The Health Insurance Portability and Accountability Act (HIPAA) is a piece of federal legislation in the United States that provides national standards for protecting the privacy of personal health data. It prevents health care providers, insurers, and other official entities from disclosing sensitive information about a patient’s health without the patient’s knowledge and consent.
HIPAA was signed into law by President Bill Clinton in 1996. It was created to address the evolving threats to patient privacy and set standards for sharing protected health information (PHI) as safely and efficiently as possible.
At the time, Congress recognized the potential issues that could arise with the digitization of healthcare data, so it needed to add subsequent protections that addressed the changing landscape of healthcare technology. Because of this, the legislation didn’t take full effect until 2002.
In 2013, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the Final Omnibus Rule. This rule expanded jurisdiction to business associates who work with PHI, including contractors or subcontractors. It also provided clarification for the distinction between a security incident and a security breach, as well as when a covered entity is required to report a breach.
Protected health information (PHI) is any information that connects an individual’s identity to their health data. This includes but is not limited to:
PHI does not include employment records or information that cannot be traced back to an individual. From a research perspective, this type of information is used to identify public health trends, improve care, and support healthcare legislation. HIPAA outlines two different ways of de-identifying PHI so it can be used without risking patient privacy: the Expert Determination method and the Safe Harbor method.
The Expert Determination method involves consulting a statistician or other expert who can determine how many direct identifiers can be removed while maintaining a “very small” risk that the health data could be used to identify the individual patient. This method requires documentation of the expert’s analysis to justify the determination.
The second option, called the Safe Harbor method, involves removing all of the following 18 direct identifiers from health data:
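As an added example (not code from this article), the following Python sketch applies the Safe Harbor approach to one patient record: it drops direct-identifier fields, keeps only the year of dates, collapses ages over 89 into a single "90+" bucket (and removes the birth year in that case), truncates ZIP codes to their first three digits, and scrubs a few obvious identifier patterns from free text. The field names, the restricted ZIP prefixes and the sample record are constructed for the demo; the handling rules follow the Safe Harbor standard as codified at 45 CFR 164.514(b)(2), not a list on this page.

```python
"""Safe Harbor style de-identification of a single patient record.

Added illustration, not code from the article. Field names, the restricted
ZIP3 set and the sample record are constructed; the handling rules follow
45 CFR 164.514(b)(2) as the author of this example understands them.
"""
import re
from datetime import date

# Direct-identifier fields dropped outright. The names are an assumed schema;
# the categories (names, contact details, SSN, MRN, plan/account numbers,
# licence, vehicle and device IDs, URLs, IPs, biometrics, photos) are Safe Harbor's.
DROP_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# ZIP3 prefixes covering fewer than 20,000 people must become "000".
# Constructed placeholder values; real ones come from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Coarse free-text patterns (constructed). They catch only the obvious cases;
# a production pipeline needs a vetted text de-identification toolkit.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def generalize_zip(zip_code, restricted=RESTRICTED_ZIP3):
    """Keep the first three digits, or "000" for a restricted prefix; None if unparsable."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return None  # drop rather than guess
    prefix = digits[:3]
    return "000" if prefix in restricted else prefix


def year_only(value):
    """Reduce an ISO date (YYYY-MM-DD) to its year; None if it does not parse."""
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(value))
    return m.group(1) if m else None


def scrub_text(text):
    """Replace identifier-looking substrings in free text with placeholder tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def age_on(dob, as_of):
    """Whole years between an ISO date of birth and a reference date."""
    born = date.fromisoformat(dob)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def deidentify(record, as_of=None, restricted_zip3=RESTRICTED_ZIP3):
    """Return a new dict containing only Safe Harbor-permitted fields."""
    as_of = as_of or date.today()
    over_89 = False
    if "dob" in record:
        try:
            over_89 = age_on(record["dob"], as_of) > 89
        except ValueError:
            pass  # unparsable DOB is dropped below anyway
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            # Birth year is itself indicative of age when the person is over 89.
            year = None if (key == "dob" and over_89) else year_only(value)
            if year:
                out[key + "_year"] = year
            continue
        if key == "zip":
            zip3 = generalize_zip(value, restricted_zip3)
            if zip3:
                out["zip3"] = zip3
            continue
        if key == "age":
            out["age"] = "90+" if int(value) > 89 else int(value)
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    if over_89:
        out["age"] = "90+"
    return out


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "street_address": "1 Example Way",
    "dob": "1929-06-15",
    "admit_date": "2021-03-02",
    "zip": "02139",
    "diagnosis_code": "E11.9",
    "notes": "Patient phoned from 617-555-0199 about follow-up; DOB 1929-06-15.",
}


def deidentify_sample(dob="1929-06-15"):
    """Run the sample through deidentify() with a fixed reference date of 2021-05-01."""
    record = dict(SAMPLE_RECORD, dob=dob)
    return deidentify(record, as_of=date(2021, 5, 1))


if __name__ == "__main__":
    print(deidentify_sample())
```

Dropping structured fields is the easy half; the free-text scrub above is deliberately coarse, and Safe Harbor additionally requires that the covered entity has no actual knowledge the remaining data could identify the individual. When truncating dates and ZIP codes destroys too much research value, the Expert Determination method described above is the alternative.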
HIPAA guidelines and requirements apply to four entities that work with patient PHI:
The HIPAA legislation is outlined in five titles.
Title I protects health insurance coverage for workers who lose their job or get a new job at a different company. This is known as health insurance portability. It prevents group health plans from denying coverage based on pre-existing conditions or any other type of discrimination against employees or their dependent family members based on health factors. It also ensures individuals have opportunities to enroll in a group health plan or change their coverage if they experience certain life events like getting married, becoming a parent, or turning 26 years old.
Title II requires HHS to create national standards for:
Title III designates how much money an individual may contribute pre-tax to a medical savings account (MSA). These accounts are coupled with high-deductible health plans (HDHPs), which come with lower monthly premiums and higher deductibles. MSAs function similarly to health savings accounts (HSAs), which were introduced under separate legislation in 2003.
Title IV defines insurance reform for group health plans, including those for individuals with pre-existing conditions and continual coverage requirements through COBRA.
Title V includes provisions for company-owned life insurance and repeals interest allocation rules for financial institutions. It also expands an expatriation tax to individuals who are deemed to be giving up their U.S. citizenship for tax reasons.
HIPAA compliance is sometimes a moving target. Since Congress introduced the legislation in 1996, HHS has added rules to HIPAA Title II to clarify what organizations need to do to maintain HIPAA compliance.
The Standards for Privacy of Individually Identifiable Health Information, also known as the Privacy Rule, took effect in 2003 to set standards for the protection of PHI. This rule defines the circumstances under which PHI can be used or shared, as well as the appropriate means for using or sharing it. It also limits the actions covered entities can take with PHI if the patient hasn’t provided express authorization for it to be used.
The Security Standards for the Protection of Electronic Protected Health Information, also known as the Security Rule, took effect in 2003 alongside the Privacy Rule. This rule standardizes three types of security measures across all covered entities:
Last but not least, HHS introduced the Enforcement Rule in 2006 to set expectations for how the HHS Office for Civil Rights can investigate HIPAA compliance complaints and violations. The Enforcement Rule also gives HHS the authority to issue fines or bring criminal charges against covered entities whose violations occur frequently, aren’t corrected within 30 days, or result in “serious harm” to an individual.
HIPAA restrictions do not apply in situations where an individual discloses their own health data voluntarily, unless they are disclosing it to a covered entity. For example, if a patient sends a tweet about their medical treatment, Twitter is not subject to HIPAA compliance. Similar examples include a user’s search history related to a health condition, and the data collected from a wearable fitness tracker.
Additionally, there are some organizations that handle health data but are not expected to comply with HIPAA regulations. These include employers, most law enforcement agencies, and most schools and school districts. It’s worth noting, however, that health records managed by schools and school districts are usually protected by the Family Educational Rights and Privacy Act (FERPA).
During the COVID-19 pandemic, the HHS Office for Civil Rights announced it would not impose HIPAA penalties against covered health care providers using remote communication technologies to provide telehealth services. This includes doctors who use popular tools like Zoom, Skype, and FaceTime to speak with patients for non-emergency needs, regardless of whether the tools are HIPAA compliant.
HHS also issued guidance for reporting COVID-related PHI to public health authorities. Under this guidance, HHS permits covered entities to disclose positive COVID-19 test results to state and local health departments, the CDC, or HHS itself.
This article was updated May 2021 by Kaiti Norton.