The Health Insurance Portability and Accountability Act of 1996

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is important legislation that helps healthcare organizations protect patients’ privacy so that people feel safe when visiting doctors or getting medical help.

We’ll break down the statute, what HIPAA means for covered entities and patients, and how Compliant can help keep your website on the right side of the law.

HIPAA regulations stop doctors and health insurance companies from revealing medical information or health insurance coverage information without the patient’s consent and approval. When people talk about HIPAA compliance or HIPAA violations, they are usually referring to HIPAA Title II, which addresses healthcare fraud and abuse. Title II also requires national standards for electronic healthcare transactions.

Who is protected by HIPAA?

HIPAA protects everyone who visits a doctor or has medical insurance in the United States. HIPAA applies to health insurance providers, healthcare workers, businesses that work with medical workers, healthcare clearinghouses, and other business associates of covered entities that receive identifiable health information.

What are the three rules of HIPAA?

The United States Department of Health and Human Services has issued three essential rules under HIPAA, explained in the sections below.

The HIPAA Privacy Rule

The Privacy Rule governs the use and disclosure of an individual’s protected health information (PHI) by “covered entities,” including your healthcare facility, health plans, healthcare clearinghouses, and business associates.

The Privacy Rule also gives patients the ability to request copies of their medical information and to request certain corrections be made.

The HIPAA Security Rule

The Security Rule mandates that physicians protect patients' electronic protected health information (ePHI) by using administrative, physical, and technical precautions to guarantee this information’s confidentiality, integrity, and security.

The Breach Notification Rule

The Breach Notification Rule requires covered entities and healthcare providers to alert patients when their PHI is used or released without their knowledge or permission (a “breach,” or data breach).

What records does HIPAA cover?

HIPAA covers all records created, stored, transmitted, or maintained by covered entities. These can include radiographs, paper forms, electronic forms, patient charts, recordings of psychiatric sessions, identifying information about the patient, and verbal information.

However, HIPAA does not apply to the information noted in employment records, even if it would normally fall under HIPAA’s categories of protected information. For this reason, employers are not allowed to require prospective employees to answer questions about their physical or mental health during the screening process.

Additionally, HIPAA designates 18 unique identifiers in patient information. If a covered entity removes these identifiers from a medical record, the remaining information is no longer protected because it can no longer be linked back to the individual patient.

What are the five main components of HIPAA?

There are five Titles within HIPAA addressed in the sections below.

Health Care Access

Title I of HIPAA relates to workers and their dependents when they lose or leave their previous places of work. This title limits the ability of health insurance providers to deny coverage to people because of pre-existing conditions. It assists workers and their families in retaining and finding new healthcare coverage when they switch careers.

Preventing Fraud

The second title of HIPAA lays out policies to maintain patient privacy and explains the punishments for violations. In addition, it establishes a variety of safeguards to prevent or control fraud in the healthcare industry. It also mandates that the Department of Health and Human Services work with covered entities to distribute comprehensive information about the healthcare system to everyone effectively.

Title II also introduces the three rules covered in the section above: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

Tax-Related Health Provisions

Title III of HIPAA sets the amount of money that individuals can save in pre-tax medical savings accounts. These accounts are open to employees with high-deductible health plans provided by their employers and to self-employed people.

Group Health Insurance Requirements

HIPAA’s fourth title sets the conditions under which group health insurance plans apply to individuals with pre-existing conditions. It also allows COBRA to extend medical insurance after an individual leaves or loses employment, while they look for a new employer or a health insurance plan, so that they are never without health insurance.

Revenue Offset for Employees

Title V requires people who decide to give up their United States citizenship to pay a tax before leaving. They also give up their right to privacy, as their names are published on a list of expatriates.

It also relates to the conditions for company-owned life insurance and stops employers from deducting life insurance loans from their taxes.

What does HIPAA say about confidentiality?

Physicians, health insurance providers, and other affiliated entities must maintain confidentiality at all times, according to the patient’s preferences. One example of how doctors protect patient information is by refusing to disclose details about a patient’s condition over the phone, or to someone who cannot prove that they are the next of kin.

At hospitals, doctors will usually find a private area to discuss confidential information with patients or their family members to ensure that information is not revealed to anyone without proper authorization. Another part of HIPAA requires covered entities to regularly share their confidentiality practices with enforcement agencies and the public so that they can be critiqued as necessary.

HIPAA also extends to other healthcare professionals. Doctors are not allowed to share information about their patients with other doctors unless the patient has approved the disclosure or the patient’s health and well-being are at risk. If multiple doctors are treating a single patient, they are allowed to share pertinent information.

It should be noted that there are certain situations in which healthcare professionals are legally required to report otherwise confidential patient information. Some diseases have been designated as posing a risk to public welfare, which means that any healthcare provider who diagnoses such a disease must report it immediately. These diseases include COVID-19, HIV, tuberculosis, and syphilis.

Doctors are also obligated to report possible cases of abuse or neglect found among patients, especially when concerning elders, children, or people who are not legally competent.

How is HIPAA enforced?

HIPAA is enforced through various civil and criminal punishments that depend on the type of violation and how long it persisted. The Office for Civil Rights within the Department of Health and Human Services accepts complaints of HIPAA violations and partners with the Department of Justice to investigate the allegations.

Depending on the severity and classification of the violation, the DHHS decides what type of punishment applies. The lowest level of punishment is for physicians who were unaware that their actions violated HIPAA and could not reasonably have known. For this, they receive a civil penalty of $100 per violation.

If a HIPAA violation becomes a criminal act, it carries a fine of $50,000 to $250,000 and imprisonment for one to ten years. HIPAA violations are not enforceable as criminal acts unless they fall under at least one of three categories:

  • Covered entities who knowingly and willfully obtain or disclose protected patient information in which the patient can be uniquely identified.
  • Covered entities who violate HIPAA knowingly under false pretenses.
  • Covered entities who obtain or disclose protected patient information for personal gain, commercial advantage, or malicious harm.

If someone feels that their rights under HIPAA have been violated, they can file a complaint with the Office for Civil Rights within the Department of Health and Human Services. The appropriate authorities will investigate the complaint to determine whether a violation has occurred and what penalties apply.

How often are HIPAA rules violated?

In the decade spanning 2003 to 2013, 91,000 complaints about HIPAA violations were filed with the US Department of Health and Human Services. However, only 22,000 of those complaints led to legal enforcement, and only 521 of them were prosecutable by the Department of Justice as criminal acts.

HIPAA exists to make sure administrative safeguards are in place to protect patients from unwanted intrusions into their medical information. This can help prevent bias or discrimination against people who are seeking help for physical or mental illnesses. With the steep penalties in place for HIPAA violations, it is essential that any covered entities or affiliates adequately protect any patient information. Contact us today to see how we can help your website stay Compliant with changing laws.