HIPAA: Health information privacy


HIPAA (the Health Insurance Portability and Accountability Act) was enacted to establish national standards that keep an individual's health information, known as protected health information (PHI), from being disclosed without the patient's consent or knowledge. For individuals who want to learn more about HIPAA, the following are resources provided by the government to help explain its guidelines, compliance requirements, and how to ensure sensitive patient health information is handled correctly.

American Medical Association (AMA)
Provides guidance, checklists, and tools that explain what healthcare providers must do to ensure compliance with HIPAA regulations.

Centers for Medicare & Medicaid Services (CMS)
Offers information on HIPAA eligibility transactions, security, and privacy standards and is useful for healthcare providers, payers, and clearinghouses.

HealthIT.gov
Explains the types of health IT systems that organizations must have to ensure patient privacy and security in line with HIPAA requirements.

Office for Civil Rights (OCR) Privacy Rule Guidance
Details the HIPAA Privacy Rule and explains what it does to protect individuals’ medical records and other personal health information.

U.S. Department of Health & Human Services (HHS)
Provides comprehensive details on HIPAA rules, compliance, and enforcement, along with guidelines that covered entities and business associates must follow to protect PHI.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act was enacted on August 21, 1996. The primary driver of HIPAA was to provide protection for individuals’ health information while ensuring that their healthcare coverage can be maintained during events like changing or losing jobs.

HIPAA’s importance has grown in the digital age as the adoption of electronic health records increases and cybersecurity threats become more prevalent.

HIPAA is fundamental in fostering the adoption of standardized processes within the healthcare industry to secure electronically stored information regarding an individual’s health status, treatment, and payment.

HIPAA ensures that organizations handle PHI with care and confidentiality, which not only protects individuals from potential misuse of sensitive data but also encourages trust in the healthcare system. The balance HIPAA strives to achieve between protecting patient information and permitting the necessary flow of data to ensure high-quality health care and protect the public’s health is crucial for its effectiveness.

Three primary purposes and objectives of HIPAA

  1. Healthcare-related administrative simplification
    HIPAA seeks to streamline healthcare transactions through standardization. It mandates the use of standardized electronic data interchange (EDI) formats for healthcare transactions, including billing and payments, to improve efficiency and reduce administrative costs.
  2. Insurance portability
    One of the initial motivations behind HIPAA was to ensure that individuals could maintain their health insurance coverage between jobs. This aspect, known as portability, aims to reduce the risk of losing health insurance due to pre-existing conditions exclusions or gaps in coverage when changing employment.
  3. Reducing healthcare fraud
    HIPAA introduced measures to reduce waste, fraud, and abuse across the healthcare and health insurance sectors. It establishes penalties for fraud offenses and has led to the development of policies and procedures that healthcare organizations must follow to deter fraudulent activities.

Key components of HIPAA

Perhaps the most well-known provisions of HIPAA concern the privacy and security of individuals' health information. These are encapsulated in the HIPAA Breach Notification Rule, the HIPAA Enforcement Rule, the HIPAA Privacy Rule, and the HIPAA Security Rule.

The HIPAA Breach Notification Rule was enacted as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. HIPAA-covered entities and their business associates are required to notify impacted individuals following a breach of unsecured PHI. Specific timelines and methods for notification depend on the nature of the breach and the number of individuals affected.

The HIPAA Enforcement Rule grants the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), the authority to investigate complaints against HIPAA-covered entities and their business associates in the event that they fail to comply with HIPAA Rules. This includes imposing penalties for non-compliance.

The HIPAA Privacy Rule established standards that HIPAA-covered entities must follow to protect individuals’ medical records and other PHI.

The HIPAA Security Rule supports the Privacy Rule by outlining national security standards for protecting health information that is held or transferred in electronic form.

Individual rights granted by HIPAA

HIPAA grants individuals a number of rights related to access and control over their PHI, including:

  1. Right to access and obtain a copy of health records
    Individuals have the right to obtain and review their health records. The objective is to provide transparency and patient involvement in their healthcare.
  2. Right to file complaints
    If individuals believe their rights are being compromised or their health information is not being protected, they can file a complaint with their provider, insurer, or the U.S. Department of Health and Human Services.
  3. Right to receive a record of disclosures
    Individuals can request a report that details who has accessed their health information.
  4. Right to request confidential communications
    Individuals can request that their health information be communicated through alternative means or locations to ensure confidentiality.
  5. Right to request corrections
    If individuals believe there is a mistake in their health records, they can request an amendment to these records.

HIPAA benefits for individuals

For individuals, HIPAA provides several benefits, including:

  1. Privacy protections ensure that sensitive health information is shared only with the individual’s consent and for purposes of treatment, payment, and healthcare operations unless otherwise permitted or required by law.
  2. Access to records allows individuals to access their medical records, request copies, and make amendments.
  3. Established limits on how health information can be used for marketing, fundraising, and other purposes without an individual’s explicit consent.
  4. Security measures provide reassurance that healthcare providers and insurers are taking steps to protect health information, particularly in digital form.

The HIPAA Privacy Rule

The HIPAA Privacy Rule defined national standards to protect individuals’ medical records and other PHI. It was established at the end of 2000 and went into effect in 2003. The HIPAA Privacy Rule was driven by growing concerns about the need to protect the privacy and security of health information, particularly as healthcare practices increasingly shifted towards electronic systems.

