HIPAA Overview

Health Insurance Portability and Accountability Act

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for protecting the privacy and security of health information. HIPAA applies to covered entities and their business associates.

HIPAA consists of two main rules: the Privacy Rule and the Security Rule, which work together to protect individuals' health information while allowing appropriate access for healthcare operations.

Who Must Comply with HIPAA?

Covered Entities

  • Healthcare providers (doctors, hospitals, clinics)
  • Health plans (insurance companies, HMOs)
  • Healthcare clearinghouses

Business Associates

  • IT service providers
  • Cloud storage providers
  • Billing and coding services
  • Any vendor with access to PHI

HIPAA Rules

Privacy Rule (45 CFR 164.500-534)

Establishes standards for protecting the privacy of individually identifiable health information, referred to as protected health information (PHI).

  • Patient rights regarding their health information
  • Uses and disclosures of PHI
  • Notice of Privacy Practices
  • Minimum necessary standard

Security Rule (45 CFR 164.302-318)

Establishes administrative, physical, and technical safeguards for electronic PHI (ePHI).

  • Administrative safeguards (policies, procedures, training)
  • Physical safeguards (facility access, workstation security)
  • Technical safeguards (access control, audit logs, encryption)

Breach Notification Rule (45 CFR 164.400-414)

Requires covered entities to notify individuals and HHS of breaches of unsecured PHI.

  • Individual notification within 60 days
  • HHS notification within 60 days (if 500+ individuals affected)
  • Media notification for breaches affecting 500+ individuals

HIPAA Security Safeguards

Administrative Safeguards

  • Security officer designation
  • Workforce training and awareness
  • Access management procedures
  • Information access management
  • Security awareness training
  • Security incident procedures
  • Contingency planning

Physical Safeguards

  • Facility access controls
  • Workstation use restrictions
  • Workstation security controls
  • Device and media controls

Technical Safeguards

  • Access control (unique user identification)
  • Audit controls and logging
  • Integrity controls
  • Transmission security (encryption)

Key HIPAA Requirements

Protected Health Information (PHI)

  • 18 identifiers that make health information PHI
  • Minimum necessary standard for PHI use and disclosure
  • Patient authorization for non-routine disclosures
  • Business associate agreements (BAAs)

Patient Rights

  • Right to access their health information
  • Right to request amendments
  • Right to request restrictions
  • Right to accounting of disclosures

HIPAA Violations and Penalties

Civil Penalties

  • Tier 1: $127 - $63,973 (didn't know)
  • Tier 2: $1,280 - $63,973 (reasonable cause)
  • Tier 3: $12,794 - $63,973 (willful neglect, corrected)
  • Tier 4: $63,973 - $1,919,173 (willful neglect, not corrected)

Criminal Penalties

  • Up to $50,000 and 1 year in prison
  • Up to $100,000 and 5 years in prison
  • Up to $250,000 and 10 years in prison
