HIPAA (Health Insurance Portability and Accountability Act)

With the growing use of paperless forms, electronic information transfer and storage have become the norm. This is true of our medical information as well. So, how do we know that our sensitive medical records are being kept private? Thanks to a federal law entitled the Health Insurance Portability and Accountability Act (HIPAA), health plans, health care providers, and health care clearinghouses are required to abide by a set of standards to protect your data. While this law does offer protection for certain things, there are some companies that are not required to follow these standards. Keep reading to find out where the loopholes are and how you are protected by this law.

What is the HIPAA Law and Privacy Rule?

Although HIPAA and its Privacy and Security Rules have been around since 1996, there have been many revisions and changes over the years to keep up with evolving health information technology. HIPAA and the HIPAA Privacy Rule set the standards that protect sensitive patient information by establishing rules for electronic exchange as well as for the privacy and confidentiality of medical records and information held by health care providers, health care clearinghouses, and health plans. In accordance with HIPAA, the Administrative Simplification Rules were created to safeguard patient privacy. They allow information that is medically necessary to be shared while also maintaining the patient's privacy rights. The majority of professionals in the health care industry are required to comply with the HIPAA regulations and rules.

Why do we have the HIPAA Act and Privacy Rule?

The original goal of HIPAA was to make it easier for patients to keep their health insurance coverage. This is ultimately why the Administrative Simplification Rules were created: to simplify administrative procedures and keep costs at a reasonable level. Because of the many exchanges of medical information between insurance companies and health care providers, the HIPAA Act aims to keep the healthcare industry's handling of patient records and documents simple, and it places a high importance on maintaining patients' protected health information.

HIPAA Titles

The Health Insurance Portability and Accountability Act, a federal law which was designed to safeguard healthcare data from data breaches, has five titles. Here is a description of each title:

  • Title I: HIPAA Health Insurance Reform: The objective of Title I is to help individuals maintain health insurance coverage in the event that they lose or change jobs. It also prevents group health plans from rejecting applicants from being covered for having specific chronic illnesses or pre-existing conditions. 
  • Title II: HIPAA Administrative Simplification: Title II holds the U.S. Department of Health and Human Services (HHS) responsible for setting national standards for processing electronic healthcare transactions. In accordance with this title, healthcare organizations must implement data security for health data transactions and maintain HIPAA compliance with the rules set by HHS. 
  • Title III: HIPAA Tax-Related Health Provisions: This title covers the national standards regarding tax-related provisions as well as the general rules and principles relating to medical care.  
  • Title IV: Application and Enforcement of Group Health Plan Requirements: Title IV elaborates further on issues related to health insurance coverage and reform, one key point being for patients with pre-existing conditions. 
  • Title V: Revenue Offsets:  This title has provisions regarding company-owned life insurance policies as well as how to handle situations in which individuals lose their citizenship due to issues with income taxes. 

In day-to-day conversation, when you hear someone bring up HIPAA compliance, they are most likely referring to Title II. To become compliant with HIPAA Title II, the health care industry must follow these provisions:

  • National Provider Identifier Standard: Every healthcare entity is required to have a unique 10-digit national provider identifier number, otherwise known as an NPI. 
  • Transactions and Code Sets Standard: Healthcare organizations are required to follow a set of standards pertaining to electronic data interchange (EDI) to be able to submit and process insurance claims.  
  • HIPAA Privacy Rule: This rule sets national standards that help to protect patient health information.
  • HIPAA Security Rule: This rule establishes the standards for patient data security. 

What information is protected by HIPAA?

The HIPAA Privacy Rule safeguards all individually identifiable health information obtained or transferred by a covered entity or business associate, whether that information is stored or transmitted electronically, on paper, or orally. Under the Privacy Rule, individually identifiable health information is referred to as protected health information (PHI). 

Examples of PHI are:

  • Personal identifying information such as the name, address, birth date and Social Security number of the patient. 
  • The mental or physical health condition of a person.
  • Certain information regarding payment for treatments.

HIPAA penalties

Health industries and professionals should take extra caution to prevent HIPAA violations. If a data breach occurs or if there is a failure to give patients access to their PHI, it could result in a fine. 

There are several types of HIPAA violations and penalties including:

  • Accidental HIPAA violations could result in a $100 fine for an isolated incident and up to $25,000 for repeat offenses.
  • Situations in which there is reasonable cause for the HIPAA violation could result in a $1,000 fine and up to $100,000 annually for repeat violations.
  • Willfully neglecting HIPAA can cost anywhere between $10,000-$50,000 and $250,000-$1.5 million, depending on whether it was an isolated occurrence and whether it was corrected within a specific timeframe. 

The largest penalty one could receive for a HIPAA violation is $50,000 per violation and $1.5 million per year for repeated offenses.