HIPAA

The Health Insurance Portability and Accountability Act is US legislation that establishes standards for protecting sensitive patient health information from disclosure without consent.

Also known as: Health Insurance Portability and Accountability Act, HIPAA Compliance

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a US federal law enacted in 1996 that sets national standards for protecting sensitive patient health information. It applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates.

Key Rules

Privacy Rule

  • Establishes standards for protecting PHI in any form (paper, electronic, or spoken)
  • Defines permitted uses and disclosures (treatment, payment, healthcare operations, and others requiring authorization)
  • Grants patients rights over their data (access, amendment, accounting of disclosures)
  • Requires the "minimum necessary" standard: limit uses, disclosures, and requests to the least PHI needed for the purpose

Security Rule

  • Applies specifically to electronic PHI (ePHI)
  • Technical safeguards (access controls, audit controls, integrity controls, authentication, transmission security such as encryption)
  • Physical safeguards (facility access, workstation security, device and media controls)
  • Administrative safeguards (policies, workforce training, risk analysis and risk management)

Breach Notification Rule

  • Notify affected individuals without unreasonable delay, and no later than 60 days after discovery of the breach
  • Notify HHS: breaches affecting 500 or more individuals within 60 days of discovery; smaller breaches are logged and reported annually
  • Notify prominent media outlets when a breach affects 500 or more residents of a state or jurisdiction

Protected Health Information (PHI)

Individually identifiable health information created, received, stored, or transmitted by a covered entity or business associate, in any form or medium:

  • Medical records
  • Lab results
  • Insurance information
  • Payment history
  • Any of the 18 identifiers (names, dates other than year, SSNs, medical record numbers, IP addresses, biometrics, full-face photos, and so on) when linked to health information

Covered Entities & Business Associates

Covered Entities

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses

Business Associates

  • Vendors and contractors that create, receive, store, or transmit PHI on behalf of a covered entity (e.g., cloud hosting, billing, IT services)
  • Must sign a Business Associate Agreement (BAA) before handling PHI
  • Directly liable under the HITECH Act for Security Rule compliance and for the Privacy Rule obligations in the BAA; their own subcontractors need BAAs as well

Penalties

  • Civil penalties tiered by culpability, from $100 to $50,000 per violation (base amounts set by HITECH; adjusted annually for inflation)
  • Annual cap of $1.5 million per identical provision violated (also inflation-adjusted)
  • "Willful neglect" is the highest civil tier; separate criminal penalties (fines and imprisonment) apply to knowingly obtaining or disclosing PHI in violation of the law