Updated by Kaiti Norton
The Health Insurance Portability and Accountability Act (HIPAA) is a piece of federal legislation in the United States that provides national standards for protecting the privacy of personal health data. It prevents health care providers, insurers, and other official entities from disclosing sensitive information about a patient’s health without the patient’s knowledge and consent.
History of HIPAA
HIPAA was signed into law by President Bill Clinton in 1996. It was created to address the evolving threats to patient privacy and set standards for sharing protected health information (PHI) as safely and efficiently as possible.
At the time, Congress recognized the potential issues that could arise with the digitization of healthcare data, so additional protections had to be added to keep pace with the changing landscape of healthcare technology. Because of this, the legislation didn’t take full effect until 2002.
In 2013, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the Final Omnibus Rule. This rule expanded jurisdiction to business associates who work with PHI, including contractors or subcontractors. It also provided clarification for the distinction between a security incident and a security breach, as well as when a covered entity is required to report a breach.
Protected health information
Protected health information (PHI) is any information that connects an individual’s identity to their health data. This includes but is not limited to:
- Personally identifiable information (PII), including a patient’s name, date of birth, mailing address, email address, IP address, or insurance member ID
- Financial records related to health care that could be tied back to the individual
- Medical records related to tests, diagnoses, treatments, or other health services
PHI does not include employment records or information that cannot be traced back to an individual. Health data that has been stripped of identifying information is used in research to identify public health trends, improve care, and support healthcare legislation. HIPAA outlines two different ways of de-identifying PHI so it can be used without risking patient privacy: the Expert Determination method and the Safe Harbor method.
The Expert Determination method involves consulting a statistician or other expert who can determine how many direct identifiers can be removed while maintaining a “very small” risk that the health data could be used to identify the individual patient. This method requires documentation of the expert’s analysis to justify the determination.
The second option, called the Safe Harbor method, involves removing all of the following 18 direct identifiers from health data:
- Geographic subdivisions smaller than a state (street address, ZIP code, etc.)
- All elements of dates tied to an individual, including date of birth and admission date
- Telephone numbers
- Vehicle identifiers, including serial numbers and license plate numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Social Security numbers
- IP addresses
- Medical record numbers
- Biometric identifiers, including fingerprints
- Health plan beneficiary numbers
- Full-face photos or similar images
- Account numbers
- Certificate/license numbers
- Any other unique identifying number, characteristic, or code
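As an added illustration that is not part of the original article, the following Python function applies the Safe Harbor idea to a constructed patient record: structured fields matching the list above are dropped outright, and free-text fields are scanned for a few identifier patterns (SSN, phone, email, IP address, dates). The field names, the regular expressions and the sample record are all assumptions made for the example.

```python
import re

# Constructed mapping of record field names to the Safe Harbor identifier
# categories listed above; any field in this set is removed entirely.
SAFE_HARBOR_FIELDS = {
    "street_address", "zip_code", "city", "county",        # geography below state
    "date_of_birth", "admission_date", "discharge_date",   # dates tied to the individual
    "phone", "fax", "email", "ssn", "ip_address",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_vin", "license_plate", "device_serial",
    "fingerprint_template", "face_photo",
}

# Identifiers that commonly leak inside free-text notes. These patterns are
# assumptions for the example; "any other unique identifying code" from the
# list cannot be caught by a fixed regex and needs a data-specific review.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]


def redact_text(text):
    """Replace identifier-looking substrings in free text with a labelled marker."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label} REMOVED]", text)
    return text


def safe_harbor_deidentify(record):
    """Drop listed identifier fields and scrub remaining string fields."""
    cleaned = {}
    for key, value in record.items():
        if key in SAFE_HARBOR_FIELDS:
            continue  # the whole field is a direct identifier
        cleaned[key] = redact_text(value) if isinstance(value, str) else value
    return cleaned


# Constructed sample record (not real patient data) for a stand-alone run.
SAMPLE_RECORD = {
    "state": "OH",
    "zip_code": "44101",
    "date_of_birth": "1984-03-12",
    "ssn": "123-45-6789",
    "diagnosis": "Type 2 diabetes",
    "notes": "Called from 216-555-0142 on 3/4/2021; follow up at jdoe@example.com",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD))
```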
HIPAA covered entities
HIPAA guidelines and requirements apply to four types of entities that work with patient PHI:
- Health care providers: doctors, nurses, and other medical personnel
- Health plans: insurance providers, health maintenance organizations (HMOs), Medicare, Medicaid, and other organizations that provide or pay the cost of care
- Health care clearinghouses: billing services, community health information systems, and other public or private organizations that process health data
- Business associates: data analysts, actuaries, lawyers, or other individuals or organizations who interact with PHI on behalf of another covered entity
The HIPAA legislation is outlined in five titles.
Title I: HIPAA Health Insurance Reform
This title protects health insurance coverage for workers who lose their job or get a new job at a different company. This is known as health insurance portability. It prevents group health plans from denying coverage based on pre-existing conditions or any other type of discrimination against employees or their dependent family members based on health factors. It also ensures individuals have opportunities to enroll in a group health plan or change their coverage if they experience certain life events like getting married, becoming a parent, or turning 26 years old.
Title II: HIPAA Administrative Simplification
This title requires HHS to create national standards for:
- Electronic health care transactions, such as a doctor’s office filing a claim with an insurance provider to receive payment for a patient’s office visit
- Code sets, which are used to simplify the process of classifying and identifying medical diagnoses, procedures, tests, treatments, equipment, and supplies
- Unique identifiers, which enable traceability for health care transactions among health care providers, health plans, employers, and patients
Title III: HIPAA Tax Related Health Provisions
This title designates how much money an individual may contribute pre-tax to a medical savings account (MSA). These accounts are coupled with high-deductible health plans (HDHPs), which come with lower monthly premiums and higher deductibles. MSAs function similarly to health savings accounts (HSAs), which were introduced under separate legislation in 2003.
Title IV: Application and Enforcement of Group Health Plan Requirements
This title defines insurance reform for group health plans, including those for individuals with pre-existing conditions and continual coverage requirements through COBRA.
Title V: Revenue Offsets
This title includes provisions for company-owned life insurance and repeals interest allocation rules for financial institutions. It also expands an expatriation tax to individuals who are deemed to be giving up their U.S. citizenship for tax reasons.
What is HIPAA compliance?
HIPAA compliance is sometimes a moving target. Since Congress introduced the legislation in 1996, HHS has added rules to HIPAA Title II to clarify what organizations need to do to maintain HIPAA compliance.
HIPAA Privacy Rule
The Standards for Privacy of Individually Identifiable Health Information, also known as the Privacy Rule, took effect in 2003 to set standards for the protection of PHI. This rule defines the circumstances under which PHI can be used or shared, as well as the appropriate means for using or sharing it. It also limits the actions covered entities can take with PHI if the patient hasn’t provided express authorization for it to be used.
HIPAA Security Rule
The Security Standards for the Protection of Electronic Protected Health Information, also known as the Security Rule, took effect in 2003 alongside the Privacy Rule. This rule standardizes three types of security measures across all covered entities:
- Administrative security, which includes the documented processes and procedures an organization must have in place to show preparedness for security incidents and breaches
- Physical security, which includes the treatment of hardware and software in relation to an organization’s network, user access permissions, and broader facility security measures
- Technical security, which includes data encryption, user authentication, activity logging, and documented risk management programs
HIPAA Enforcement Rule
Last but not least, HHS introduced the Enforcement Rule in 2006 to set expectations for how the HHS Office for Civil Rights can investigate HIPAA compliance complaints and violations. The Enforcement Rule also gives HHS the authority to issue fines or bring criminal charges against covered entities whose violations occur frequently, aren’t corrected within 30 days, or result in “serious harm” to an individual.
What HIPAA doesn’t cover
HIPAA restrictions do not apply in situations where an individual discloses their own health data voluntarily, unless they are disclosing it to a covered entity. For example, if a patient sends a tweet about their medical treatment, Twitter is not subject to HIPAA compliance. Similar examples include a user’s search history related to a health condition, and the data collected from a wearable fitness tracker.
Additionally, there are some organizations that handle health data but are not expected to comply with HIPAA regulations. These include employers, most law enforcement agencies, and most schools and school districts. It’s worth noting, however, that health records managed by schools and school districts are usually protected by the Family Educational Rights and Privacy Act (FERPA).
HIPAA and COVID-19
During the COVID-19 pandemic, the HHS Office for Civil Rights announced it would not impose HIPAA penalties against covered health care providers using remote communication technologies to provide telehealth services. This includes doctors who use popular tools like Zoom, Skype, and FaceTime to speak with patients for non-emergency needs, regardless of whether the tools are HIPAA compliant.
HHS also issued guidance for reporting COVID-related PHI to public health authorities. Under this guidance, HHS permits covered entities to disclose positive COVID-19 test results to state and local health departments, the CDC, or HHS itself.
This article was updated May 2021 by Kaiti Norton.