The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. It helps to regulate and protect Personal Health Information, or PHI. Per the letter of the law, covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.

HIPAA helped re-shape the way information was handled and disposed of in the health care industry.

  • It provides a way to help workers (and their families) transfer and continue their health insurance coverage if or when they lose or change jobs.
  • It helps create a set of industry-wide standards for billing and processes, specifically electronic billing.
  • It mandates the protection and confidential handling of PHI.
  • Most importantly, it aims to reduce health care fraud and abuse.

The security requirements of this law are covered in its Privacy Rule and Security Rule. HIPAA requirements were later modified as part of the Health Information Technology for Economic and Clinical Health Act, or HITECH. These laws and requirements are overseen by the Office for Civil Rights in the Department of Health and Human Services.

HIPAA security rules changed again with the American Recovery and Reinvestment Act.  Some of these changes included:

  • Who is covered under HIPAA: The law now places the same security requirements on business associates as on covered entities, which includes the administrative, physical, and technical safeguards mandated by the Security Rule. Businesses are now required to appoint a security official, develop written procedures, and train their workforce on safeguarding private health information. They are now also subject to civil and criminal penalties under HIPAA.
  • New security breach notification requirements: Covered entities and businesses must notify individuals of security breaches that occur when PHI is compromised through accidental exposure or theft. This notification must be via mail or email, depending on the preferences of the individual.

    Large security breaches (more than 500 individuals) require that a “prominent media outlet” and the Department of Health and Human Services (HHS) also be notified, and that a website run by HHS be maintained and updated with public disclosure of breaches.

  • Penalties for security violations increased significantly: The fine per violation grew from $100 per individual with a cap of $25,000 to $1,000 per individual with a cap of $100,000, along with a fine of $10,000 for willful neglect that caps at $250,000. A $50,000 fine with a cap of $1.5 million per calendar year will be imposed if problems are not corrected properly.
  • Expansion of who may sue for HIPAA violations: Fines for violations can now go to individuals and their lawyers, which dramatically increases the incentive for lawyers to bring lawsuits. State Attorneys General can also bring action against covered entities and businesses on behalf of their residents.

HIPAA has changed the health care landscape, bringing unprecedented protection for Americans and increased accountability for health care providers and their business associates. To learn more, please visit the US Department of Health and Human Services.