- What is HIPAA?
a. A brief history of HIPAA
b. Is HIPAA the only law that applies to health information?
- Who must comply with HIPAA?
a. Covered entities
b. Business associates
d. Hybrid entities
- Who isn't required to comply with HIPAA?
- What information does HIPAA cover?
a. What information does the HIPAA Privacy Rule apply to?
b. What information does the HIPAA Security Rule apply to?
- What information isn't covered under the HIPAA Privacy Rule?
a. Health information in employment records
b. Health information in education records (for the most part)
c. Health information regarding a person who has been deceased over 50 years
d. De-identified data
- How does the U.S. Department of Health and Human Services (HHS) enforce HIPAA?
a. When will HHS investigate a complaint?
b. How does HHS determine a penalty for a violation?
c. If there is a monetary penalty, will the individual who filed the complaint receive money?
d. Can individuals sue under HIPAA?
Nearly everyone recognizes the sensitive nature of health and medical information. However, health information privacy and security are complex topics to navigate for patients and healthcare professionals alike.
The federal regulations that govern health information privacy and security are known as HIPAA, for the Health Insurance Portability and Accountability Act that mandated them. As a patient, it is important to understand HIPAA's scope and limitations.This guide provides information on HIPAA basics such as who HIPAA applies to and what information it covers.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that provides baseline privacy and security standards for medical information. The U.S. Department of Health and Human Services (HHS) is the federal agency in charge of creating rules that implement HIPAA and also enforcing HIPAA.
- 1996 – Congress passed the Health Insurance Portability and Accountability Act (HIPAA).
Most people are familiar with HIPAA as a medical privacy and security law. However, HIPAA’s initial purpose was to set standards for transmitting electronic health data and to allow people to transfer and continue health insurance after they change or lose a job.
In fact, until 2003 there were no national privacy standards for medical information under HIPAA. All protections were based in state law.
- 2003 – The U.S. Department of Health and Human Services (HHS) issued and adopted the HIPAA Privacy Rule, HIPAA Security Rule, and the HIPAA Enforcement Rule.
In 2003, HHS issued the first national data privacy and security rules under HIPAA.
The Privacy Rule gives individuals rights with respect to their protected health information (PHI). It also explains how covered entities (those who must comply with HIPAA) can use and disclose PHI.
The Security Rule sets standards for safeguarding electronic PHI.
The Enforcement Rule addresses compliance, investigations, and potential penalties for violations of the HIPAA Privacy Rule and Security Rule. The Office for Civil Rights (OCR) within HHS is reponsible for enforcing the HIPAA regulations.
- 2009 – The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law. The HITECH Act is Title XIII of the American Recovery and Reinvestment Act (AARA).
Between 2003 and 2009 technology changed the medical privacy landscape. Electronic medical records started replacing paper files. Patients began to communicate with their doctors by email and through online portals. Pharmacies began to process prescriptions electronically.
The HITECH Act created financial incentives for healthcare providers and insurers to continue shifting to electronic medical records, and also addressed privacy and security concerns related to the electronic transmission of health information, including unauthorized access and data breaches.
- 2013 – HHS' Office for Civil Rights issued the HIPAA Omnibus Rule.
HHS' Omnibus Rule made several important changes to the HIPAA Privacy, Security, and Enforcement Rules. It implemented many provisions of the HITECH Act. It modified and finalized the Breach Notification Rule. It also implemented changes to the HIPAA Privacy Rule required by the Genetic Information Nondiscrimination Act of 2008 (GINA).
No. The Health Insurance Portability and Accountability Act (HIPAA) is not the only law that applies to health information.
There are federal laws that apply to specific types of health information (or records containing health information) such as genetic information, health information in school records, identifiable information about individuals maintained by the federal government, certain alcohol and drug substance abuse records, and information relating to medical research.
In addition, states may enact their own laws to protect health information because HIPAA sets a baseline from which states can create stronger laws. For more information on state law, see HealthInfoLaw.org (a project of the George Washington University's Hirsh Health Law and Policy Program).
HIPAA does not protect all health information. Nor does it apply to every person who may see or use health information. HIPAA only applies to covered entities and their business associates.
There are three types of covered entities under HIPAA.
- Health care providers get paid to provide health care. Doctors, dentists, hospitals, nursing homes, pharmacies, urgent care clinics, and other entities that provide health care in exchange for payment are examples of providers.
Health care providers must comply with HIPAA only if they transmit health information electronically in connection with covered transactions. Most providers transmit information electronically to carry out functions such as processing claims and receiving payment. Therefore, most providers are covered under HIPAA.
- Health plans pay the cost of medical care.
The following are examples of health plans covered under HIPAA: health insurance companies, health maintenance organizations (HMOs), group health plans sponsored by an employer, government-funded health plans such as Medicare and Medicaid, and most other companies or arrangements that pay for health care.
