
Health Insurance Portability and Accountability Act (HIPAA)

Maximum Fine
$1.5M annual cap per violation type (base statutory amount; inflation-adjusted yearly)
Scope
Healthcare
Regulator
HHS OCR
Enacted
1996


Overview

HIPAA establishes national standards for the protection of individuals' medical records and other personal health information, applying to health plans, health care providers, and health care clearinghouses.

Key Facts

  • Enacted in 1996; Privacy Rule compliance date April 2003, Security Rule compliance date April 2005
  • Enforced by the HHS Office for Civil Rights (OCR), with criminal cases referred to the Department of Justice
  • Includes Privacy, Security, and Breach Notification Rules

HIPAA Rules

Privacy Rule

Standards for the protection of individuals' medical records and other personal health information.

Requirements

  • Appropriate safeguards implementation
  • Patient rights protection
  • Use and disclosure limits
  • Notice of privacy practices
  • Business associate agreements

Examples

  • Patient authorization forms
  • Privacy policy documentation
  • Access request procedures
  • Minimum necessary standards

Security Rule

National standards for safeguarding electronic protected health information (ePHI) that a covered entity or business associate creates, receives, maintains, or transmits.

Requirements

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
  • Risk analysis
  • Security management process

Examples

  • Access control systems
  • Encryption implementation
  • Audit controls
  • Facility security plans
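The Security Rule's "audit controls" and "access control" safeguards are only useful if someone actually reviews the records they produce. The Memorial Healthcare System case cited under Enforcement below is the classic failure: a former employee's credentials kept working and were used to view ePHI for about a year without anyone noticing. The following is an added example (not code from SecurePrivacy or from any covered entity) of the kind of review a practitioner would run over ePHI access logs: correlate every access against the HR roster and flag accounts that are unknown or that were used on or after their termination date. The log format, the roster and the sample records are all constructed for the example.

```python
"""Audit-control check: flag ePHI access by unknown accounts or by workforce
accounts used on/after their termination date.

Added example, not part of the original page. The log layout
(timestamp,user,patient_id,action), the HR roster and every record below are
constructed; a real deployment would read them from the EHR audit log and the
HR system of record.
"""
from datetime import datetime

# Constructed HR roster: user_id -> ISO termination date, or None if still active.
HR_ROSTER = {
    "jdoe": None,           # active clinician
    "asmith": "2024-01-15", # terminated, account should have been disabled
    "bchen": "2024-03-01",  # terminated, account should have been disabled
}

# Constructed ePHI access log (one record per line; no real patients).
ACCESS_LOG = """\
2024-01-10T09:12:03,asmith,P10023,view
2024-01-20T22:41:10,asmith,P10077,view
2024-02-02T08:00:00,jdoe,P10023,update
2024-03-05T03:15:44,bchen,P10091,export
2024-03-06T03:16:01,bchen,P10092,export
2024-03-07T11:00:00,svc_old,P10010,view
"""


def parse_log(text):
    """Parse 'timestamp,user,patient_id,action' lines into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return records


def post_termination_access(records, roster):
    """Return (finding_type, record) pairs for access that should not have occurred.

    'unknown_account'   - the user_id is not in the HR roster at all
    'post_termination'  - the user_id was terminated on or before the access time
    """
    findings = []
    for rec in records:
        if rec["user"] not in roster:
            findings.append(("unknown_account", rec))
            continue
        terminated = roster[rec["user"]]
        if terminated is not None and rec["ts"] >= datetime.fromisoformat(terminated):
            findings.append(("post_termination", rec))
    return findings


def summarize(findings, roster):
    """Per-account summary: finding type, access count, window, patients touched,
    and how many days after termination the most recent access happened."""
    summary = {}
    for kind, rec in findings:
        entry = summary.setdefault(rec["user"], {
            "type": kind, "count": 0,
            "first": rec["ts"], "last": rec["ts"], "patients": set(),
        })
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["patients"].add(rec["patient"])
    for user, entry in summary.items():
        term = roster.get(user)
        entry["days_after_termination"] = (
            (entry["last"] - datetime.fromisoformat(term)).days if term else None
        )
    return summary


if __name__ == "__main__":
    findings = post_termination_access(parse_log(ACCESS_LOG), HR_ROSTER)
    for user, entry in summarize(findings, HR_ROSTER).items():
        print(f"{user}: {entry['type']} x{entry['count']} "
              f"({entry['first']} .. {entry['last']}), "
              f"patients={sorted(entry['patients'])}, "
              f"days_after_termination={entry['days_after_termination']}")
```

Two design points matter for a real review. Flagging unknown accounts separately from post-termination accounts is deliberate: an identifier that appears in the EHR log but not in HR is either a shared or service account that needs an owner or evidence the roster export is incomplete, and both are findings in their own right. The termination comparison uses the date as a midnight cutoff, so a terminated person's last-day activity before midnight is not flagged; if your HR system records the exact offboarding time, compare against that instead.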

Breach Notification Rule

Requirements for notification following a breach of unsecured protected health information. PHI counts as "unsecured" when it has not been rendered unusable, unreadable, or indecipherable under HHS guidance (encryption or destruction); properly encrypted data whose key was not compromised falls outside the notification duty.

Requirements

  • Breach risk assessment
  • Notification procedures
  • Documentation requirements
  • Timing requirements (without unreasonable delay, and no later than 60 calendar days after discovery)
  • Content of notifications

Examples

  • Breach notification letters
  • Risk assessment documentation
  • Media notifications (required when a breach affects more than 500 residents of a state or jurisdiction)
  • HHS reporting procedures (breaches of 500 or more individuals reported within 60 days of discovery; smaller breaches logged and reported annually)

Compliance Requirements

Risk Assessment and Management

Organizations must conduct regular risk assessments and implement appropriate security measures.

Implementation Steps

  • Identify potential risks
  • Evaluate current safeguards
  • Assess likelihood of threats
  • Determine potential impact
  • Implement security measures

Required Documentation

  • Risk assessment reports
  • Security policies
  • Mitigation plans
  • Review schedules
  • Implementation records

Workforce Training

Regular training for all workforce members on privacy and security policies.

Implementation Steps

  • Develop training materials
  • Schedule regular sessions
  • Track attendance
  • Assess understanding
  • Document completion

Required Documentation

  • Training materials
  • Attendance records
  • Assessment results
  • Certification records
  • Policy acknowledgments

Business Associate Management

Establish and maintain agreements with business associates handling PHI.

Implementation Steps

  • Identify business associates
  • Review relationships
  • Execute agreements
  • Monitor compliance
  • Update agreements

Required Documentation

  • Business associate agreements
  • Compliance reports
  • Monitoring records
  • Review documentation
  • Update logs

Enforcement & Penalties

Civil Monetary Penalties

OCR can impose civil money penalties based on tiered violation categories, keyed to the covered entity's level of culpability. The figures below are the base statutory amounts per violation; HHS adjusts them for inflation each year, and each tier carries an annual cap (base $1.5M) for identical violations of the same provision.

Penalty Categories

Tier 1 (did not know and could not reasonably have known): $100-$50,000 per violation
Tier 2 (reasonable cause, not willful neglect): $1,000-$50,000 per violation
Tier 3 (willful neglect, corrected within 30 days): $10,000-$50,000 per violation
Tier 4 (willful neglect, not corrected): $50,000 per violation, up to the annual cap

Example Cases

Anthem Inc.
$16 million
2018 - Largest healthcare data breach settlement for cyber attack affecting 79 million people
Memorial Healthcare System
$5.5 million
2017 - Failure to review audit logs and to deactivate a former employee's credentials, which were used to access ePHI for about a year without detection

Criminal Penalties

The Department of Justice can pursue criminal penalties for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA. The tier depends on the offender's intent.

Penalty Categories

Knowingly obtaining or disclosing PHI: up to $50,000 and 1 year in prison
Under false pretenses: up to $100,000 and 5 years in prison
With intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: up to $250,000 and 10 years in prison

Example Cases

Former UCLA Employee
Criminal charges
2019 - Accessing celebrity medical records without authorization
Texas Hospital Employee
Criminal prosecution
2020 - Selling patient information for personal gain