Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is best known for protecting the privacy and security of patients’ medical records. It provides certain patient rights over the access, use, and distribution of personally identifiable health information, as well as criteria for information disclosures and security requirements that health care providers, insurance plans, and clearinghouses must follow. Updates to the law since its enactment have expanded patient rights, regulation of providers’ and plans’ actions, and the enforceability of existing HIPAA regulations. Public health crises such as the coronavirus disease 2019 (COVID-19) pandemic have brought increased awareness of HIPAA protections and limitations.


Overview

An amendment to the health insurance regulations of the Employee Retirement Income Security Act (ERISA) of 1974, the Health Insurance Portability and Accountability Act was signed into law on August 21, 1996. It included many provisions—among them, insurance portability for employees with preexisting conditions, special enrollment rights for life events, antifraud measures, improved communication between insurers and providers, and incentives for insurance enrollment. With its stated goal of creating nationwide health information standards, the act became best known for its privacy and security rules for patients’ medical information. Among the types of personally identifiable information regulated by HIPAA are medical histories, diagnostic images, test results, treatment plans, insurance eligibility, claims, and bill payments. Both paper and electronic records are subject to HIPAA, as are some oral communications.

Under HIPAA, patients have the right to view their own records, file complaints or amendments, designate the means of contact providers may use to communicate with them, and request nondisclosure to family members. Providers are allowed to share medical information to treat patients, report epidemiological data, comply with law enforcement, intervene in situations of suspected abuse, request payment for services rendered, and improve health care operations. Providers and plans must issue notices of privacy policy informing patients of the ways their medical information is shared, their rights, contact information for the provider or plan, and the procedure for registering a complaint.

In order to protect patient information, HIPAA requires a number of administrative, physical, and technical safeguards. These include determining the “need-to-know” status of various health care staff, careful positioning of office equipment such as computers and printers, and implementing technical safeguards, such as firewalls, antivirus software, data encryption, access controls such as user authentication passwords or PINs, and audit-trail software programs that track who reads and changes records. As health care providers increasingly switch from paper to electronic health records (EHR), the importance of technical safeguards has also increased.

Since the law’s enactment in 1996, the federal government has put forth several measures intended to address gaps or grey areas in it. Criminal liability and penalties for severe HIPAA infractions were defined in 2005. Four years later, the Health Information Technology for Economic and Clinical Health (HITECH) Act established monetary penalties for infractions. The Patient Protection and Affordable Care Act of 2010 set forth operating rules for HIPAA-regulated communications, standards for electronic fund transfers, and compliance policies for health plans.

The HIPAA Omnibus Rule, finalized in 2013, provided patients with additional rights to request electronic copies of health records; to designate a friend or family member with whom to share medical information; and to authorize providers to share their children’s immunization records with schools. It also tightened restrictions on providers and plans by enabling patients to limit the use of their information in fund-raising and marketing endeavors, such as pharmaceutical promotions, and by restricting the sale of patients’ medical information. Liability was extended to providers’ business associates, the procedure for reporting security breaches was clarified, and noncompliance penalties were raised. As a result of these changes, providers and plans were required to review, revise, and redistribute their privacy notices.

Violations, Enforcement, and Exemptions

The Office for Civil Rights (OCR) in the US Department of Health and Human Services is tasked with ensuring regulated entities—that is, health insurers, providers, clearinghouses, and their business associates—comply with HIPAA’s privacy and security rules, and taking enforcement actions if needed. OCR investigates complaints and has completed intermittent compliance audits.

For OCR to act on a complaint, the alleged HIPAA violation must have taken place after April 2003 and filers must have submitted their complaint no later than six months from when they became aware of, or should have been aware of, the alleged violation by a regulated entity. Potential criminal cases are transferred to the Justice Department. If OCR concludes a regulated entity committed civil violations of HIPAA, that entity may voluntarily comply, take corrective action, and/or reach a resolution agreement with the government. Typically, resolution agreements involve additional reporting and oversight over several years and may include fines. OCR can also fine regulated entities that fail to comply.

By mid-2021, OCR had resolved 99 percent of the 270,242 privacy complaints it had received. No violation was found in nearly one-third of those cases, and more than two-thirds resulted in corrective actions. The most common problems identified between 2017 and 2020 were impermissible uses and disclosures, and safeguards, followed by access, administrative safeguards, and technical safeguards.

HIPAA in the COVID-19 Pandemic

As the deadly coronavirus disease 2019 (COVID-19) became a global pandemic in the early 2020s, questions and confusion abounded among the public, in the media, and even among some government officials regarding the reach of the HIPAA rules. For example, early on, nursing homes reportedly obscured the total numbers of COVID-19 cases and deaths in their facilities from the public under the pretext of HIPAA. Similarly, some individuals claimed incorrectly that under HIPAA, they did not have to disclose their medical reasons for refusing to wear masks in places with mandates, to state their vaccination status, or to provide proof of vaccination if asked. Because HIPAA applies only to a limited number of regulated entities, however, its privacy and security provisions do not prohibit schools, government entities, media outlets, or most businesses and employers from asking about students’, constituents’, customers’, or employees’ symptoms, test results, or vaccination status, though individuals could decline to answer.

Amid the COVID-19 pandemic, OCR also exercised discretion in enforcement among regulated entities. Notably, it decided not to penalize covered entities, such as community testing sites, and business associates that made “good faith” or public health disclosures to aid public health agencies like the Centers for Disease Control and Prevention in combating the disease, as long as the affected person was notified within ten days. Similarly, “good faith” telehealth services were exempted from security rule enforcement, though insurers or other telehealth payers were not.
