The Health Insurance Portability and Accountability Act (HIPAA) is a United States law that was passed in 1996. It is designed to protect the privacy of individuals’ personal health information, known as “protected health information” (PHI), and to provide rules for the handling and sharing of PHI by covered entities, such as health care providers and health insurance companies. The law includes requirements for physical, network, and process security to protect PHI from unauthorized access, and also includes provisions for individuals to access their own PHI and to control how it is used and disclosed. HIPAA also requires covered entities to report certain types of PHI breaches.
Health Insurance Portability and Accountability Act (HIPAA) History and Amendment
The Health Insurance Portability and Accountability Act (HIPAA) was passed by the United States Congress in 1996. It was signed into law by President Bill Clinton and went into effect in 1997. The law was enacted with the intent of improving the portability and continuity of health insurance coverage in the individual and group markets, combating fraud and abuse in health insurance and healthcare delivery, and promoting the use of medical savings accounts.
The law was later amended in 2009 by the HITECH Act, which provided funding for the adoption and meaningful use of health information technology, including electronic health records, and also further strengthened the privacy and security provisions of HIPAA.
In 2013, the final Omnibus Rule was issued, which made significant changes to the HIPAA Privacy, Security, and Enforcement Rules, including the expansion of patient rights and the implementation of a tiered civil money penalty structure for HIPAA violations.
In 2020, the CARES Act amended HIPAA, enabling covered healthcare providers to communicate with patients via telehealth and remote communication technologies to help prevent the spread of COVID-19, and also made some exceptions for sharing protected health information for public health and research purposes.
Health Insurance Portability and Accountability Act (HIPAA) Provisions
The Health Insurance Portability and Accountability Act (HIPAA) includes several provisions that are intended to protect the privacy and security of individuals’ personal health information, also known as “protected health information” (PHI). These provisions include:
- Privacy Rule: This rule sets standards for the use and disclosure of PHI by covered entities, including health care providers and health insurance companies. It also gives individuals certain rights with respect to their PHI, such as the right to access and receive a copy of their PHI.
- Security Rule: This rule sets standards for the protection of electronic PHI (ePHI) and requires covered entities to implement administrative, physical, and technical safeguards to protect ePHI from unauthorized access, use, disclosure, or destruction.
- Breach Notification Rule: This rule requires covered entities to notify individuals and the Department of Health and Human Services (HHS) in the event of a breach of unsecured PHI.
- Enforcement Rule: This rule sets out the enforcement mechanisms for HIPAA, including civil monetary penalties for HIPAA violations.
- HITECH Act: The HITECH Act further strengthened the security provisions of HIPAA and provided funding for the adoption and meaningful use of health information technology, including electronic health records.
- The Omnibus Rule: This final rule made significant changes to the HIPAA Privacy, Security, and Enforcement Rules, including the expansion of patient rights and the implementation of a tiered civil money penalty structure for HIPAA violations.
- CARES Act: This act amended HIPAA, enabling covered healthcare providers to communicate with patients via telehealth and remote communication technologies to help prevent the spread of COVID-19, and also made some exceptions for sharing protected health information for public health and research purposes.
Health Insurance Portability and Accountability Act (HIPAA) Responsibilities and Accountabilities
The Health Insurance Portability and Accountability Act (HIPAA) places certain responsibilities and accountabilities on covered entities, which include health care providers, health plans, and health care clearinghouses.
- Privacy Rule: Covered entities are responsible for implementing policies and procedures to protect the privacy of individuals’ protected health information (PHI), and are accountable for ensuring that PHI is used and disclosed in accordance with the Privacy Rule.
- Security Rule: Covered entities are responsible for implementing administrative, physical, and technical safeguards to protect electronic protected health information (ePHI) from unauthorized access, use, disclosure, or destruction. They are also responsible for conducting regular risk assessments to identify and address potential security vulnerabilities.
- Breach Notification Rule: Covered entities are responsible for notifying individuals and the Department of Health and Human Services (HHS) in the event of a breach of unsecured PHI.
- Enforcement Rule: Covered entities are accountable for HIPAA compliance and may face penalties for non-compliance.
- HITECH Act: Covered entities are also responsible for using the funding provided under the HITECH Act to adopt and meaningfully use health information technology, including electronic health records.
- The Omnibus Rule: Covered entities are responsible for implementing changes to their HIPAA Privacy, Security, and Enforcement Rules as per the new regulations.
- CARES Act: Covered entities are now responsible for using telehealth and remote communication technologies in compliance with the amendment made by the CARES Act.
Health Insurance Portability and Accountability Act (HIPAA) Sanctions and Remedies
The Health Insurance Portability and Accountability Act (HIPAA) includes several sanctions and remedies for non-compliance with the Privacy, Security, and Enforcement Rules. These include:
- Civil Monetary Penalties: The Department of Health and Human Services (HHS) may impose civil monetary penalties on covered entities for HIPAA violations, with penalties ranging from $100 to $50,000 per violation, up to a maximum of $1.5 million per year for all identical violations.
- Criminal Penalties: Willful violations of HIPAA’s Privacy and Security Rules can result in criminal penalties, including fines and imprisonment.
- Compliance Reviews: The HHS Office for Civil Rights (OCR) may conduct compliance reviews of covered entities to ensure that they are in compliance with HIPAA.
- Technical Assistance: The OCR may provide technical assistance to covered entities to help them understand and comply with HIPAA.
- Voluntary Compliance: The OCR may enter into voluntary compliance agreements with covered entities to correct HIPAA violations and prevent future violations.
- Corrective Action: The OCR may require covered entities to take corrective action, such as implementing new policies and procedures, to address HIPAA violations.
- Civil Action: The OCR may also bring a civil action in federal court to enforce HIPAA.
- Criminal Prosecution: The U.S. Department of Justice (DOJ) may bring criminal prosecution against individuals and entities that violate HIPAA’s Privacy and Security Rules.
It is important to note that, in addition to the sanctions and remedies imposed by the OCR, covered entities may also be liable for damages under state and federal laws, such as state breach notification laws, and state and federal consumer protection laws.