
Virtual Depot

Secure and Reliable Document and Data Management & Storage



What is HIPAA (Health Insurance Portability & Accountability Act)?
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 included a series of “administrative simplification” provisions that require the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. By ensuring consistency throughout the industry, these national standards will make it easier for health plans, doctors, hospitals and other health care providers to process claims and other transactions electronically. The law also requires security and privacy standards in order to protect personal health information.

Compliance required areas
As required by HIPAA, the final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. The provisions of the final rule generally apply equally to private sector and public sector entities.

All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the rule. The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of protected health information (PHI) to the minimum necessary to accomplish the intended purpose. The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that will appropriately limit access to personal health information without sacrificing the quality of healthcare.

Enforcement by Department of Health
The Department of Health and Human Services will be responsible for determining if institutions are HIPAA compliant as well as assessing penalties and fines for violations.

Penalties for non-compliance
Civil penalties: Health plans, providers, and clearinghouses that violate these standards will be subject to civil liability. Civil money penalties are $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.

Federal criminal penalties: Under HIPAA, Congress also established criminal penalties for knowingly violating patient privacy. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under “false pretenses”; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

For more information:
Department of Health & Human Services

 
 
 





© 2010 Virtual Depot. All rights reserved worldwide.