ATTUS Technologies
1-888-494-8449

Health Insurance Portability and Accountability Act (HIPAA)


On August 21, 1996, Congress passed the Health Insurance Portability and Accountability Act, better known as HIPAA. Two primary outcomes of HIPAA are its Privacy Rule and Security Rule, both of which work to protect patient health information. The goal of these uniform standards is to promote the secure flow of health information while at the same time supporting the highest level of patient care.

The Privacy Rule identifies what patient information is to be protected. This Protected Health Information (PHI) includes data that identifies or could identify the patient, such as their name, address, date of birth or Social Security number. The Security Rule specifically protects PHI that is created, received, maintained or transmitted electronically. This subset of PHI is called e-PHI.

HIPAA applies to all healthcare providers, health plans, health clearinghouses, and those entities that interact with them by exchanging PHI. Under the Privacy and Security Rules, covered entities are responsible for protecting PHI from improper use, disclosure or destruction by developing appropriate security measures. They must also regularly review their security measures to adjust for new and emerging threats to the privacy and security of patient information.

Individuals do not have a private cause of action to sue in the event of a HIPAA violation, but the U.S. Department of Health and Human Services' Office for Civil Rights can impose penalties up to $1.5 million for the most extreme violations. Learn more about how you can be HIPAA compliant and avoid penalties and fines.

© 2011 ATTUS Technologies, Inc.