiple violations are discovered, fines in the multi-million-dollar range are possible. Certain HIPAA violations can also bring criminal charges.
Helpful Resources:
Health Insurance Portability and Accountability Act of 1996 - CDC
The HIPAA Privacy Rule - HHS
HIPAA Violation - Hipaa Journal