Health insurance portability and accountability act was passed in

What Is the Health Insurance Portability and Accountability Act (HIPAA)?

The Health Insurance Portability and Accountability Act (HIPAA) is an act created by the U.S. Congress in 1996 that amends both the Employee Retirement Income Security Act (ERISA) and the Public Health Service Act (PHSA). HIPAA was enacted in an effort to protect individuals covered by health insurance and to set standards for the storage and privacy of personal medical data.

Key Takeaways

  • HIPAA law impacts policies, technology, and record-keeping at medical facilities, health insurance companies, HMOs, and healthcare billing services. 
  • Noncompliance with HIPAA standards and best practices is against the law.
  • The HITECH Act was created in 2009 to expand HIPAA privacy and security protections for patients.

How the Health Insurance Portability and Accountability Act (HIPAA) Works

The Health Insurance Portability and Accountability Act (HIPAA) ensures that individual health-care plans are accessible, portable and renewable, and it sets the standards and the methods for how medical data is shared across the U.S. health system in order to prevent fraud. It preempts state law (unless the state's regulations are more stringent).

Since 1996, HIPAA has been modified to include processes for safely storing and sharing patient medical information electronically. It also includes administrative simplification provisions, which are aimed at increasing efficiency and reducing administrative costs by establishing national standards.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) broadened HIPAA privacy and security protections. The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009 as a way of promoting the use of health information technology. A portion of the HITECH Act addresses privacy and security concerns.

The Future of the Health Insurance Portability and Accountability Act (HIPAA)

In 2018, Bloomberg Law reported on the privacy risks that come from digital healthcare data and the likelihood of updated federal laws in the near future. In an age of fitness-tracking apps and GPS-tracked, shareable data on everything from an individual’s daily step count to their average heart-rate, medications, allergies, and even menstrual cycles, there are new challenges for upholding standards in storing and protecting personal medical data.

In a video interview, Nan Halstead, health privacy and security attorney with Reed Smith LLP, said that future laws are unlikely to expand on HIPAA. Rather, they will use HIPAA's framework as a model to create new laws governing the digital sector. Although no such federal laws have yet been passed, states can pass laws that fill the gap in the meantime. Moreover, companies tracking consumer data are currently also subject to supervision by regulating bodies like the U.S. Food and Drug Administration (FDA) and the Federal Trade Commission (FTC).

The Health Insurance Portability and Accountability Act (HIPAA) does not protect all health information. Nor does it apply to every person who may see or use health information.

HIPAA applies to covered entities, business associates and their subcontractors.

Covered Entities

Health Care Providers

Health care providers get paid to provide health care. They include

  • doctors
  • dentists
  • hospitals
  • nursing homes
  • pharmacies
  • urgent care clinics

Health care providers must comply with HIPAA only if they transmit health information electronically in connection with covered transactions. Most providers transmit information electronically to carry out functions such as processing claims and receiving payment and are required to comply with HIPAA.

Health Plans

Health plans pay the cost of medical care. They include

  • health insurance companies
  • health maintenance organizations (HMOs)
  • group health plans sponsored by an employer
  • government-funded health plans (Medicare, Medicaid)
  • most other companies or arrangements that pay for health care

Health Care Clearinghouses

Health care clearinghouses process information so that it can be transmitted in a standard format between covered entities. They often act as a go-between for health care providers and health plans, which means that they rarely deal directly with patients (e.g., they may take information from a doctor and put it into a standard coded format that can be used for insurance purposes).

Business Associates

A business associate creates, receives, maintains or transmits protected health information on behalf of a covered entity or another business associate acting as a subcontractor.

Services

Business associates can perform many different services. Business associates often perform services that do not involve patient interaction including

  • accounting
  • actuarial
  • administrative accreditation
  • benefit management
  • billing
  • consulting
  • data aggregation
  • data analysis
  • data transmission
  • legal
  • management
  • patient safety activities (limited)
  • practice management
  • processing or administering claims
  • quality assurance
  • repricing
  • utilization review

A common example of a business associate with whom patients may interact is a company that offers a personal health record to individuals on behalf of a covered entity.

