10 questions and answers about HIPAA law
1. What is HIPAA Law?
HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act. HIPAA law was enacted by the U.S. Congress in 1996 to address the security and privacy of health data. It was designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Developed by the Department of Health and Human Services (HHS), HIPAA standards provide patients more control over how their personal health information (termed “individually identifiable health information”) is used and disclosed.
2. Who is a “Covered Entity”?
HIPAA law applies to “covered entities,” which include:
- Health care providers
- Health plans
- Health care clearinghouses (such as billing services)
3. How do I know if my business is considered a “covered entity”?
You can download the HHS’ Covered Entity Charts to determine whether your organization qualifies as a “covered entity”.
4. What is “individually identifiable health information”?
“Individually identifiable health information” includes demographic data that relates to:
- the patient’s past, present or future physical or mental health or condition
- the provision of health care to the patient
- the past, present, or future payment for the provision of health care to the patient
- common identifiers (e.g., name, address, birth date, Social Security Number)
5. Who is not required to follow HIPAA Privacy and Security Rules?
Organizations that do not have to follow the Privacy and Security Rules include:
- life insurers
- employers (HIPAA does not protect your employment records even if the information in your records is health-related)
- workers’ compensation carriers
- schools and school districts
- state agencies like child protective service agencies
- law enforcement agencies
- municipal offices
6. What are the most common HIPAA violations?
The 8 most common HIPAA violations can be found here.
7. How is HIPAA law enforced?
The HHS’ Office for Civil Rights (OCR) is responsible for enforcing HIPAA law. The OCR enforcement process can be found here.
8. How do you file a HIPAA complaint?
If a covered entity violates health information privacy rights or commits any other violation of HIPAA law, a complaint can be filed with OCR either by mail, fax, email or electronically via the OCR Complaint Portal. Anyone can file a HIPAA complaint – a health care provider, patient, patient’s family member, etc.
9. What is the penalty for a HIPAA violation?
HIPAA violations result in fines that range from $100 to $50,000 per offense. However, there is a $1.5 million limit on the total that one organization can be fined annually. In addition to these fines, the states’ attorneys general can pursue civil actions. And breaches affecting more than 500 patients must be reported to the news media.
10. How can I ensure my facility is HIPAA compliant?
If you want to ensure your business is HIPAA compliant, start here: 3 Steps to HIPAA Law Compliance
Have additional questions?
You can search the HHS.gov database of FAQs regarding HIPAA here.