HIPPA - Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule provides national standards for protecting people's medical records and other sensitive health information.

Individuals have rights over their health information under the HIPAA Privacy Rule, including the ability to obtain a copy of their data and request corrections.

The Rule applies to three categories of HIPAA-covered entities: health plans, healthcare clearinghouses, and healthcare providers that undertake certain healthcare transactions electronically to preserve the protected health information (PHI) entrusted to them.

CMS's Original Medicare (fee-for-service) health plan, which covers Medicare Parts A (Hospital Insurance) and B (Medical Insurance), is a HIPAA-compliant business. CMS ensures that Original Medicare's uses and disclosures of PHI comply with HIPAA privacy regulations while providing and promoting high-quality health care to beneficiaries.

Other CMS-administered Medicare plans, such as Medicare Advantage (Part C) and Medicare Drug Plans (Part D), are HIPAA-covered businesses in their own right and are responsible for their own HIPAA compliance.

State Medicaid and Children's Health Insurance Programs and Marketplace plans are all HIPAA-compliant businesses.

Privacy Rule Under HIPAA

The Privacy Rule rules govern how enterprises subject to the Privacy Rule use and disclose people's health information ("protected health information"). These people and organisations are referred to as "covered entities." 

The Privacy Rule also includes rules for individuals' rights to understand and regulate the use of their health information.

The Privacy Rule's main purpose is to guarantee that people's information is appropriately secured while permitting the flow of health information required to deliver and promote high-quality health care and protect the public's health and well-being.

The Privacy Rule establishes a compromise between allowing vital uses of data and preserving the privacy of those seeking care and recovery.

Entities Protected

Individuals and organizations that fall under the following categories are subject to the Privacy Rule and are deemed covered entities:

  1. Healthcare Providers: Any healthcare practitioner who communicates health information electronically in conjunction with specific transactions, regardless of the size of the practice. Claims, benefit eligibility queries, referral authorization requests, and other transactions for which HHS has defined criteria under the HIPAA Transactions Rule are examples of these transactions.
  2. Health Plans: Organizations that offer or pay for medical treatment. Health plans include insurers for health, dental, vision, and prescription drugs; HMOs; Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans are further examples of health plans. A covered entity is a group health plan with fewer than 50 members exclusively administered by the employer that formed and maintained the program.
  3. Healthcare Clearinghouses: Organizations that convert nonstandard information received from another institution into a standard (i.e., standard format or data content), or vice versa. In most cases, healthcare clearinghouses will only receive individually identifiable health information if they act as a business associate for a health plan or healthcare provider.
  4. Business associates: Any person or organization (other than a member of a covered entity's workforce) that uses or discloses individually identifiable health information to perform or provide duties, activities, or services for a covered entity.

HIPAA Security Regulation

The HIPAA Privacy Rule covers protected health information (PHI), whereas the Security Rule protects a subset of the information covered by the Privacy Rule.

This subset includes any personally identifiable health information created, received, maintained, or transmitted electronically by a covered entity. This data is known as "electronically protected health information" (e-PHI).

The Security Rule does not apply to PHI transmitted verbally or in writing.

All covered businesses must perform the following to comply with the HIPAA Security Rule:

  • Ensure the security, integrity, and accessibility of all digitally protected health information.
  • Detect and protect against potential risks to information security.
  • Protect yourself from potentially illegal uses or disclosures.
  • Ensure that their personnel complies.
  • When reviewing requests for these permissible uses and disclosures, covered entities should rely on professional ethics and their best judgment. The HHS Agency enforces HIPAA laws for Civil Rights, and any complaints should be sent to that office. HIPAA infractions can result in both civil and criminal sanctions.