What is the HIPAA Law?

Key points

• A central component of the Health Insurance Portability and Accountability Act (HIPAA) is the health care privacy protections it provides to individuals.
• The HIPAA law sets standards for health care providers for the storage and disclosure of personal health information.
• HIPAA rules apply to health care providers, health insurance companies and businesses they contract with, but doesn’t apply to all organizations or in all situations, so it’s important to take steps to protect your own health information.

Most of us have heard of HIPAA before. Maybe you’ve had to sign a form at the doctor’s office to acknowledge you were made aware of your rights, or perhaps you’ve heard someone talk about what HIPAA means for patients.

But how much do you really know about what HIPAA does and doesn’t do? Considering how much of your and your family’s information doctors, hospitals and other health care services have, it’s a good idea to get an in-depth look at what HIPAA is about, including its various provisions, whom it applies to and what happens if there is a violation.

What is the HIPAA law?

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to create certain best practices and protections in the health care industry. Congress had many goals when it passed the bill, including protecting individuals from losing health care when they change jobs, reducing fraud and abuse in the health care industry, creating industry-wide standards for health care billing and records and more.

The law also addressed patient privacy and created regulations for health care providers to help keep patient medical information safe. It’s the most well-known component of HIPAA, but you might be surprised to learn it’s just a small part of the law.

While the security and privacy provisions of HIPAA weren’t the main focus when the bill was initially passed, they are the parts of the bill most relevant to individuals and the parts that you’re likely to hear most about. Since the initial bill was passed, Congress has passed two additional pieces of legislation to further modernize the HIPAA best practices.

“HIPAA was not designed to comprehensively resolve issues around the protection of health care data,” said Matt Fisher, a regulatory health care attorney with the health care technology company Carium. “It was a significant development, but could also be seen as a first step on the path, especially since it was passed in 1996 before much of the modern technology was developed or readily available.”

Since HIPPA was first introduced, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was added. This updated the rules and definitions for electronic health records, as well as required health care organizations to report data breaches. Another bill was the HIPAA Omnibus bill passed in 2013, which addressed security controls to strengthen the HIPAA privacy protections.

What are the different provisions of HIPAA?

HIPAA includes five different provisions. Each provision—known as “Titles”—addresses one of the law’s major goals.

Title I, HIPAA Health Insurance Reform

This provides continuity of health care for workers and their families when they change jobs.

Title II, HIPAA Administrative Simplification

This establishes standards for storing electronic health care records and for the security and privacy of health care data.

Title III, HIPAA Tax-Related Health Provisions

This provides for tax deductions for medical insurance and sets other guidelines of medical care.

Title IV, Application and Enforcement of Group Health Plan Requirements

This creates regulations for covering people with preexisting conditions.

Title V, Revenue Offsets

This includes provisions for company-owned life insurance and the treatment of individuals who lose their U.S. citizenship.

As you can see, HIPAA touches many different parts of health care. However, Title II is probably the most well-known. And there are two different Title II rules you should know about.

HIPAA privacy rule

This sets standards for the use and disclosure of protected health information (PHI). It’s this law that prevents medical providers from sharing your health information with anyone else unless you’ve given them specific permission to do so.

At the same time, the HIPAA privacy rule creates methods for the flow of health information within the system when needed to ensure that health care providers have the information they need to properly care for their patients.

“On the privacy front, HIPAA prevents total free rein when it comes to use and disclosure of health information,” Fisher said. “While permitted uses and disclosures can be quite broad and potentially broader than desired, HIPAA does stop exposure of information to the public generally. HIPAA also grants certain rights to individuals that can impact how protected health information is used or to enable access to the information. HIPAA tries to strike a delicate and difficult balance.”

HIPAA Security Rule

Like the Privacy Rule, the HIPAA Security Rule is designed to protect the safety of individual health records but does so in a different way. The Security Rule specifically addresses the care of electronic protected health information (e-PHI). It creates standards about the confidentiality and integrity of e-PHI, requires providers to detect and safeguard against threats to security and protects against impermissible disclosures or uses of e-PHI.

Who has to comply with the HIPAA Privacy Rule?

One of the most confusing parts of HIPAA is who it actually applies to, especially as it relates to the Privacy Rule. Because while people certainly have a right to protect their health information, the privacy provisions in HIPAA only apply to certain parties, and those that are not included aren’t necessarily legally prohibited from sharing your health information.

The parties required to comply with the HIPAA Privacy Rule are:

• Health care providers.
• Health plans, including health, dental, vision and prescription drugs, as well as employer and government-sponsored health plans.
• Health care clearinghouses that process medical information.
• Business associations that have access to PHI because of functions or services they provide for other covered entities.

The Privacy Rule prohibits the parties above from sharing someone’s PHI without their permission, but there are some situations where they are permitted to use and disclose that information. First and foremost, they can—and must—disclose PHI to the individual themselves. You always have a legal right to your health records.

There are several other situations and purposes for which businesses are allowed to share PHI, including if it’s required for the treatment of the individual, to bill and collect a payment, for public interest and benefit and when the individual has agreed to have their PHI shared.

What happens if someone violates the HIPAA Privacy Rule?

The U.S. Department of Health and Human Services (HHS) is responsible for enforcing the HIPAA Privacy Rule and Security Rule. When the agency is alerted of a HIPAA violation, it investigates the situation, conducts compliance reviews and imposes civil and criminal penalties, if necessary.

Violations of HIPAA can result in civil penalties based on the nature and extent of the violation, as well as how much harm was done. Penalties can range from $100 per violation to $50,000 per violation. In the most extreme cases where the guilty party was willfully neglectful and didn’t correct the situation, fines could reach up to $1.5 million.

There are also criminal penalties when someone knowingly or intentionally discloses personal health information. Those offenses can result in up to $250,000 in fines for the individual, as well as imprisonment of anywhere from 1 to 10 years.

HHS also educates organizations to prevent violations. One of its primary enforcement mechanisms is education and outreach to organizations that may have unknowingly and unintentionally violated HIPAA.

What HIPAA doesn’t cover

There are health care providers or services that you may assume are prohibited from sharing your health information, but actually aren’t. Those parties include:

• Your employer.
• Life insurance companies.
• Workers compensation carriers.
• Schools and school districts.
• State agencies, including child protective services.
• Law enforcement agencies.
• Municipal offices.

Tip: HIPAA also doesn’t address many of the technologies we use today that have access to our health data.

“Information could be generated or stored through things like a wearable device. Think of the information created by an Apple Watch; that falls outside the traditional health care structures,” Fisher said. “In those instances, the information is not subject to protection by HIPAA and the limitations or transparency required by HIPAA do not apply.”

How else to protect your health information

HIPAA’s Privacy Rule and Security Rule go a long way in keeping your health information safe, but they don’t apply in all situations or to all individuals and organizations. If you want to keep your health information safe, there are some things you can do on your own, too.

Fisher recommended looking at the terms of use to learn how your information will be used before you enter your information on any website or application. A simple rule of thumb is that if you don’t want a piece of information made public, don’t share it online. That’s the only way to fully prevent your information from being shared.

You can also protect your health information by being mindful of how you store the health information you receive. When you get medical records and bills in the mail, avoid using online storage that someone could hack into.

Another thing to know is that if you believe a provider or company has violated HIPAA, you can report it to HHS, who will then investigate the complaint.