- Health care clearinghouses process information so that it can be transmitted in a standard format between covered entities. Clearinghouses often act as a go between for health care providers and health plans which means that they rarely deal directly with patients. For example, a clearinghouse may take information from a doctor and put it into a standard coded format that can be used for insurance purposes.
For more information on whether an entity is covered under HIPAA, HHS provides a helpful chart.
What is a business associate? Health care providers, health plans, and health care clearinghouses are just a few of the players in the health care business. Covered entities hire or contract with people and companies to perform numerous services.
A "business associate" creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity or another business associate acting as a subcontractor.
For the definition of a business associate, see 45 CFR § 160.103.
What do business associates do? Business associates can perform many different services for a covered entity, including (but not limited to):
- data aggregation
- administrative accreditation
- processing or administering claims
- data analysis
- data transmission
- utilization review
- quality assurance
- certain patient safety activities
- benefit management
- practice management
Business associates often perform services that don’t involve patient interaction. However, a common example of a business associate patients may interact with is a company that offers a personal health record (PHR) to individuals on behalf of covered entities.
What responsibilities do business associates have? Covered entities must execute written contracts with their business associates to make sure they safeguard PHI according to HIPAA standards. Business associates must do the same with any of their subcontractors who can be considered business associates. The HHS website contains more information on business associate relationships, and it also provides sample clauses for business associate agreements.
Business associates must comply with the contracts they sign with covered entities. In addition, business associates are directly liable for violations of the HIPAA security rule and many provisions of the HIPAA privacy rule. This means that business associates are subject to most of the same privacy and data security standards that apply to covered entities and may be subject to HHS audits and penalties.
A subcontractor that creates, maintains, or transmits protected health information (PHI) on behalf of a business associate has the same legal responsibilities as a business associate under HIPAA. In other words, privacy- and security-related legal responsibilities flow "downstream" to subcontractors performing work for a business associate.
For example, a hospital's business associate may hire an outside company to shred documents containing PHI or to provide a cloud service to store the data. In both instances, the outside company (subcontractor) would be required to comply with most HIPAA rules as a business associate. It would also be bound by a contract with the business associate rather than the covered entity (or hospital in this example).
A hybrid entity performs both HIPAA-covered and non-covered functions as part of its business. A large corporation that has a self-insured health plan for its employees may elect to be treated as a hybrid entity. Other examples are a university with a medical center or a grocery store that has a pharmacy.
When an organization elects to be treated as a hybrid entity, only the portion of the company that is a covered entity (called the health care component) is subject to HIPAA. Hybrid entities must ensure that the health care component does not disclose protected health information to another non-covered component of the business. They must also safeguard electronic protected health information.
Remember, a lot of companies and people aren’t required to comply with HIPAA, and there are many times when health information may be available to these people and companies. HIPAA only applies to covered entities and their business associates.
Here are just a few examples of those who aren’t covered under HIPAA but may handle health information:
- life and long-term insurance companies
- workers' compensation insurers, administrative agencies, or employers (unless they are otherwise considered covered entities)
- agencies that deliver Social Security and welfare benefits
- automobile insurance plans that include health benefits
- search engines and websites that provide health or medical information and are not operated by a covered entity
- gyms and fitness clubs
- direct to consumer (DTC) genetic testing companies
- many mobile applications (apps) used for health and fitness purposes
- those who conduct screenings at pharmacies, shopping centers, health fairs, or other public places for blood pressure, cholesterol, spinal alignment, and other conditions
- certain alternative medicine practitioners
- most schools and school districts
- researchers who obtain health data directly from health care providers
- most law enforcement agencies
- many state agencies, like child protective services
- courts, where health information is material to a case
To learn more about who is (or isn't) covered by HIPAA, see the HHS Guidance Materials for Consumers.
To determine whether HIPAA protects a certain type of health information, it is easiest to first figure out whether there is a covered entity or business associate who must comply with the law.
Under HIPAA, "health information" is any information (including genetic information) that is created or received by a health care provider, health plan, public health authority, employer, life insurance company, school or university, or health care clearinghouse and relates to
- a person's past, present, or future physical or mental health or condition;
- treatment provided to a person; or
- past, present, or future payment for healthcare an individual receives.
Health information can exist in any form or medium, including paper, electronic, or oral.
When a covered entity creates or receives health information that identifies -- or can be used to identify-- a person, HIPAA calls it "individually identifiable health information." Individually identifiable health information includes demographic and other information that identifies a person such as name, address, date of birth, and Social Security number.
For precise definitions of any of the terms in this section, see 45 CFR § 160.103.
The HIPAA Privacy Rule applies to "protected health information" (PHI) which includes all "individually identifiable health information" that is transmitted or maintained in any format or medium.
This means that conversations between a patient and a doctor have the same privacy protections as handwritten or electronic notes.
To learn more about the HIPAA Privacy Rule, see: The HIPAA Privacy Rule: How may covered entities use and disclose health information?
