Skip to main content

What is HIPAA?


HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996. (HIPAA) and its administration simplification provisions established rules and regulations around the standards and requirements for transmitting certain health information to improve the efficiency and effectiveness of the health care system while protecting patient privacy.

 

Applicability

 

HIPAA defines what entities and activities are covered under the rules. Generally, referred to as "covered entities", it applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. A covered entity is permitted to use and disclose protected health information, without an individual's authorization, for the following purposes or situations:

 

• To the Individual (unless required for access or accounting of disclosures);

 

• Treatment, Payment, and Health Care Operations;

 

• Opportunity to Agree or Object;

 

• Incident to an otherwise permitted use and disclosure;

 

• Public Interest and Benefit Activities

 

• Limited Data Set for the purposes of research, public health or health care operations

What is a Covered Entity?

 

 

A Health Care Provider

A Health Plan

A Health Care Clearinghouse

This includes providers such as

Doctors

Clinics

Psychologists

Dentists

Chiropractors

Nursing Homes

Pharmacies

This includes:

Health insurance companies

HMOs

ACOs

Company Health Plans

Government programs such as Medicare or Tricare

 

This includes entities that process non-standard health information they receive from another entity into a standard (i.e. Standard electronic format or data content), or vice versa.

 

** Business Associates may have to comply with some or all of the HIPAA Administrative Simplification Rules

 

Two Components of HIPAA

 

 

Privacy Component

Security Component

Protects individually identifiable health information* held or transmitted by a covered entity or business associate (otherwise known as Privacy of Personal Health Information (PHI))

Electronic

Paper

Oral

Sets forth the requirements and safeguards to protect the privacy of personal health information which is being electronically transmitted

Sets limitations on uses and disclosures without patient authorization

Establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity

Establishes national standards to protect individual medical records and other PHI

Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.

 

Gives patients rights over their health information which include:

The right to access their Protected Health Information.

The right to amend their Protected Health Information.

The right to receive a notice of Privacy Practices.

The right to request restrictions and confidential communications.

The right to an accounting of disclosures.

 

 

*What is Individually Identifiable Health Information?

 

"Individually identifiable health information" is information, including demographic data, that relates to:

 

• the individual's past, present or future physical or mental health or condition,

 

• the provision of health care to the individual, or

 

• the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers such as a name, address, birth date or Social Security Number.

 

 

Exceptions to the Privacy Rule

 

Plans providing certain incidental types of coverage are entirely exempt from HIPAA regulations. Incidental coverage would usually be for non-medical benefits such as:

 

• Accident Policies;

 

• Disability income;

 

• Liability insurance;

 

• Worker's compensation;

 

• Self-administered, self -insured group health plans with fewer than 50 employees eligible to participate.**

 

**This exclusion does NOT apply to a self-insured health plan that uses a third-party administrator.

 

Penalties

 

 

 

Criminal Penalties

‚Äč

Civil Penalties

Knowingly obtains or discloses individually identifiable health information

Up to $50,000.00 and up to one year in prison

Penalty amount of $100 to $50,000 or more per violation

Wrongful conduct with false pretenses

Up to $100,000 and up to five years in prison

Calendar year cap of $1,500,000

Wrongful conduct with intent to sell, transfer or use information

Up to $250,000 and up to ten years in prison

 

 

 

 

 

This content is being provided as an informational tool. It is believed to be accurate at the time of posting and is subject to change. It is recommended that plans consult with their own experts or counsel to review all applicable federal and state legal requirements that may apply to their group health plan. By providing this information, Meritain Health is not exercising discretionary authority or assuming a plan fiduciary role, nor is Meritain Health providing legal advice.