Health Insurance Portability and Accountability Act

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (PL 104-191), also known as HIPAA, is a law designed to improve the efficiency and effectiveness of the nation's health care system. HIPAA is divided into two parts:

Title I: Health Care Access, Portability, and Renewability
- Protects health insurance coverage when someone loses or changes their job
- Addresses issues such as pre-existing conditions
Title II: Administrative Simplification

Includes provisions for the privacy and security of health information
Specifies electronic standards for the transmission of health information
Requires unique identifiers for providers

Who needs to comply with HIPAA?

The HIPAA regulations apply to covered entities and business associates, defined as health plans, health care clearinghouses, and health care providers who conduct certain electronic transactions.

Find out if you are a covered entity under HIPAA.

Definition of Business Associate

The 2013 Final Rule [PDF] expands the definition of a business associate to generally include a person who creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. This now includes:

Subcontractor—person (other than a business associate workforce member) to whom a business associate delegates a function, activity, or services where the delegated function involves the creation, receipt, maintenances, or transmission of PHI.
Health information organizations, e-prescribing gateways and other person that "provide data transmission services with respect to PHI to a covered entity and that require access on a routine basis to such PHI"
Persons who offer a personal health record to one or more individuals "on behalf of" a covered entity.

For more information on business associates, see:

What happens if I don't comply

The interim final rule [PDF] on HIPAA Administrative Simplification Enforcement ("Enforcement Rule") was issued on October 30, 2009. It includes categories of violations and tiers of increasing penalty amounts.

Categories of violations include those:

that occur without the person's knowledge (and the person would not have known by exercising reasonable diligence)
that have a reasonable cause and are not due to willful neglect
due to willful neglect but that are corrected quickly
due to willful neglect that are not corrected

Monetary penalties vary by the type of violation and range from $100 per violation with a yearly maximum fine of $25,000 to $50,000 per violation and a yearly maximum of $1.5 million.

The final rule [PDF] published in 2013 is an enhancement and clarification to the interim rule and enhances the definition of the violation of compliance as a breach—an acquisition, access, use, or disclosure of protected health information in a manner not permitted under the rule unless the covered entity or business associate demonstrates that there is a low probability that the (PHI) has been compromised based on a risk assessment of factors including nature and extent of breach, person to whom disclosure was made, whether it was actually acquired or viewed and the extent to which the PHI has been mitigated.

The final rule removed the harm standard, but increased civil monetary penalties in general while taking into consideration the nature and extent of harm resulting from the violation including financial and reputational harm as well as consideration of the financial circumstances of the person who violated the breach.

Additionally, the final rule defines other areas of compliance including the individual's right to receive information, additional requirements to privacy notes, use of genetic information.