HIPAA
Definition
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. HIPAA applies to covered entities (healthcare providers, health plans, and clearinghouses) and their business associates, requiring administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI).
HIPAA Rules
Privacy Rule
Establishes standards for the use and disclosure of PHI. Defines patient rights including access to records, amendments, and accounting of disclosures. Applies to all forms of PHI: electronic, paper, and oral.
Security Rule
Requires administrative, physical, and technical safeguards specifically for electronic PHI (ePHI). Mandates a documented risk analysis and risk management process, access controls (unique user identification, emergency access, automatic logoff), audit controls that record and allow review of activity in systems holding ePHI, integrity and transmission security measures, and security awareness training for the workforce. Encryption of ePHI at rest and in transit is an "addressable" implementation specification rather than an unconditional mandate: a covered entity must either implement it or document why it is not reasonable and appropriate and put an equivalent alternative in place. In practice, failing to encrypt without that documented justification is treated as a violation.
Breach Notification Rule
Requires notification to affected individuals, HHS, and in some cases the media following a breach of unsecured PHI. PHI counts as "unsecured" when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons under HHS guidance (in practice, encrypted to that standard or destroyed), so properly encrypted data that is lost or stolen does not trigger notification; this is the main technical reason encryption matters for HIPAA. Individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, regardless of its size. Breaches affecting 500 or more individuals must also be reported to HHS within that same 60-day window and, when more than 500 residents of a state or jurisdiction are affected, to prominent media outlets; smaller breaches are logged and reported to HHS annually.
Enforcement Rule
Establishes investigation and civil penalty procedures. Civil penalties are tiered by culpability (no knowledge, reasonable cause, willful neglect that is corrected, and willful neglect that is not corrected), with inflation-adjusted amounts that currently range from about $141 per violation at the lowest tier to an annual cap of roughly $2.1 million per violation category. Criminal penalties, prosecuted by the Department of Justice rather than HHS, apply to knowingly obtaining or disclosing individually identifiable health information, with higher penalties when it is done under false pretenses or for commercial advantage or malicious harm.
Most Common HIPAA Violations
Failure to conduct or document a comprehensive risk analysis
Inadequate access controls allowing unauthorized access to PHI
Missing or incomplete Business Associate Agreements
Insufficient workforce training on privacy and security requirements
Failure to encrypt ePHI at rest and in transit, or to document why an equivalent alternative safeguard was used instead
Delayed breach notification exceeding the 60-day limit measured from discovery of the breach