Responsibilities

Covered entities must execute written contracts with their business associates to make sure they safeguard protected health information according to HIPAA standards. Business associates must do the same with any of their subcontractors who can be considered their business associates.

The Department of Health and Human Services (HHS) website contains more information on business associate relationships and also provides sample language for business associate agreements.

Business associates must comply with their contractual obligations to covered entities. In addition, business associates are directly liable for violations of the HIPAA Security Rule and many provisions of the HIPAA Privacy Rule—meaning that they are subject to most of the same privacy and data security standards that apply to covered entities and may be subject to HHS audits and penalties.

Subcontractors

Subcontractors that create, maintain or transmit protected health information on behalf of a business associate have the same legal responsibilities as a business associate under HIPAA—meaning privacy- and security-related legal responsibilities flow downstream to subcontractors performing work for a business associate.

For example, a hospital’s business associate may hire an outside company to shred documents containing protected health information. The outside company (subcontractor) would be required to comply with most HIPAA rules as a business associate and would also be bound by a contract with the business associate rather than the covered entity (hospital).

Hybrid Entities

A hybrid entity performs both HIPAA-covered and non-covered functions as part of its business. A few examples are

  • a large corporation that has a self-insured health plan for its employees
  • a university with a medical center
  • a grocery store that has a pharmacy

When an organization elects to be treated as a hybrid entity, only the portion of the company that is a covered entity (called the health care component) is subject to HIPAA. Hybrid entities must ensure that the health care component does not disclose protected health information to another non-covered component of the business and must also safeguard electronic protected health information.

The HIPAA Privacy Rule applies to protected health information, and the HIPAA Security Rule applies to electronic protected health information.

Health Information

Health information is any information (including genetic information) that is created or received by a

  • health care provider
  • health plan
  • public health authority
  • employer
  • life insurance company
  • school or university
  • health care clearinghouse

and relates to

  • a person’s past, present or future physical or mental health or condition 
  • treatment provided to a person
  • past, present, or future payment for healthcare an individual receives

Health information can exist in any form or medium including paper, electronic or oral.

Protected Health Information

Protected health information is individually identifiable health information that is held or transmitted by a covered entity or its business associate.

Individually identifiable health information identifies—or can be used to identify—a person. It includes demographic and other information that identifies a person such as

  • name
  • address
  • date of birth
  • Social Security number

Information Not Covered

Health Information in Employment Records

HIPAA does not apply to health information in employment records. This includes a covered entity’s employment records.

Most Health Information in Education Records

Health information in education records that are subject to the Family Educational Rights and Privacy Act (FERPA) is not considered protected health information under HIPAA.

Health Information Regarding a Person Who Has Been Deceased for More Than 50 Years

For more information on the health information of deceased individuals, see the HHS website’s resource.

De-Identified Health Information

De-identified health information has either had 18 types of identifiers removed or been the subject of an expert determination that there is a very small risk that the information could identify an individual. De-identified data is often the subject of debate because of the possibility of re-identifying an individual.

Why was the Health Insurance Portability and Accountability Act passed?

The Health Insurance Portability and Accountability Act (HIPAA) was developed in 1996 and became part of the Social Security Act. The primary purpose of the HIPAA rules is to protect health care coverage for individuals who lose or change their jobs.

Why did Congress pass HIPAA in 1996?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed by Congress with two formidable tasks: (1) reform the insurance market; and (2) simplify healthcare administrative processes.

Which are functions of the Health Insurance Portability and Accountability Act?

The Health Insurance Portability and Accountability Act reduces health care fraud and abuse; mandates industry-wide standards for health care information on electronic billing and other processes; and requires the protection and confidential handling of protected health information.

What does the Health Insurance Portability and Accountability Act (HIPAA) aim to increase?

HIPAA was created to improve health care system efficiency by standardizing health care transactions. HIPAA added a new Part C titled "Administrative Simplification" that simplifies healthcare transactions by requiring health plans to standardize health care transactions.