
What is HIPAA? Understanding the Health Insurance Portability and Accountability Act

If you have ever attempted to get a hold of someone’s medical documents, then you might have butted up against HIPAA. The Health Insurance Portability and Accountability Act was introduced in 1996 with two main goals in mind: to address the loss of insurance coverage for individuals between jobs and to prevent healthcare fraud. HIPAA has largely been positive, though some see it as an inconvenience. Still, while it might seem like a bother to you, it is a very serious matter for many industry professionals, as neglecting to follow HIPAA rules can lead to massive fines, loss of face, and (for many lower-level employees) a swift firing.

As such, it is important to know what HIPAA is all about, including how to gain access to medical information without running into issues.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 in an effort to increase privacy surrounding medical information and reduce health care fraud and abuse. It set industry-wide standards for health care information in electronic billing and other processes, while also granting millions of American workers and their families the ability to transfer and continue health insurance coverage when they change or lose their jobs.1

It also established new rules designed to protect what it refers to as “protected health information” (PHI). This includes any medical information that could specifically identify a person. Outside of certain circumstances, HIPAA prevents various entities and organizations from disclosing PHI unless they obtain the written consent of the patient.

The Three Rules

HIPAA contains three main rules for protecting patient health information. These rules are:

  • The Privacy Rule
  • The Security Rule
  • The Breach Notification Rule

These three rules are uniform across the United States, serving as national standards for protecting any health information that could be used to identify a person.

  1. The Privacy Rule

The purpose of the Privacy Rule is simple: to determine the right of access to one’s Protected Health Information. Specifically, it guarantees that patients can access their records for a reasonable price and in a timely manner while creating additional requirements for others looking to access this information.2 It also determines which organizations must follow the HIPAA standards, what qualifies as PHI, and the permitted practices for the usage and disclosure of PHI. Healthcare entities covered by HIPAA include most official health plans, health care providers or clearinghouses, and business associates who conduct healthcare transactions for covered entities.

  2. The Security Rule

The Security Rule sets the standards for the protection of PHI in electronic form (ePHI), requiring entities to have appropriate administrative, physical, and technical safeguards in place to ensure the confidentiality, integrity, and security of electronic protected health information.3 All healthcare providers who use ePHI, and their business associates, are covered and must follow the Security Rule. This means that they must protect all ePHI that they create, receive, store, or send.

Any organization covered under HIPAA’s Security Rule must ensure the confidentiality and availability of the PHI, protecting it against all threats to its security and integrity. This includes adopting suitable policies and practices, training employees to better ensure compliance, and performing regular risk analysis to mitigate potential dangers. It is recommended that organizations conduct a risk analysis annually, as new risks are always emerging.4

  3. The Breach Notification Rule

Under HIPAA, any and all PHI uses or disclosures that aren’t permitted under the Privacy Rule are considered a breach. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate can demonstrate, based on a risk assessment, that there is a low probability that the protected health information has been compromised.5 As such, the Breach Notification Rule requires covered entities to send alerts upon discovery of a breach. Once a covered entity becomes aware of a breach, the alerts have to be sent within the next 60 days.6 Covered entities are required to alert the affected individuals and the Department of Health and Human Services (HHS), along with any related business associates.

Knowing What You’re Getting Into

For some, HIPAA’s security requirements can be a source of frustration. For instance, parents of children who have recently turned 18 might be frustrated to find that they no longer have immediate access to their child’s medical information, even if the child winds up in a serious accident. Situations like this can make the law seem like a problem to be navigated rather than a source of protection.

Still, it is important to remember that at the end of the day, HIPAA exists for the sake of patients. While navigating its privacy requirements can be a challenge sometimes, if you are aware of these issues ahead of time, you can plan accordingly. It typically isn’t difficult to get a HIPAA release form if you need it, and when you realize just how much information hospitals and other health care organizations have on your loved ones, you’ll probably realize why it isn’t more easily accessible.

Just know what you’re getting into and you can mitigate the worst parts of the process.


1.  Department of Health Care Services. (n.d.). Health Insurance Portability & Accountability Act. What is HIPAA?

2.  Office for Civil Rights. (2020, December 10). HIPAA – The Privacy Rule.

3.  Office for Civil Rights. (2020, September 23). HIPAA – The Security Rule.

4.  Office for Civil Rights. (2020, September 23).

5.  Office for Civil Rights. (2013, January 26). HIPAA – The Breach Notification Rule.

6.  Office for Civil Rights. (2013, January 26).

About the author


Founder/Attorney, CCSK Law
I create customized solutions for families to address their planning needs.
I provide plans clients understand. Also, they make sure they know when to use them, and do so affordably. I love the opportunity to break through the legal jargon to clarify issues. We find success when we work through a person’s situation and put the law to work for them.