Covered entities under the HIPAA Privacy Rule

  1. Healthcare providers
    Any individual or organization that transmits any PHI in electronic form. Healthcare providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
  2. Healthcare clearinghouses
    Any entity that processes nonstandard health information into a standard electronic format or data content, or vice versa, is considered a healthcare clearinghouse. This can include billing services and community health management information systems.
  3. Health plans
    Under HIPAA, health plans include health insurance companies, company health plans, HMOs (Health Maintenance Organizations), and government programs, such as Medicaid and Medicare.
  4. Business associates
    A business associate is any organization or individual that performs functions or provides services on behalf of a covered entity that involve handling PHI.

Permitted PHI uses and disclosures under HIPAA

According to the HIPAA Privacy Rule, covered entities are permitted to use and disclose PHI without an individual’s authorization for the purposes outlined below. Beyond these purposes, the HIPAA Privacy Rule mandates that covered entities obtain written consent from individuals before using or disclosing their PHI.

  1. Incidental uses and disclosures
    Disclosures that are incidental to an otherwise permissible use or disclosure are allowed, provided reasonable safeguards are in place (e.g., speaking quietly, using private rooms for sensitive discussions, or ensuring that medical records on screens are not visible to unauthorized individuals). For example, a doctor discussing a patient's treatment options with a nurse in a shared office space may be overheard by another patient. As long as reasonable safeguards are in place to minimize such exposure, incidental disclosures of this kind are generally permissible under HIPAA.
  2. Notification
    PHI can be used or disclosed for notification purposes, such as identifying or locating a family member, personal representative, or other persons responsible for the care of the individual.
  3. Opportunity to agree or object
    In certain situations, a covered entity can share PHI when the individual is present and has the opportunity to agree or object to the sharing of their information. An example of this is discussing a patient’s treatment in the presence of a family member.
  4. Payment
    PHI can be used and disclosed to obtain payment for healthcare services. An example is billing a health insurance provider for a patient’s treatment.
  5. Public interest and benefit activities
    PHI may be disclosed for various public interests and benefits, such as for public health activities, reporting victims of abuse, neglect, or domestic violence, and for health oversight activities.
  6. Treatment
    PHI can be shared among healthcare providers involved in treating an individual. An example of this is a primary care physician sharing information about a patient’s condition with a specialist to determine a course of treatment.

HIPAA Security Rule

The HIPAA Security Rule was established in 2005 as a complement to the Privacy Rule. It outlines national security standards for protecting health information that is held or transferred in electronic form.

According to the HIPAA Security Rule, HIPAA-covered entities must implement the appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).

These safeguards range from employee training and access controls to encrypted transmission of data.

HIPAA FAQ

Here are the answers to some frequently asked questions about HIPAA.

What is the function of HIPAA?

The primary function of HIPAA is to protect and secure the privacy of an individual’s PHI while ensuring that health insurance coverage is maintained during major life transitions, such as changing or losing jobs. Several core mandates collectively support the HIPAA objective by enhancing the efficiency of the healthcare system, protecting patients’ privacy rights, and improving the reliability and portability of health insurance. These include:

  1. Ensuring that individuals can retain their health insurance during employment transitions or job loss to minimize the chance of being uninsured, particularly for those with pre-existing conditions or other issues related to the continuity of health coverage.
  2. Establishing guidelines for enforcement and penalties for non-compliance with HIPAA rules and regulations.
  3. Limiting exclusions for individuals' pre-existing conditions, prohibiting denial of insurance coverage for employees and dependents based on their health status, and guaranteeing the renewal and availability of health insurance coverage.
  4. Requiring standardization of electronic health records systems and transactions, including billing and connections between healthcare providers and insurance companies.
  5. Setting national standards for the protection of PHI, including physical records and electronic health records (EHRs). Under HIPAA, healthcare providers, insurance companies, and other entities handling health information are required to implement appropriate safeguards to protect privacy and limit unauthorized access and disclosures.

How often should security and privacy risk assessments be performed under HIPAA?

HIPAA does not specify an exact frequency for performing security and privacy risk assessments. However, it is recommended to conduct them annually or as needed, particularly when significant changes to electronic systems occur. The purpose of a HIPAA security risk assessment is to uncover potential threats and weaknesses that could impact the confidentiality, integrity, and security of electronically stored protected health information (ePHI).

Can patient information be emailed under HIPAA?

Patient information can be sent via email under HIPAA, but certain precautions must be taken to ensure the security of the data. If PHI is transmitted by email, patients must be informed of the risks of emailing ePHI, and data should be encrypted to protect against unauthorized access during transmission.

What privacy disclosures are covered entities required to share with patients?

Covered entities under HIPAA are required to provide patients with a Notice of Privacy Practices (NPP). This notice must clearly articulate how the patient’s PHI will be used and disclosed and outline the rights patients have regarding their PHI. The NPP should also explain the legal obligations of the covered entity to protect privacy and list procedures for filing complaints if privacy protections are believed to be violated.

Protect your rights by understanding HIPAA

Since its enactment, HIPAA has become synonymous with health information protection in the U.S. While navigating HIPAA regulations can be complex for healthcare providers and insurers, the benefits to individuals are clear—greater control over one’s health information, enhanced privacy protections, and improved healthcare system efficiency.
