NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.
StatPearls [Internet]. Treasure Island (FL): StatPearls Publishing; 2024 Jan-.
Peter F. Edemekong; Pavan Annamaraju; Micelle J. Haydel.
Last Update: February 12, 2024.
Protected health information breaches affected over 176 million patients in the United States from 2009 to 2020. Most of these breaches resulted from employee carelessness and failure to comply with HIPAA rules rather than from external attackers.[1]
The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Kennedy–Kassebaum Act, or Kassebaum–Kennedy Act) consists of 5 Titles.[2][3][4]
Title I: Protects health insurance coverage for workers and their families who change or lose jobs. It limits new health plans' ability to deny coverage due to a pre-existing condition.
Title II: Addresses healthcare fraud and abuse prevention, medical liability reform, and administrative simplification, which requires national standards for electronic healthcare transactions and national identifiers for providers, employers, and health insurance plans.
Title III: Guidelines for pre-tax medical spending accounts. It provides changes to health insurance law and deductions for medical insurance.
Title IV: Guidelines for group health plans. It provides modifications for health coverage.
Title V: Governs company-owned life insurance policies. Makes provisions for the tax treatment of people who give up United States citizenship and repeals the financial institution rule for interest allocation.
Questions to Consider
Why was the Health Insurance Portability and Accountability Act (HIPAA) established?
The statute focuses on creating confidentiality systems within and beyond healthcare facilities. The goal is to keep protected health information private.
Whom does HIPAA cover?
- All persons working in a healthcare facility or private office
- Non-patient care employees
- Health plans (e.g., insurance companies)
- Billing companies
- Electronic medical record companies
What are the primary HIPAA goals?
- To limit the use of protected health information to those with a "need to know"
- To penalize those who do not comply with confidentiality regulations
What health information is protected?
Any healthcare information with an identifier that links a specific patient to healthcare information (name, social security number, telephone number, email address, street address, among others)
Differentiate between HIPAA privacy rules, use, and disclosure of information.
- Use: how information is used within a healthcare facility
- Disclosure: how information is shared outside a healthcare facility
- Privacy rules: patients must give signed consent for the use or disclosure of their personal information
What are the legal exceptions when healthcare professionals can breach confidentiality without permission?
- Gunshot wound
- Stab wound
- Injuries sustained in a crime
- Child or elderly abuse
- Infectious, communicable, or reportable diseases
What types of data does HIPAA protect?[5]
- Written, paper, spoken, or electronic data
- Transmission of data within and outside a healthcare facility
- This applies to anyone or any institution involved with the use of healthcare-related data
- Data size does not matter
What types of electronic devices must facility security systems protect?
- Both hardware and software
- Systems must also guard against unauthorized access to healthcare data or devices (for example, by requiring users to change passwords at defined intervals)
What are the qualifications and jobs of a HIPAA security officer?
- IT background
- Document and maintain security policies and procedures
- Audit the systems
- Perform risk assessments and verify compliance with policies and procedures
What does a security risk assessment entail?
- Should be undertaken at all healthcare facilities
- Assess the risk of malware infection and intrusion by hackers
- Create safeguards against the identified risks
What are physical safeguards?
- Secure printers, fax machines, and computers
- Locks on computer and record rooms
- Destroy sensitive information when it is no longer needed
What type of employee training for HIPAA is necessary?
- Ideally, under the supervision of the security officer
- The level of access increases with responsibility
- Annual HIPAA training with updates, mandatory for all employees
What type of reminder policies should be in place?
- E-mail alerts and posters
- Log-on and log-off computer notices
How should a sanctions policy for HIPAA violations be written?
- Clear, unambiguous, plain-English policy
- Applies equally to all employees and contractors
- Sale of information results in termination
- Repeat offenses increase the punishment
What discussions regarding patient information may be conducted in public locations?
- Conversational information is covered by confidentiality/HIPAA
- Do not talk about patients or protected health information in public locations
How do you protect electronic information?
- Point computer screens away from the public
- Use privacy sliding doors at the reception desk
- Never leave protected health information unattended
- Log off workstations when leaving an area
How do you ensure password protection?
- Do not share the password
- Do not write down the password
- Do not verbalize the password
- Do not email your password
How do you select a safe password?
- Do not select consecutive digits
- Do not select information that can be easily guessed
- Choose something that can be remembered but not guessed
What is the function of HIPAA?
In passing HIPAA, Congress required the establishment of federal standards for the security of electronic protected health information (ePHI). The standards must ensure the confidentiality, integrity, and availability of health information, protecting each individual's health information while allowing healthcare providers, clearinghouses, and health plans the access they need for continued medical care.[6][7][8]
Security standards were needed because of the growth in the exchange of protected health information between covered and non-covered entities. The standards mandated in the Security Rule are intended to ensure the availability, integrity, and confidentiality of ePHI while permitting appropriate access to that information by healthcare providers, clearinghouses, and health insurance plans. State laws with more stringent requirements are not displaced by the federal rule; where a state standard is stricter, it applies over and above the federal security standard.
Healthcare providers, health plans, and business associates have a strong tradition of safeguarding private health information, but the old system of paper records locked in cabinets is no longer sufficient. With information broadly held and transmitted electronically, the rule provides clear national standards for protecting electronic health information.[9][10]
There are 5 HIPAA sections of the act, known as titles.[11][12][13][14]
Title I. Focus on Healthcare Access, Portability, and Renewability
Regulates the availability of group and individual health insurance policies. Title I modified the Employee Retirement Income Security Act, the Public Health Service Act, and the Internal Revenue Code.
Requires the coverage of and limits the restrictions that a group health plan places on benefits for preexisting conditions. Group health coverage may only refuse benefits related to preexisting conditions for 12 months after enrollment or 18 months for late enrollment.
Enables individuals to limit the exclusion period, considering how long they were covered before enrolling in the new plan after any periods of a break in coverage.
Includes "creditable coverage," which applies to nearly all group and individual health plans, Medicare, and Medicaid.
Defines a "significant break" as any period of 63 consecutive days without creditable coverage. It allows premiums to be tied to body mass index or to avoiding tobacco use.
Requires insurers to issue policies without exclusion to those leaving group health plans with creditable coverage exceeding 18 months. Insurers must also renew individual policies for as long as they are offered, or provide alternatives to discontinued plans for as long as the insurer stays in the market, without exclusion and regardless of health condition.
Title II. Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Establishes policies and procedures for maintaining privacy and security of individually identifiable health information, outlines offenses, and creates civil and criminal penalties for violations.
Creates programs to control fraud and abuse and establishes the Administrative Simplification rules.
Requires the Department of Health and Human Services (HHS) to increase the efficiency of the healthcare system by creating standards.
HHS initiated five rules to enforce Administrative Simplification: (1) Privacy Rule, (2) Transactions and Code Sets Rule, (3) Security Rule, (4) Unique Identifiers Rule, and (5) Enforcement Rule.
Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by "covered entities": healthcare clearinghouses, health insurers, employer-sponsored health plans, and medical providers. Upon request, a covered entity must disclose an individual's PHI to that individual within 30 days. Covered entities must also disclose PHI when required by law, such as to support an investigation of suspected child abuse.
Covered entities may disclose PHI to law enforcement if requested by court orders, subpoenas, and administrative requests.
A covered entity may reveal PHI to facilitate treatment, payment, or healthcare operations without a patient's written authorization.
Any other disclosure of PHI requires the covered entity to obtain prior written authorization.
When a covered entity discloses PHI, it must make a reasonable effort to share only the minimum necessary information.
The Privacy Rule gives individuals the right to demand that a covered entity correct any inaccurate PHI and take reasonable steps to ensure the confidentiality of communications with individuals.
The Privacy Rule requires covered entities to notify individuals of PHI use, keep track of disclosures, and document privacy policies and procedures.
2013 Omnibus Rule update: The revised definition of "significant harm" in breach analysis requires covered entities to investigate more thoroughly and to report breaches that previously went unreported. Protection of PHI was changed from indefinite to 50 years after death. Certain Privacy Rule requirements may be waived during a natural disaster.
Right to access: The Privacy Rule requires medical providers to give individuals access to their PHI when they request it in writing. A provider has 30 days to provide a copy of the information. The individual may request the information in electronic form or as a hard copy.
Individuals have the right to access all health-related information (except psychotherapy notes of a provider and information gathered by a provider to defend against a lawsuit).
Providers may charge a reasonable amount for copying costs. However, no charge is allowable when providing data electronically from a certified electronic health record (EHR) using its "view, download, and transmit" capability.
Individuals may ask for delivery by encrypted or unencrypted email, physical media, direct messaging, or other methods. An individual must understand and accept the data transfer risks when choosing unencrypted delivery.
Individuals may request in writing that their PHI be delivered to a third party.
Individuals may also request in writing that their provider send PHI to a designated service used to collect or manage their records, such as a personal health record application.
Relative disclosure: Hospitals often decline to reveal information over the phone to relatives of admitted patients. This has impeded the location of missing persons; after airline crashes, for example, hospitals have been reluctant to disclose the identities of passengers being treated, making it difficult for relatives to locate them.
Transactions and Code Sets Rule
HIPAA was created to improve healthcare system efficiency by standardizing healthcare transactions. It added a new Part C, "Administrative Simplification," to Title XI of the Social Security Act, which requires health plans to standardize healthcare transactions.
For example, medical providers who file for reimbursements must file electronic claims using HIPAA standards to be paid.
Security Rule
The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all PHI, the Security Rule is limited to ePHI. It lays out three security safeguards: administrative, physical, and technical.
Administrative safeguards: Policies and procedures designed to show clearly how the entity will comply with the act. Covered entities must adopt a written set of privacy procedures and designate a privacy officer (and, under the Security Rule, a security official) responsible for developing and implementing the required policies and procedures. The procedures must identify the classes of employees with access to ePHI and restrict access to those who need it to perform their job function (least privilege), and they must address access authorization, establishment, modification, and termination. Entities must show appropriate ongoing training for handling PHI. Covered entities must back up their data and have disaster recovery procedures. Internal audits are required to review operations and identify security violations. Procedures should document how to address and respond to security breaches.
Physical safeguards: Procedures must control physical access to protected data, including how hardware and software are introduced to and removed from the network, and limit such access to authorized individuals. Procedures must also control and monitor access to equipment containing PHI. Workstations must be positioned so that monitor screens are out of direct public view. If covered entities use contractors or agents, they too must be thoroughly trained on PHI handling.
Technical safeguards: Safeguards include controlling access to computer systems and enabling covered entities to protect communications containing ePHI over open networks.
Information systems housing PHI must be protected from intrusion, and data within a system must not be changed or erased without authorization. Integrity controls, including checksums, double-keying, message authentication codes, and digital signatures, must be used to ensure data integrity and to authenticate the entities with which a system communicates. Note that an unkeyed checksum detects accidental corruption only; an attacker who can alter a record can simply recompute it, so detecting deliberate tampering requires a keyed message authentication code or a digital signature whose key the attacker does not hold.
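The following Python example is added here to illustrate that distinction; it is not code from the original article or from any HIPAA guidance. It stores a constructed, fictional patient record alongside an unkeyed SHA-256 checksum and an HMAC-SHA256 tag, then models an attacker who can write to the record store but does not hold the MAC key. The record fields, the key handling, and the attacker model are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record for a fictional patient (assumption; not real data).
RECORD = {
    "mrn": "000123",
    "name": "Test Patient",
    "dob": "1970-01-01",
    "allergies": ["penicillin"],
}


def canonical(record):
    """Serialize a record deterministically so equal data always yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record):
    """Unkeyed SHA-256 over the record: catches accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def mac(record, key):
    """HMAC-SHA256 over the record: producing a valid tag requires the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record, stored_checksum):
    return hmac.compare_digest(checksum(record), stored_checksum)


def verify_mac(record, key, tag):
    """Constant-time comparison so the check does not leak tag bytes via timing."""
    return hmac.compare_digest(mac(record, key), tag)


def store_record(record, key):
    """What a covered entity would persist: the record plus both integrity values."""
    return {"record": dict(record), "checksum": checksum(record), "mac": mac(record, key)}


def attacker_rewrites(stored):
    """Attacker model (assumption): can read and write the stored entry but lacks the MAC key.
    Erases the allergy list and recomputes whatever integrity values can be recomputed."""
    forged = dict(stored["record"], allergies=[])
    return {
        "record": forged,
        "checksum": checksum(forged),          # unkeyed: trivially recomputed
        "mac": mac(forged, b"wrong-key"),      # keyed: cannot be recomputed without the real key
    }


def demo():
    """Return which integrity mechanisms accept the original and the forged record."""
    key = secrets.token_bytes(32)  # MAC key held by the verifier, never written to the record store
    stored = store_record(RECORD, key)
    forged = attacker_rewrites(stored)
    return {
        "original_passes_mac": verify_mac(stored["record"], key, stored["mac"]),
        "forgery_passes_checksum": verify_checksum(forged["record"], forged["checksum"]),
        "forgery_passes_mac": verify_mac(forged["record"], key, forged["mac"]),
        "forgery_still_has_allergies": bool(forged["record"]["allergies"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A digital signature fills the same role as the HMAC here but lets any holder of the public key verify the record without sharing a secret, which is what matters when the receiving system belongs to a different covered entity or business associate.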
Entities must make documentation of their HIPAA practices available to the government. Information technology documentation should include a written record of all configuration settings on the network components.
Documented risk analysis and risk management programs are required.
Unique Identifiers Rule (National Provider Identifier, NPI)
HIPAA-covered entities such as providers completing electronic transactions, healthcare clearinghouses, and large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions.
The NPI replaces all other identifiers used by health plans, Medicare, Medicaid, and other government programs, but it does not replace a provider's DEA number, state license, or tax identification number. The NPI is a 10-digit numeric identifier whose last digit is a check digit. The NPI carries no embedded intelligence; it is a number with no additional meaning. It is unique and national and is never reused, and, except for institutions, a provider can usually have only one. An institution may obtain multiple NPIs for different "subparts," such as a free-standing surgery or wound care center.
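The check digit mentioned above is computed with the Luhn formula over the constant prefix 80840 (the card-issuer identifier CMS assigned so an NPI can also appear on a standard health identification card) followed by the nine-digit base; that is the CMS-specified method, not an assumption. The Python below is an added example, not code from the original article or from CMS, showing how a claims system can reject a mistyped or mangled NPI before it reaches a transaction. The sample identifiers are constructed: 1234567893 matches the worked example in the CMS check-digit specification, and the others are deliberate corruptions of it.

```python
import re

# Constant card-issuer prefix that CMS prepends before computing the Luhn check digit.
NPI_PREFIX = "80840"


def luhn_check_digit(payload):
    """Luhn check digit for a string of digits: the digit that makes payload+digit valid."""
    total = 0
    # Walk from the right: the rightmost payload digit is doubled, then every second digit.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # equivalent to summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(base9):
    """Check digit for a 9-digit NPI base, per the CMS method (Luhn over 80840 + base)."""
    if not re.fullmatch(r"\d{9}", base9):
        raise ValueError("NPI base must be exactly 9 digits")
    return luhn_check_digit(NPI_PREFIX + base9)


def is_valid_npi(npi):
    """True iff npi is 10 digits (after stripping spaces/hyphens) and the check digit matches."""
    cleaned = re.sub(r"[\s-]", "", npi)
    if not re.fullmatch(r"\d{10}", cleaned):
        return False
    return npi_check_digit(cleaned[:9]) == int(cleaned[9])


def single_digit_errors_detected(npi):
    """Luhn catches every single-digit substitution: mutate each position to every other
    value and confirm none of the 90 variants validates."""
    for pos in range(10):
        for d in "0123456789":
            if d != npi[pos]:
                mutated = npi[:pos] + d + npi[pos + 1:]
                if is_valid_npi(mutated):
                    return False
    return True


if __name__ == "__main__":
    # Constructed samples; the first is the CMS worked example, the rest are corruptions of it.
    for sample in ["1234567893", "1234-5678-93", "1234567894", "2134567893", "123456789", "12345A7893"]:
        print(sample, "valid" if is_valid_npi(sample) else "invalid")
```

The check digit only guards against transcription errors (single mistyped digits and most adjacent transpositions); it says nothing about whether the provider exists or is enrolled, which requires a lookup against the NPPES registry.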
Enforcement Rule
The Enforcement Rule sets civil monetary penalties for violating HIPAA rules and establishes procedures for investigations and hearings into HIPAA violations. The US Department of Health and Human Services has investigated over 20,000 cases that were resolved by requiring changes in privacy practice or other corrective action.
If noncompliance is determined, entities must apply corrective measures. Complaints have been investigated against pharmacy chains, major healthcare centers, insurance groups, hospital chains, and small providers.
According to the HHS, the following issues have been reported according to frequency:
- Misuse and disclosures of PHI
- No protection in place for health information
- Patients unable to access their health information
- Using or disclosing more than the minimum necessary PHI
- No safeguards for ePHI
The most common entities required to take corrective action, according to HHS, are listed below by frequency:
- Private practices
- Outpatient facilities
- Group insurance plans
- Pharmacies
Title III. Tax-Related Health Provisions Governing Medical Savings Accounts
Standardizes the amount that may be saved per person in a pre-tax medical savings account.
Makes medical savings accounts available to employees covered under an employer-sponsored high-deductible plan for small employers and to self-employed individuals.
Title IV. Application and Enforcement of Group Health Insurance Requirements
Title IV specifies conditions for group health plans regarding coverage of persons with preexisting conditions and modifies continuation-of-coverage requirements, including clarifications of COBRA continuation coverage.
Title V. Revenue Offset Governing Tax Deductions for Employers
Provides rules for company-owned life insurance, prohibiting the tax deduction of interest on life insurance loans, company endowments, or contracts related to the company.
Repeals the financial institution rule for interest allocation.
Amends provisions of law relating to people who give up United States citizenship or permanent residence, expanding the expatriation tax to be assessed against those deemed to be giving up their US status for tax reasons.
It produces former citizens' names as part of the public record by creating the Quarterly Publication of Individuals Who Have Chosen to Expatriate.
HIPAA Privacy and Security Rules have substantially changed how medical institutions and health providers function. The complex legalities, severe civil and financial penalties, and increased paperwork and implementation costs have substantially impacted health care. All health professionals must be trained in HIPAA and understand the potential pitfalls and acts that can lead to a violation.[15][16]
Clinical Care Effects
HIPAA, combined with stiff penalties for violation, may result in medical centers and practices withholding life-saving information from those who have a right to it and need it at a crucial moment. In a review of the HIPAA Privacy Rule, the US Government Accountability Office found that healthcare providers were "uncertain about their legal privacy responsibilities and often responded with an overly guarded approach to disclosing information." Ultimately, the solution is education of all healthcare professionals and their support staff so that they fully appreciate when PHI can be legally released.
Education and Training Effects
Education and training of healthcare providers and students are needed to implement the HIPAA Privacy and Security Rules. Practical training must describe the regulatory background and purpose of HIPAA and review the principles and key provisions of the Privacy Rule.
Research Effects
HIPAA restrictions on research have affected the ability to perform chart-based retrospective research. This has made it challenging to evaluate patients prospectively for follow-up.[12][17]
HIPAA Privacy rules have resulted in as much as a 95% drop in follow-up surveys completed by patients being followed long-term.
Recruitment of patients for cancer studies has led to a more than 70% decrease in patient accrual and a tripling of time spent recruiting patients and mean recruitment costs.
The legal language required for research studies is now extensive due to the need to protect participants' health information. While such information is important, a lengthy legalistic section may make these complex documents less user-friendly for those asked to read and sign them.
Many researchers believe that HIPAA privacy laws harm the cost and quality of medical research.[8]
The HIPAA Privacy and Security Rules require all covered medical centers and practices to comply. The costs of developing and revamping systems and practices, together with increased paperwork and staff education time, have strained the finances of medical centers and practices at a time when insurance and Medicare reimbursements have decreased. Ultimately, the cost of violating the statutes is so substantial that scarce resources must be devoted to ensuring an institution is compliant and its employees understand the statutory rules.
Conclusions
HIPAA is a potential minefield of violations that almost any medical professional can commit. Staff with less education and understanding can easily violate these rules during the normal course of work. While a small percentage of criminal violations involve personal gain or nosy behavior, most are momentary lapses resulting in costly mistakes. Writing an incorrect address, phone number, email, or text on a form or expressing protected information aloud can jeopardize a practice. HIPAA education and training are crucial, as well as designing and maintaining systems that minimize human mistakes.[18][19][20]
Violations of HIPAA
For an individual who unknowingly violates HIPAA: $100 per violation, with an annual maximum of $25,000 for repeat violations.
For a violation due to reasonable cause and not willful neglect: $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
For a violation due to willful neglect that is corrected within the required period: $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
For a violation due to willful neglect that is not corrected: $50,000 per violation, with an annual maximum of $1.5 million.
For entities covered and specified individuals who obtain or disclose individually identifiable health information willfully and knowingly, the penalty is up to $50,000 and imprisonment up to 1 year.
For offenses committed under false pretenses, the penalty is up to $100,000 with imprisonment of up to 5 years.
For offenses committed intending to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the penalty is up to $250,000, with imprisonment of up to 10 years.
The US Department of Health and Human Services Office for Civil Rights has received over 100,000 complaints of HIPAA violations, some of which have resulted in civil penalties or criminal prosecution.
Examples of HIPAA violations and breaches include:
Hospital staff disclosed a patient's HIV test results in the waiting room; staff were required to take regular HIPAA training, and computer monitors were repositioned.
An office manager accidentally faxed confidential medical records to an employer rather than a urologist's office. This resulted in a stern warning letter and mandatory HIPAA training for all employees.
A surgeon was fired after illegally accessing personal records of celebrities, was fined $2,000, and sentenced to 4 months in jail.
Private practice lost an unencrypted flash drive containing PHI, was fined $150,000, and was required to install a corrective action plan.
A private physician's license was suspended for submitting a patient's bill to a collection firm with CPT codes that revealed the patient's diagnosis.
Texas hospital employees received an 18-month jail term for wrongful disclosure of private patient medical information.
A Walgreens pharmacist violated HIPAA by sharing confidential information about a customer who had dated her husband, resulting in a $1.4 million award in the resulting lawsuit.
Virginia employees were fired for logging into medical files without a legitimate medical need.
An employee was fired for speaking aloud in the back office of a medical clinic and revealing a pregnancy test result.
A sales executive was fined $10,000 for filling out prior authorization forms and putting them in patient charts.
Six doctors and 13 employees were fired at UCLA for viewing Britney Spears' medical records when they had no legitimate reason to do so.
A cardiac monitor vendor was fined $2.5 million when a laptop containing hundreds of patient medical records was stolen from a car.
A Washington State medical center employee was fired for improperly accessing over 600 confidential patient health records.
A hospital employee posted on Facebook about the death of a patient, stating she "should have worn her seatbelt."
A hospital was fined $2.2 million for allowing an ABC film crew to film two patients without their consent.
A cardiology group was fined $200,000 for posting surgical and clinical appointments on a public, internet-accessible calendar.
Tricare Management of Virginia exposed the confidential data of nearly 5 million people.
Cignet Health of Maryland was fined $4.3 million for ignoring patient requests for copies of their records and ignoring federal officials' inquiries.
A Virginia physician was prosecuted for sharing information with a patient's employer under false pretenses.
References
1. Kessler SR, Pindek S, Kleinman G, Andel SA, Spector PE. Information security climate and the assessment of information security risk among healthcare employees. Health Informatics J. 2020 Mar;26(1):461-473. [PubMed: 30866704]
2. Mermelstein HT, Wallack JJ. Confidentiality in the age of HIPAA: a challenge for psychosomatic medicine. Psychosomatics. 2008 Mar-Apr;49(2):97-103. [PubMed: 18354061]
3. Iyiewuare PO, Coulter ID, Whitley MD, Herman PM. Researching the Appropriateness of Care in the Complementary and Integrative Health Professions Part 2: What Every Researcher and Practitioner Should Know About the Health Insurance Portability and Accountability Act and Practice-based Research in the United States. J Manipulative Physiol Ther. 2018 Nov-Dec;41(9):807-813. [PMC free article: PMC6684225] [PubMed: 30755332]
4. Liu X, Sutton PR, McKenna R, Sinanan MN, Fellner BJ, Leu MG, Ewell C. Evaluation of Secure Messaging Applications for a Health Care System: A Case Study. Appl Clin Inform. 2019 Jan;10(1):140-150. [PMC free article: PMC6393161] [PubMed: 30812040]
5. Tariq RA, Hackert PB. Patient Confidentiality. In: StatPearls [Internet]. Treasure Island (FL): StatPearls Publishing; Jan 23, 2023. [PubMed: 30137825]
6. Berry MD, Thomson Reuters Accelus. Healthcare Reform. Enforcement and Compliance. Issue Brief Health Policy Track Serv. 2018 Dec 24;2018:1-38. [PubMed: 30681783]
7. Berry MD, Thomson Reuters Accelus. Business of Health. Business of Healthcare. Issue Brief Health Policy Track Serv. 2018 Dec 24;2018:1-60. [PubMed: 30681304]
8. Kels CG, Kels LH. Potential Harms of HIPAA. JAMA. 2018 Dec 11;320(22):2378-2379. [PubMed: 30535213]
9. Lam JS, Simpson BK, Lau FH. Health Insurance Portability and Accountability Act Noncompliance in Patient Photograph Management in Plastic Surgery. Ann Plast Surg. 2019 May;82(5):486-492. [PubMed: 30648996]
10. Reynolds RA, Stack LB, Bonfield CM. Medical photography with a mobile phone: useful techniques, and what neurosurgeons need to know about HIPAA compliance. J Neurosurg. 2019 Jan 04;132(1):260-264. [PubMed: 30611147]
11. Mattioli M. Security Incidents Targeting Your Medical Practice. MD Advis. 2018 Summer;11(2):4-10. [PubMed: 30570893]
12. Baker FX, Merz JF. What gives them the right? Legal privilege and waivers of consent for research. Clin Trials. 2018 Dec;15(6):579-586. [PubMed: 30280910]
13. Sims MH, Hodges Shaw M, Gilbertson S, Storch J, Halterman MW. Legal and ethical issues surrounding the use of crowdsourcing among healthcare providers. Health Informatics J. 2019 Dec;25(4):1618-1630. [PubMed: 30192688]
14. Kloss LL, Brodnik MS, Rinehart-Thompson LA. Access and Disclosure of Personal Health Information: A Challenging Privacy Landscape in 2016-2018. Yearb Med Inform. 2018 Aug;27(1):60-66. [PMC free article: PMC6115206] [PubMed: 30157506]
15. Bradley D. HIPAA compliance efforts. Pediatr Emerg Care. 2004 Jan;20(1):68-70. [PubMed: 14716172]
16. Butler M. Top HITECH-HIPPA compliance obstacles emerge. J AHIMA. 2014 Apr;85(4):20-4; quiz 25. [PubMed: 24834549]
17. Roberts MK, Fisher DM, Parker LE, Darnell D, Sugarman J, Carrithers J, Weinfurt K, Jurkovich G, Zatzick D. Ethical and Regulatory Concerns in Pragmatic Clinical Trial Monitoring and Oversight. Ethics Hum Res. 2020 Sep;42(5):29-37. [PubMed: 32937035]
18. White JM. HIPPA compliance for vendors and suppliers. J Healthc Prot Manage. 2014;30(1):91-7. [PubMed: 24707761]
19. McMahon EB, Lee-Huber T. HIPPA privacy regulations: practical information for physicians. Pain Physician. 2001 Jul;4(3):280-4. [PubMed: 16900255]
20. Bilimoria NM. HIPPA security rule compliance for physicians: better late than never. J Med Pract Manage. 2005 Jul-Aug;21(1):39-42. [PubMed: 16206804]
Disclosure: Peter Edemekong declares no relevant financial relationships with ineligible companies.
Disclosure: Pavan Annamaraju declares no relevant financial relationships with ineligible companies.
Disclosure: Micelle Haydel declares no relevant financial relationships with ineligible companies.