HIPAA is United States legislation that provides data privacy and security provisions for safeguarding medical information. The law has gained greater prominence in recent years with the many health data breaches caused by cyber-attacks and ransomware attacks on health insurers and providers.

The Health Insurance Portability and Accountability Act (HIPAA) was signed by President Bill Clinton on Aug. 21, 1996. HIPAA supersedes state laws regarding the safety of medical information, unless the state law is considered more stringent than HIPAA.


HIPAA, also known as Public Law 104-191, has two main purposes:

  1. To provide continuous health insurance coverage for workers who lose or change their jobs.
  2. To reduce the cost of healthcare by standardizing the electronic transmission of administrative and financial transactions.

Other goals include combating abuse, fraud and waste in health insurance and healthcare delivery, and improving access to long-term care services and health insurance.


  1. Title I: HIPAA Health Insurance Reform.

Title I protects health insurance coverage for individuals who lose or change their jobs. It also prohibits group health plans from denying coverage to individuals with specific diseases and preexisting conditions and from setting lifetime coverage limits.

  2. Title II: HIPAA Administrative Simplification.

Title II directs the U.S. Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.

  3. Title III: HIPAA Tax-Related Health Provisions.

Title III includes tax-related provisions and guidelines for medical care, including provisions that govern medical savings accounts.

  • The Act standardizes the amount that may be saved per person in a pre-tax medical savings account, and
  • Makes medical savings accounts available to employees covered under an employer-sponsored high deductible plan for a small employer and self-employed individuals.

  4. Title IV: Application and Enforcement of Group Health Plan Requirements.

Title IV further defines health insurance reform, including provisions for individuals with preexisting conditions and those seeking continued coverage.

It also specifies conditions for group health plans regarding coverage of persons with pre-existing conditions, modifies and clarifies continuation of coverage requirements, and includes COBRA clarifications.

  5. Title V: Revenue Offsets.

Title V includes provisions on company-owned life insurance and the treatment of those who lose their U.S. citizenship for income tax purposes.

  • Provisions on company-owned life insurance for employers, prohibiting the tax deduction of interest on life insurance loans, company endowments, or contracts related to the company.
  • Repeals the financial institution rule to interest allocation rules.
  • Amends provisions of law relating to people who give up United States citizenship or permanent residence, expanding the expatriation tax to be assessed against those deemed to be giving up their US status for tax reasons.
  • Makes ex-citizens’ names part of the public record through the creation of the Quarterly Publication of Individuals Who Have Chosen to Expatriate.
  • Defines a “significant break” as any 63-day period during which an individual goes without creditable coverage, and allows premiums to be tied to avoiding tobacco use or to body mass index.
  • Requires insurers to issue policies without exclusion to those leaving group health plans with creditable coverage exceeding 18 months, and renew individual policies for as long as they are offered or provide alternatives to discontinued plans for as long as the insurer stays in the market without exclusion regardless of health condition.


These are the entities that are required to follow the HIPAA regulations.

Covered entities include:

  • Health Plans: these include health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Health Care Providers—these are providers that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Health Care Clearinghouses—entities that process non-standard health information they receive from another entity into standard (i.e., standard electronic format or data content), or vice versa.

In addition, business associates of covered entities must follow parts of the HIPAA regulations.

Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:

  • Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
  • Companies that help administer health plans
  • People like outside lawyers, accountants, and IT specialists
  • Companies that store or destroy medical records

Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.


Title I of the Act regulates the availability of group and individual health insurance policies. Title I modified the Employee Retirement Income Security Act, the Public Health Service Act and the Internal Revenue Code, and:

  • Requires the coverage of and limits the restrictions that a group health plan places on benefits for preexisting conditions. Group health coverage may only refuse benefits that relate to preexisting conditions for 12 months after enrollment or 18 months for late enrollment.
  • Enables individuals to limit the exclusion period taking into account how long they were covered before enrolling in the new plan after any periods of a break in coverage.
  • Covers “creditable coverage” which includes nearly all group and individual health plans, Medicare, and Medicaid.

The law also stipulates the methods that can be used for crediting coverage, which include the following.


Under this method, a group health plan, and a health insurance issuer offering group health insurance coverage, should count a period of creditable coverage without regard to the specific benefits covered during the period.


Under this method, a group health plan, or a health insurance issuer offering group health insurance coverage, may make an election; such election should be made on a uniform basis for all participants and beneficiaries. Under such election a group health plan or issuer should count a period of creditable coverage with respect to any class or category of benefits if any level of benefits is covered within such class or category.


In the case of an election with respect to a group health plan (whether or not health insurance coverage is provided in connection with such plan), the plan shall—

  1. prominently state in any disclosure statements concerning the plan, and state to each enrollee at the time of enrollment under the plan, that the plan has made such election, and 
  2. include in such statements a description of the effect of this election.

These periods of creditable coverage with respect to an individual should be established through presentation of certifications in such a manner as may be specified in the regulations.


The certification is a written certification of—

  1. the period of creditable coverage of the individual under such plan and the coverage (if any) under the COBRA continuation provision, and
  2. the waiting period (and affiliation period, if applicable) imposed with respect to the individual for any coverage under such plan.

Disclosure of information on previous benefits.

In the case of an election by a group health plan or health insurance issuer, if the plan or issuer enrolls an individual for coverage under the plan and the individual provides a certification of coverage of the individual:

(A) upon request of such plan or issuer, the entity which issued the certification provided by the individual shall promptly disclose to the issuer information on coverage of classes and categories of health benefits available under such entity’s plan or coverage, and

(B) such entity may charge the requesting plan or issuer for the reasonable cost of disclosing such information.


On matters pertaining to eligibility to enroll, a group health plan, and a health insurance issuer offering group health insurance coverage in connection with a group health plan, may not establish rules for eligibility of any individual to enroll under the terms of the plan based on any of the following health status-related factors in relation to the individual:

  1. Health status.
  2. Medical condition (including both physical and mental illnesses).
  3. Claims experience.
  4. Receipt of health care.
  5. Medical history.
  6. Genetic information.
  7. Evidence of insurability (including conditions arising out of acts of domestic violence).
  8. Disability.


Title II broadly elaborates ways of preventing health care fraud and abuse through the following steps:

  1. Establishes suitable policies and procedures for maintaining the privacy and security of individually identifiable health information, outlines offenses, and creates civil and criminal penalties for violations.
  2. Creates programs to control fraud and abuse and Administrative Simplification rules.
  3. Requires the Department of Health and Human Services (HHS) to increase the efficiency of the health care system by creating standards.

In healthcare circles, adhering to HIPAA Title II is what is commonly referred to as HIPAA compliance. Title II includes the following HIPAA compliance requirements:

  • National Provider Identifier Standard. Each healthcare entity, including individuals, employers, health plans and healthcare providers, has a unique 10-digit National Provider Identifier number, or NPI.
  • Transactions and Code Sets Standard. Healthcare organizations follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.
  • HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule established national standards to protect patient health information.
  • HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information (ePHI) sets standards for patient data security.
  • HIPAA Enforcement Rule. This rule establishes guidelines for investigations into HIPAA compliance violations.


As per the stipulations of the Act, a Fraud and Abuse Control Program was established to perform the following duties:

(A) to coordinate Federal, State, and local law enforcement programs to control fraud and abuse with respect to health plans,

The Act defines a health plan as a plan or program that provides health benefits, whether directly, through insurance, or otherwise, and includes—

  1. a policy of health insurance;
  2. a contract of a service benefit organization; and
  3. a membership agreement with a health maintenance organization or other prepaid health plan.

(B) to conduct investigations, audits, evaluations, and inspections relating to the delivery of and payment for health care in the United States,

(C) to facilitate the enforcement of the provisions of sections 1128, 1128A, and 1128B and other statutes applicable to health care fraud and abuse,

(D) to provide for the modification and establishment of safe harbors and to issue advisory opinions and special fraud alerts pursuant to section 1128D, and

(E) to provide for the reporting and disclosure of certain final adverse actions against health care providers, suppliers, or practitioners pursuant to the data collection system established under section 1128E.

The following guidelines are used to carry out the above program:

(i) GENERAL GUIDELINES – Guidelines concerning the furnishing of information by health plans, providers, and others to enable the Secretary and the Attorney General to carry out the program.

(ii) CONFIDENTIALITY GUIDELINES – Guidelines providing procedures that assure that such information is provided and utilized in a manner that appropriately protects the confidentiality of the information and the privacy of individuals receiving health care services and items.

(iii) QUALIFIED IMMUNITY FOR PROVIDING INFORMATION.—The provisions of section 1157(a) apply to a person providing information to the Secretary or the Attorney General in conjunction with their performance of duties.


The purpose of this program is to promote the integrity of the Medicare program by entering into contracts with eligible entities to carry out the following activities:

(1) Review of the activities of providers of services or other individuals and entities furnishing items and services for which payment may be made, including medical and utilization review and fraud review (employing similar standards, processes, and technologies used by private health plans, including equipment and software technologies which surpass the capability of the equipment and technologies used in the review of claims).

(2) Audit of cost reports.

(3) Determinations as to whether payment should not be, or should not have been, made under this title and the recovery of payments that should not have been made.

(4) Education of providers of services, beneficiaries, and other persons with respect to payment integrity and benefit quality assurance issues.

(5) Developing and periodically updating a list of items of durable medical equipment which are subject to prior authorization.


An entity is eligible to enter into a contract under the Program to carry out any of the activities if—

(1) the entity has demonstrated capability to carry out such activities;

(2) in carrying out such activities, the entity agrees to cooperate with the Inspector General of the Department of Health and Human Services, the Attorney General, and other law enforcement agencies, as appropriate, in the investigation and deterrence of fraud and abuse in relation to this title and in other cases arising out of such activities;

(3) the entity complies with such conflict of interest standards as are generally applicable to Federal acquisition and procurement; and

(4) the entity meets such other requirements as the Secretary may impose. 


The Secretary shall enter into contracts under the Program in accordance with the procedures provided in the regulation. Such procedures shall include the following:

(1) Procedures for identifying, evaluating, and resolving organizational conflicts of interest that are generally applicable to Federal acquisition and procurement.

(2) Competitive procedures to be used (A) when the Secretary is entering into new contracts, (B) when entering into contracts that may result in the elimination of responsibilities of an individual fiscal intermediary or carrier under section 202(b) of HIPAA, and (C) at any other time considered appropriate by the Secretary.


The Secretary should provide for the limitation of a contractor’s liability for actions taken to carry out a contract under the Program, and such regulation shall, to the extent the Secretary finds appropriate, employ the same or comparable standards and other substantive and procedural provisions as provided.



In modifying and establishing safe harbors the Secretary may consider the extent to which providing a safe harbor for the specified payment practice may result in any of the following:

  1. An increase or decrease in access to health care services.
  2. An increase or decrease in the quality of health care services.
  3. An increase or decrease in patient freedom of choice among health care providers.
  4. An increase or decrease in competition among health care providers.
  5. An increase or decrease in the ability of health care facilities to provide services in medically underserved areas or to medically underserved populations.
  6. An increase or decrease in the cost to Federal health care programs (as defined in section 1128B(f)).
  7. An increase or decrease in the potential overutilization of health care services.
  8. The existence or nonexistence of any potential financial benefit to a health care professional or provider which may vary based on their decisions of (i) whether to order a health care item or service; or (ii) whether to arrange for a referral of health care items or services to a particular practitioner or provider.
  9. Any other factors the Secretary deems appropriate in the interest of preventing fraud and abuse in Federal health care programs.


Title III wholly focuses on standardizing the amount that may be saved per person in a pre-tax medical savings account and on making medical savings accounts available to employees covered under an employer-sponsored high deductible plan for a small employer and self-employed individuals.


The Act defines the term ‘medical savings account’ to mean a trust created or organized in the United States exclusively for the purpose of paying the qualified medical expenses of the account holder, but only if the written governing instrument creating the trust meets the following requirements:

(A) No contribution will be accepted (i) unless it is in cash, or (ii) to the extent such contribution, when added to previous contributions to the trust for the calendar year, exceeds 75 percent of the highest annual limit deductible for such calendar year.

(B) The trustee is a bank, an insurance company, or another person who demonstrates to the satisfaction of the Secretary that the manner in which such person will administer the trust will be consistent with the requirements of this section.

(C) No part of the trust assets will be invested in life insurance contracts.

(D) The assets of the trust will not be commingled with other property except in a common trust fund or common investment fund.

(E) The interest of an individual in the balance in his account is nonforfeitable.

Section 220 of the Act provides for everything that pertains to medical savings accounts.


In the case of an individual who is an eligible individual for any month during the taxable year, there shall be allowed as a deduction for the taxable year an amount equal to the aggregate amount paid in cash during such taxable year by such individual to a medical savings account of such individual.


The amount that is allowed as  a deduction to an individual for the taxable year shall not exceed the sum of the monthly limitations for months during such taxable year that the individual is an eligible individual.


The monthly limitation for any month is the amount equal to 1⁄12 of

(A) in the case of an individual who has self-only coverage under the high deductible health plan as of the first day of such month, 65 percent of the annual deductible under such coverage, and

(B) in the case of an individual who has family coverage under the high deductible health plan as of the first day of such month, 75 percent of the annual deductible under such coverage.


In the case of a married couple, if either spouse has family coverage:

(A) both spouses shall be treated as having only such family coverage (and if such spouses each have family coverage under different plans, as having the family coverage with the lowest annual deductible), and


  1. EMPLOYEES.—The deduction allowed for contributions as an eligible individual should not exceed such individual’s wages, salaries, tips, and other employee compensation which are attributable to such individual’s employment by the employer.
  2. SELF-EMPLOYED INDIVIDUALS.—The deduction allowed herein should not exceed such individual’s earned income derived by the taxpayer from the trade or business with respect to which the high deductible health plan is established.

The limitations under this paragraph shall be determined without regard to community property laws.


No deduction shall be allowed under this section for any amount paid for any taxable year to a medical savings account of an individual if—

  1. any amount is contributed to any medical savings account of such individual for such year which is excludable from gross income.
  2. if such individual’s spouse is covered under the high deductible health plan covering such individual, any amount is contributed for such year to any medical savings account of such spouse which is so excludable.

(6) DENIAL OF DEDUCTION TO DEPENDENTS.—No deduction shall be allowed under this section to any individual with respect to whom a deduction under section 151 is allowable to another taxpayer for a taxable year beginning in the calendar year in which such individual’s taxable year begins.



A medical savings account is exempt from taxation under this subtitle unless such account has ceased to be a medical savings account.


Rules similar to the rules of paragraphs (2) and (4) of section 408(e) shall apply to medical savings accounts, and any amount treated as distributed under such rules shall be treated as not used to pay qualified medical expenses.



Any amount paid or distributed out of a medical savings account which is used exclusively to pay qualified medical expenses of any account holder shall not be includible in gross income.


Any amount paid or distributed out of a medical savings account which is not used exclusively to pay the qualified medical expenses of the account holder shall be included in the gross income of such holder.



If any excess contribution is contributed for a taxable year to any medical savings account of an individual, paragraph (2) shall not apply to distributions from the medical savings accounts of such individual (to the extent such distributions do not exceed the aggregate excess contributions to all such accounts of such individual for such year) if—

(i) such distribution is received by the individual on or before the last day prescribed by law (including extensions of time) for filing such individual’s return for such taxable year, and

(ii) such distribution is accompanied by the amount of net income attributable to such excess contribution. Any net income described in clause (ii) shall be included in the gross income of the individual for the taxable year in which it is received.


The term ‘excess contribution’ means any contribution (other than a rollover contribution) which is neither excludable from gross income nor deductible.



The tax imposed by this chapter on the account holder for any taxable year in which there is a payment or distribution from a medical savings account of such holder which is includible in gross income shall be increased by 15 percent of the amount which is so includible.


Subparagraph (A) shall not apply if the payment or distribution is made after the account holder becomes disabled or dies.


Subparagraph (A) shall not apply to any payment or distribution after the date on which the account holder attains the age specified in section 1811 of the Social Security Act.

(5) ROLLOVER CONTRIBUTION.—An amount is described in this paragraph as a rollover contribution if it meets the following requirements:

  1. IN GENERAL – Any amount paid or distributed from a medical savings account to the account holder to the extent the amount received is paid into a medical savings account for the benefit of such holder not later than the 60th day after the day on which the holder receives the payment or distribution.
  2. LIMITATION – This paragraph shall not apply to any amount received by an individual from a medical savings account if, at any time during the 1-year period ending on the day of such receipt, such individual received any other amount from a medical savings account which was not includible in the individual’s gross income.


For purposes of determining the amount of the deduction under section 213, any payment or distribution out of a medical savings account for qualified medical expenses shall not be treated as an expense paid for medical care.


The transfer of an individual’s interest in a medical savings account to an individual’s spouse or former spouse under a divorce or separation instrument should not be considered a taxable transfer made by such individual notwithstanding any other provision of this subtitle, and such interest shall, after such transfer, be treated as a medical savings account with respect to which such spouse is the account holder.


(A) TREATMENT IF DESIGNATED BENEFICIARY IS SPOUSE – If the account holder’s surviving spouse acquires such holder’s interest in a medical savings account by reason of being the designated beneficiary of such account at the death of the account holder, such medical savings account shall be treated as if the spouse were the account holder.

(B) (i) IN GENERAL.—If, by reason of the death of the account holder, any person acquires the account holder’s interest in a medical savings account, (I) such account shall cease to be a medical savings account as of the date of death, and (II) an amount equal to the fair market value of the assets in such account on such date shall be includible, if such person is not the estate of such holder, in such person’s gross income for the taxable year which includes such date, or, if such person is the estate of such holder, in such holder’s gross income for the last taxable year of such holder.

(ii) REDUCTION OF INCLUSION FOR PRE-DEATH EXPENSES.—The amount includible in gross income under clause (i) by any person (other than the estate) shall be reduced by the amount of qualified medical expenses which were incurred by the decedent before the date of the decedent’s death and paid by such person within 1 year after such date.

(iii) DEDUCTION FOR ESTATE TAXES.—An appropriate deduction shall be allowed to any person (other than the decedent or the decedent’s spouse) with respect to amounts included in gross income under clause (i) by such person.

(g) COST-OF-LIVING ADJUSTMENT.—In the case of any taxable year beginning in a calendar year after 1998, each dollar amount shall be increased by an amount equal to—

(1) such dollar amount, multiplied by

(2) the cost-of-living adjustment determined for the calendar year in which such taxable year begins by substituting ‘calendar year 1997’ for ‘calendar year 1992’. If any increase under the preceding sentence is not a multiple of $50, such increase shall be rounded to the nearest multiple of $50.

(h) REPORTS.—The Secretary may require the trustee of a medical savings account to make such reports regarding such account to the Secretary and to the account holder with respect to contributions, distributions, and such other matters as the Secretary determines appropriate. The reports required by this subsection shall be filed at such time and in such manner and furnished to such individuals at such time and in such manner as may be required by the Secretary.


In this title we shall tackle the following subtitles:

  1. Application and Enforcement of Group Health Plan Requirements
  2. Group health plan portability, access, and renewability requirements.
  3. Penalty on failure to meet certain group health plan requirements.
  4. COBRA clarifications.


(A) IN GENERAL – The term ‘preexisting condition exclusion’ means, with respect to coverage, a limitation or exclusion of benefits relating to a condition based on the fact that the condition was present before the date of enrollment for such coverage, whether or not any medical advice, diagnosis, care, or treatment was recommended or received before such date.

(B) TREATMENT OF GENETIC INFORMATION – For purposes of this section, genetic information shall not be treated as a condition described in subsection (a)(1) in the absence of a diagnosis of the condition related to such information.

(2) ENROLLMENT DATE – The term ‘enrollment date’ means, with respect to an individual covered under a group health plan, the date of enrollment of the individual in the plan or, if earlier, the first day of the waiting period for such enrollment.

(3) LATE ENROLLEE – The term ‘late enrollee’ means, with respect to coverage under a group health plan, a participant or beneficiary who enrolls under the plan other than during— (A) the first period in which the individual is eligible to enroll under the plan, or (B) a special enrollment period under subsection (f).

(4) WAITING PERIOD- The term ‘waiting period’ means, with respect to a group health plan and an individual who is a potential participant or beneficiary in the plan, the period that must pass with respect to the individual before the individual is eligible to be covered for benefits under the terms of the plan.


(1) CREDITABLE COVERAGE DEFINED.—For purposes of this part, the term ‘creditable coverage’ means, with respect to an individual, coverage of the individual under any of the following:

(A) A group health plan.

(B) Health insurance coverage.

(C) Part A or part B of title XVIII of the Social Security Act.

(D) Title XIX of the Social Security Act, other than coverage consisting solely of benefits under section 1928.

(E) Chapter 55 of title 10, United States Code.

(F) A medical care program of the Indian Health Service or of a tribal organization.

(G) A State health benefits risk pool.

(H) A health plan offered under chapter 89 of title 5, United States Code.

(I) A public health plan (as defined in regulations).

(J) A health benefit plan under section 5(e) of the Peace Corps Act (22 U.S.C. 2504(e)). Such term does not include coverage consisting solely of coverage of excepted benefits (as defined in section 9805(c)).


(A) IN GENERAL – The term ‘health insurance coverage’ means benefits consisting of medical care (provided directly, through insurance or reimbursement, or otherwise) under any hospital or medical service policy or certificate, hospital or medical service plan contract, or health maintenance organization contract offered by a health insurance issuer.

(B) NO APPLICATION TO CERTAIN EXCEPTED BENEFITS – Certain benefits shall not be treated as benefits consisting of medical care.

(2) HEALTH INSURANCE ISSUER.—The term ‘health insurance issuer’ means an insurance company, insurance service, or insurance organization (including a health maintenance organization) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of section 514(b)(2) of the Employee Retirement Income Security Act of 1974, as in effect on the date of the enactment of this section). Such term does not include a group health plan.

(3) HEALTH MAINTENANCE ORGANIZATION.—The term ‘health maintenance organization’ means:

(A) a federally qualified health maintenance organization (as defined in section 1301(a) of the Public Health Service Act (42 U.S.C. 300e(a))),

(B) an organization recognized under State law as a health maintenance organization, or

(C) a similar organization regulated under State law for solvency in the same manner and to the same extent as such a health maintenance organization. 


For purposes of this chapter, the term ‘excepted benefits’ means benefits under one or more (or any combination thereof) of the following:


(A) Coverage only for accident, or disability income insurance, or any combination thereof.

(B) Coverage issued as a supplement to liability insurance.

(C) Liability insurance, including general liability insurance and automobile liability insurance.

(D) Workers’ compensation or similar insurance.

(E) Automobile medical payment insurance.

(F) Credit-only insurance.

(G) Coverage for on-site medical clinics.

(H) Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.


(a) GENERAL RULE.—There is hereby imposed a tax on any failure of a group health plan to meet the requirements of chapter 100 (relating to group health plan portability, access, and renewability requirements).


(1) IN GENERAL.—The amount of the tax imposed on any failure shall be $100 for each day in the noncompliance period with respect to each individual to whom such failure relates.

(2) NONCOMPLIANCE PERIOD.—For purposes of this section, the term ‘noncompliance period’ means, with respect to any failure, the period—

(A) beginning on the date such failure first occurs, and

(B) ending on the date such failure is corrected.


The Department of Health and Human Services (HHS) aids in increasing the efficiency of the health care system by creating standards.

HHS initiated five rules to enforce Administrative Simplification:

  1. Privacy Rule
  2. Transactions and Code Sets Rule
  3. Security Rule
  4. Unique Identifiers Rule
  5. Enforcement Rule

Privacy Rule

The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by “covered entities.” These entities include health care clearinghouses, health insurers, employer-sponsored health plans, and medical providers. Upon request, covered entities must disclose PHI to an individual within 30 days. Entities mentioned earlier must provide and disclose PHI as required by law enforcement for the investigation of suspected child abuse.

  • Covered entities may disclose PHI to law enforcement if requested to do so by court orders, court-ordered warrants, subpoenas, and administrative requests.
  • A covered entity may reveal PHI to facilitate treatment, payment, or health care operations without a patient’s written authorization.
  • Any other disclosures of PHI require the covered entity to obtain prior written authorization.
  • When a covered entity discloses PHI, it must make a reasonable effort to share only the minimum necessary information.
  • The Privacy Rule gives individuals the right to demand that a covered entity correct any inaccurate PHI, and it requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals.
  • The Privacy Rule requires covered entities to notify individuals of PHI use, keep track of disclosures, and document privacy policies and procedures.


Right to Access

The Privacy Rule requires medical providers to give individuals PHI access when an individual requests information in writing. A provider has 30 days to provide a copy of the information to the individual. An individual may request the information in electronic form or hard-copy.

  • Individuals have the right to access all health-related information (except psychotherapy notes of a provider, and information gathered by a provider to defend against a lawsuit).
  • Providers may charge a reasonable amount for copying costs. However, no charge is allowable when providing data electronically from a certified electronic health record (EHR) using the “view, download, and transfer” function.
  • An individual may authorize delivery of information using either encrypted or unencrypted email, media, direct messaging, or other methods. When using unencrypted delivery, an individual must understand and accept the risks of data transfer.
  • An individual may request in writing that their PHI be delivered to a third party.
  • An individual may request in writing that their provider send PHI to a designated service used to collect or manage their records, such as a Personal Health Record application.

Relative Disclosure

Hospitals may not reveal information over the phone to relatives of admitted patients.

  • This has impeded the location of missing persons: after airline crashes, for example, hospitals have been reluctant to disclose the identities of passengers being treated, making it difficult for relatives to locate them.

The following entities are covered by the Privacy Rule:

The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”). 

  1. Health Plans.

Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.

Two types of government-funded programs are not health plans:

(1) those whose principal purpose is not providing or paying the cost of health care, such as the food stamps program; and

(2) those programs whose principal activity is directly providing health care, such as a community health center, or the making of grants to fund the direct provision of health care.

Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance. If an insurance entity has separable lines of business, one of which is a health plan, the HIPAA regulations apply to the entity with respect to the health plan line of business.

  2. Health Care Providers.

Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as email, does not mean a health care provider is a covered entity; the transmission must be in connection with a standard transaction. The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.

  3. Health Care Clearinghouses.

Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate. In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse’s uses and disclosures of protected health information. Health care clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.

What Information is Protected

Protected Health Information.

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

PHI includes but is not limited to the following:

  • a patient’s name, address, birth date, Social Security number, biometric identifiers or other personally identifiable information (PII);
  • an individual’s past, present or future physical or mental health condition;
  • any care provided to an individual; and
  • information concerning the past, present or future payment for the care provided to the individual that identifies the patient or information for which there is a reasonable basis to believe could be used to identify the patient.

PHI does not include the following:

  • employment records, including information about education, as well as other records subject to or defined in the Family Educational Rights and Privacy Act (FERPA); and
  • deidentified data, meaning data that does not identify or provide information that could identify an individual — there are no restrictions to its use or disclosure.

Specific examples of PHI include a medical record, laboratory report or hospital bill because these documents contain identifying information — the patient’s name, for example — associated with health data.

One example of information that is not PHI would be blood pressure or heart rate data collected by a consumer health device, like a smartwatch, because it is not shared with a covered entity.

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information:

(1) a formal determination by a qualified statistician; or

(2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
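The second path above, removal of specified identifiers, is the one that is usually automated, and the "no actual knowledge" condition is what makes a naive field-dropping script insufficient: identifiers routinely survive in free-text fields. The following is an added example (not code from the original page) that strips the identifier categories the page names (name, address, birth date, Social Security number, biometric identifiers, and identifiers of relatives, household members and employers), then scans what remains before declaring the record de-identified. Field names and the sample record are constructed; reducing dates to the year follows the Safe Harbor method and is an assumption here, as is modelling the actual-knowledge test as an explicit reviewer attestation.

```python
"""De-identifying a health record by removing specified identifiers.

Added example, not code from the original page. Field names and the sample
record are constructed. Assumptions: dates are reduced to the year (as the
Safe Harbor method does), and the "no actual knowledge" test on the remaining
information is modelled as an explicit reviewer attestation.
"""
import re

# Constructed field names for identifiers that are removed outright.
DIRECT_IDENTIFIERS = {
    "name", "address", "ssn", "biometric_id",
    "employer", "relatives", "household_members",
}
# Constructed field names holding dates; these are generalised to the year.
DATE_FIELDS = {"birth_date", "admission_date"}

ISO_DATE_RE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "address": "12 Sample Street, Anytown",
    "ssn": "123-45-6789",
    "birth_date": "1984-07-19",
    "admission_date": "2023-03-02",
    "biometric_id": "fp-constructed-0001",
    "employer": "Example Corp",
    "relatives": ["John Example"],
    "diagnosis_code": "EXAMPLE-01",
    "notes": "Seen 2023-03-02 for follow-up; prior SSN on file 123-45-6789.",
}


def generalize_date(value: str) -> str:
    """Keep only the year of an ISO yyyy-mm-dd date."""
    m = ISO_DATE_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"not an ISO date: {value!r}")
    return m.group(1)


def remove_identifiers(record: dict) -> dict:
    """Drop direct identifiers and reduce date fields to the year."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        out[key] = generalize_date(value) if key in DATE_FIELDS else value
    return out


def residual_identifier_hits(record: dict) -> list:
    """Flag identifier-shaped data left in string fields after structured removal."""
    hits = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        if SSN_RE.search(value):
            hits.append(f"{key}: SSN pattern")
        if ISO_DATE_RE.search(value):
            hits.append(f"{key}: full date")
    return hits


def redact_free_text(record: dict) -> dict:
    """Scrub SSN patterns and reduce full dates to the year inside string fields."""
    out = {}
    for key, value in record.items():
        if isinstance(value, str):
            value = SSN_RE.sub("[SSN removed]", value)
            value = ISO_DATE_RE.sub(lambda m: m.group(1), value)
        out[key] = value
    return out


def is_deidentified(record: dict, reviewer_has_no_actual_knowledge: bool) -> bool:
    """Removal is adequate only if nothing identifying remains and the covered
    entity has no actual knowledge that the rest could identify the individual."""
    return not residual_identifier_hits(record) and reviewer_has_no_actual_knowledge


if __name__ == "__main__":
    stripped = remove_identifiers(SAMPLE_RECORD)
    print("after structured removal:", residual_identifier_hits(stripped))
    clean = redact_free_text(stripped)
    print("after free-text scrub:", residual_identifier_hits(clean))
    print("de-identified:", is_deidentified(clean, reviewer_has_no_actual_knowledge=True))
```

Run as written, the structured pass leaves two hits in the `notes` field, which is exactly the case the "no actual knowledge" condition is aimed at; only after the free-text scrub, and with the reviewer's attestation, does `is_deidentified` return true. The pattern list here is deliberately short; a production pipeline would cover the full identifier set and the non-ISO date formats real records contain.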

Administrative requirements

The Privacy Rule lays out certain administrative requirements that covered entities must have in place.

These requirements include the following:

  • A privacy official, such as a chief privacy officer (CPO), must be appointed who is responsible for developing and implementing policies and procedures at a covered entity.
  • Employees, including volunteers and trainees, must be trained on policies and procedures.
  • Appropriate administrative, technical and physical safeguards must be maintained to protect the privacy of PHI in a covered entity.
  • A process for individuals to make complaints concerning policies and procedures must be in place at a covered entity.
  • If PHI is disclosed in violation of its policies and procedures, a covered entity must mitigate, to the fullest extent practicable, any harmful effects.

HIPAA-permitted uses and disclosures

The HIPAA Privacy Rule defines when a covered entity may use or disclose an individual’s PHI. There are two conditions in which use or disclosure is allowed:

  1. if the Privacy Rule specifically permits or requires it — if the covered entity is using the data itself, or transmitting it to another covered entity, the Privacy Rule permits it; and
  2. if the subject of the information gives written authorization.

These stipulations aim to facilitate the interoperability of the health information technology (IT) environment by making sure that electronic health information is made available to the right people at the right time. In certain cases — like a national emergency (a pandemic, for example) — parts of the Privacy Rule may be changed to permit PHI disclosure that would, in normal circumstances, be a violation.

HIPAA Privacy Rule penalties

Under the HIPAA Privacy Rule, falling victim to a healthcare data breach, as well as failing to give patients access to their PHI, could result in a fine from the HHS Office for Civil Rights (OCR).

Privacy rule penalties vary depending on the severity of the infraction. They are split into four categories:

  1. Unknowingly violating HIPAA is $100 per violation, with an annual maximum of $25,000 for repeat violations.
  2. Reasonable cause for violating HIPAA is $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
  3. Willful neglect of HIPAA, but the violation is corrected within a given time period, is $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
  4. Willful neglect of HIPAA, and the violation remains uncorrected, is $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.

Covered entities and individuals who intentionally obtain or disclose PHI in violation of the HIPAA Privacy Rule can be fined up to $50,000 and receive up to one year in prison. If the HIPAA Privacy Rule is violated under false pretenses, the penalties can be increased to a $100,000 fine and up to 10 years in prison.

Organizations can lower their risk of regulatory action through HIPAA compliance training programs. OCR offers guidance through educational programs on complying with privacy and security rules. A number of consultancies and training groups offer programs as well. Healthcare providers may also choose to create their own training programs, which often encompass each organization’s current HIPAA privacy and security policies, the HITECH Act, mobile device management (MDM) processes and other applicable guidelines.

While there is no official HIPAA compliance certification program, training companies offer certification credentials to indicate an understanding of the guidelines and regulations specified by the act.


HIPAA Security Rule

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. The Security Rule defines confidentiality to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality HIPAA requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. Under the Security Rule, integrity means that e-PHI is not altered or destroyed in an unauthorized manner. Availability means that e-PHI is accessible and usable on demand by an authorized person.

HHS recognizes that covered entities range from the smallest provider to the largest, so the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments.

When a covered entity is deciding which security measures to use, the Security Rule does not dictate those measures but requires the covered entity to consider:

  1. Its size, complexity, and capabilities
  2. Its technical, hardware, and software infrastructure
  3. The costs of security measures
  4. The likelihood and possible impact of potential risks to e-PHI.

Covered entities must review and modify their security policies to continue protecting e-PHI in their ever-changing environment.

HIPAA Risk Analysis and Management

The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.

A risk analysis process includes, but is not limited to, the following activities:

  • Evaluate the likelihood and impact of potential risks to e-PHI;
  • Implement appropriate security measures to address the risks identified in the risk analysis;
  • Document the chosen security measures and, where required, the rationale for adopting those measures;
  • Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

Administrative Safeguards

  1. Security Management Process: A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
  2. Security Personnel: A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
  3. Information Access Management: The Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).
  4. Workforce Training and Management: A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
  5. Evaluation: A covered entity must perform a periodic assessment of how well its security policies and procedures meet the HIPAA requirements of the Security Rule.
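Two of the obligations above, role-based authorization of access to e-PHI (item 3) and the regular review of access records to detect security incidents (described under risk analysis), are easiest to understand when the same policy drives both. The following is an added example, not code from the original page or from HHS: a small role-to-record-class policy gates each access and writes an audit line, and a review routine later reads those lines back looking for repeated denials, unusually broad patient access, and past accesses that the current roster no longer permits. The roles, users, record classes, thresholds and log entries are all constructed.

```python
"""Role-based access to e-PHI with an audit trail, and a periodic review of it.

Added example, not code from the original page. Roles, users, record classes,
thresholds and log entries are constructed. Assumption: one small
role-to-record-class policy drives both the access decision and the review.
"""
import json
from collections import Counter, defaultdict

# Constructed policy: the classes of e-PHI each role may read.
ROLE_POLICY = {
    "physician": {"clinical_note", "lab_result", "billing"},
    "nurse": {"clinical_note", "lab_result"},
    "billing_clerk": {"billing"},
}

# Constructed workforce roster; u-dave holds no current role (left the workforce).
USER_ROLES = {"u-alice": "physician", "u-bob": "nurse", "u-carol": "billing_clerk"}


def is_authorized(user: str, record_class: str) -> bool:
    """Role-based check: the user's current role must permit this record class."""
    role = USER_ROLES.get(user)
    return role is not None and record_class in ROLE_POLICY.get(role, set())


def access_record(user: str, patient_id: str, record_class: str, audit_log: list) -> bool:
    """Decide the request and always append one audit line, allowed or not."""
    allowed = is_authorized(user, record_class)
    audit_log.append(json.dumps({
        "user": user, "patient": patient_id, "class": record_class, "allowed": allowed,
    }))
    return allowed


def review_access_log(lines: list, denied_threshold: int = 3, patient_threshold: int = 5) -> list:
    """Periodic review of the audit trail. Flags three constructed indicators:
    repeated denied attempts, unusually broad patient access, and past accesses
    that the current role policy would no longer permit."""
    denied = Counter()
    patients = defaultdict(set)
    findings = []
    for line in lines:
        entry = json.loads(line)
        user, record_class = entry["user"], entry["class"]
        if not entry["allowed"]:
            denied[user] += 1
            continue
        patients[user].add(entry["patient"])
        if not is_authorized(user, record_class):
            findings.append(f"{user} accessed {record_class} outside current role")
    for user, count in denied.items():
        if count >= denied_threshold:
            findings.append(f"{user}: {count} denied e-PHI access attempts")
    for user, seen in patients.items():
        if len(seen) >= patient_threshold:
            findings.append(f"{user}: accessed {len(seen)} distinct patients")
    return sorted(findings)


def build_sample_log() -> list:
    """Constructed audit trail: normal use, repeated denials, broad access, and
    one historical entry by a user who no longer holds a role."""
    log = []
    access_record("u-carol", "p-001", "billing", log)
    for _ in range(3):
        access_record("u-bob", "p-001", "billing", log)  # nurse reading billing: denied
    for n in range(1, 6):
        access_record("u-alice", f"p-{n:03d}", "clinical_note", log)
    log.append(json.dumps({"user": "u-dave", "patient": "p-002",
                           "class": "lab_result", "allowed": True}))
    return log


if __name__ == "__main__":
    for finding in review_access_log(build_sample_log()):
        print(finding)
```

The thresholds are placeholders; in practice they come out of the covered entity's own risk analysis, which is the point the text makes about measures being scaled to the organization. Writing the audit line before returning the decision, and writing it for denied requests too, is what makes the later review possible at all.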