Health Insurance Portability and Accountability Act of 1996 (HIPAA)

    HIPAA Privacy Rule
    Covered Entities
    Permitted Uses and Disclosures
    HIPAA Security Rule

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as protected health information or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.”

The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to make sure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare, and to protect the public’s health and well-being. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.

The HHS Office for Civil Rights (OCR) refers appropriate cases involving the knowing disclosure or obtaining of protected health information in violation of the Rules to the Department of Justice (DOJ) for criminal investigation.

Enforcement Process

OCR enforces the Privacy and Security Rules in several ways:

  • investigating complaints filed with it,
  • conducting compliance reviews to determine whether covered entities are in compliance, and
  • performing education and outreach to foster compliance with the Rules' requirements.

OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.

WARNING!

While signing a Business Associate Agreement (BAA) may be required, the mere fact that you have paperwork in place does not mean you are compliant.

Don't assume you are compliant without understanding what you are actually agreeing to do under the terms of the BAA.

If you are handling ePHI, you had better understand your obligations under the law, or you could end up in prison.

The DOJ (Department of Justice) prosecutes violations that have been referred by OCR, and people do go straight to jail for not being compliant or for simply being sloppy.

The security and handling requirements are very strict and require constant attention to comply.