The Health Insurance Portability and Accountability Act of 1996 (PL 104-191), also known as HIPAA, is a law designed to improve the efficiency and effectiveness of the nation's health care system. HIPAA is divided into two parts:
The HIPAA regulations apply to covered entities and business associates, defined as health plans, health care clearinghouses, and health care providers who conduct certain electronic transactions.
Find out if you are a covered entity under HIPAA.
The 2013 Final Rule [PDF] expands the definition of a business associate to generally include a person who creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. This now includes:
For more information on business associates, see:
The interim final rule [PDF] on HIPAA Administrative Simplification Enforcement ("Enforcement Rule") was issued on October 30, 2009. It includes categories of violations and tiers of increasing penalty amounts.
Categories of violations include those:
Monetary penalties vary by the type of violation and range from $100 per violation (with a yearly maximum of $25,000) to $50,000 per violation (with a yearly maximum of $1.5 million).
The final rule [PDF] published in 2013 enhances and clarifies the interim rule. It defines a breach as an acquisition, access, use, or disclosure of protected health information in a manner not permitted under the rule, unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised. That demonstration rests on a risk assessment of factors including the nature and extent of the breach, the person to whom the disclosure was made, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.
The final rule removed the harm standard but increased civil monetary penalties in general. Penalties take into consideration the nature and extent of harm resulting from the violation, including financial and reputational harm, as well as the financial circumstances of the person who committed the violation.
Additionally, the final rule addresses other areas of compliance, including the individual's right to receive information, additional requirements for privacy notices, and the use of genetic information.
The following is provided for informational purposes only. Please consult with your legal counsel and review your state laws and regulations.