The HIPAA Security rule requires covered entities to establish data security measures only for PHI that is maintained in electronic format, called "electronic protected health information" (ePHI). The Security Rule does not apply to PHI that is transmitted orally or in writing.
To learn more about the HIPAA Security Rule, see Privacy Rights Clearinghouse Fact Sheet 8d: Protecting Health Information: The HIPAA Security and Breach Notification Rules.
HIPAA does not apply to employment records, even when those records include medical information. This includes employment records a covered entity holds in its role as employer. However, if an employee of a healthcare provider becomes a patient of that provider, HIPAA will apply.
To learn more about medical information in the workplace, see the HHS' Employers and Health Information in the Workplace.
Health information in education records that are subject to the Family Educational Rights and Privacy Act (FERPA) is not considered protected health information (PHI) under HIPAA. For example, a child's K-12 records containing information about school nurse visits are not subject to HIPAA.
For more information on FERPA as it relates to health information and HIPAA, see: Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records and Student Privacy 101: Health Privacy in Schools –What law applies?
Protected health information (PHI) does not include health information about a person who passed away more than 50 years ago.
For more information on the health information of deceased individuals, see the HHS website.
De-identified data is health information that has had 18 specific identifiers removed and therefore is considered to make the individual who is the subject of the information unidentifiable. This means de-identified data is not protected under the HIPAA Privacy Rules as PHI and covered entities can use and disclose it more widely.
De-identified data is often the subject of debate because of the possibility of re-identifying an individual. Prof. Latanya Sweeney, has done a significant amount of work in the area of re-identification.
For more information on de-identification, see 45 CFR 164.514 and HHS’ Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the HIPAA Privacy Rule.
The HIPAA Enforcement Rule allows the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to investigate potential HIPAA violations and assess civil monetary penalties (CMP) for violations. State attorneys general also have the authority to enforce the HIPAA rules. Individuals do not have a private right of action under HIPAA and cannot sue for a violation.
OCRstarts the enforcement process by opening an investigation of potential HIPAA Privacy or Security Rule violations. OCR responds to individual complaints, but may discover HIPAA violations in other ways as well (such as conducting audits). After the investigation, OCR can resolve an issue by determining there is no violation, entering into a resolution agreement with the responsible party, or finding that the party is in violation and assessing penalties.
To learn more about HIPAA enforcement, see How OCR Enforces the HIPAA Privacy and Security Rules, Enforcement Data, Enforcement Highlights, and HIPAA Enforcement.
When individuals are aware of a potential HIPAA violation, they can file a complaint with HHS’ Office for Civil Rights (OCR). To be considered for investigation, a complaint must meet the following basic criteria:
- If the complaint concerns a potential Privacy Rule violation, the action must have occurred after April 2003. If the complaint concerns a potential Security Rule violation, the action must have occurred after April 2005.
- An individual must file a complaint against a person, organization or other entity that is subject to HIPAA.
- The complaint must allege something that would violate the HIPAA Rules.
- Individuals must file complaints within 180 days of the time they knew (or should have known) about the potential violation.
If OCR believes the complaint has merit, the agency will contact the person who filed the complaint as well as the covered entity involved to try and reach a mutual resolution. Some matters may be referred to a hearing before an administrative law judge.
For violations that occurred after 2009, HHS determines penalties for HIPAA violations based on the violator’s culpability. The minimum penalty varies, but the maximum penalty is $1.5 million per year for violations of the same HIPAA provision.
The four-tiered civil penalty structure is as follows:
Penalty (per violation)
Total civil monetary penalties for violating an identical provision within a calendar year
$100 - $50,000
$1,000 - $50,000
$10,000 - $50,000
Willful neglect—not corrected
At least $50,000
Unknowing means the covered entity did not know of the violation and would not have known through the exercise of reasonable diligence.
Reasonable cause means the covered entity would have known of the violation by exercising reasonable diligence.
Willful neglect-corrected means that the covered entity intentionally violated HIPAA or acted with reckless indifference but corrected the violation within 30 days of discovery.
Willful neglect-uncorrected means that the covered entity intentionally violated HIPAA or acted with reckless indifference but did not correct the violation within 30 days of discovery.
No. Any money from penalties that HHS collects is paid to the U.S. Treasury.
No. Individuals do not have the right to sue under HIPAA. However, HIPAA does not prevent states from passing laws that provide enhanced protection. George Washington University has a guide, Health Information and the Law, which contains information on state laws.
Health Information Technology for Economic and Clinical Health (HITECH) Act, Public Law 111-5, 2009
Genetic Information Nondiscrimination Act of 2008 (GINA), (Public Law 110-223, 122 Stat. 881)
HIPAA Privacy Rule of 2003 and subsequent modifications
HHS Omnibus Rule, 78 Federal Register, January 25, 2013
State Laws and Health Privacy
George Washington University, Health Information and the Law
Department of Health and Human Services, Office of Civil Rights
Privacy Rights Clearinghouse
PRC Medical Privacy Resources.