Health Insurance Portability and Accountability Act

The following page is provided for informational purposes only and speaks solely to federal regulations. ASHA does not and cannot provide legal advice or analysis. Please consult with your legal counsel, and review your state laws and regulations.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) seeks to improve the health care system and protect patients’ personal information and access to health care. Although the law does not apply to every health care entity and setting, the law has a wide reach and has inspired some states to adopt similar regulations that could apply to more entities and settings. It is important that providers become familiar with the elements of HIPAA and determine the level of privacy and security that they need to maintain for their patients.

Elements of HIPAA

The Health Insurance Portability and Accountability Act of 1996 (PL 104-191), also known as HIPAA, is a law designed to improve the efficiency and effectiveness of the nation's health care system. It is intended to protect patients in several ways; two main elements of HIPAA apply to health care providers:

Title I: Health Care Access, Portability, and Renewability

  • Protects health insurance coverage when someone loses or changes their job.
  • Addresses issues such as pre-existing conditions.

Title II: Administrative Simplification

  • Includes provisions for the privacy and security of health information under the Privacy Rule and the Security Rule.
  • Specifies electronic standards for the transmission of health information.
  • Requires unique identifiers for providers.

Who Must Comply With HIPAA?

The HIPAA regulations apply to covered entities and to their business associates. Covered entities are health plans, health care clearinghouses, and health care providers that conduct certain transactions electronically. A provider becomes a covered entity by transmitting any HIPAA standard transaction electronically. HIPAA transactions are electronic exchanges between providers and health plans or clearinghouses; health plans can be private insurance companies, state Medicaid programs, or Medicare. Business associates are individuals or organizations outside the covered entity's workforce that create, receive, maintain, or transmit individually identifiable health information on the covered entity's behalf, for example to provide claims processing assistance, data analysis, utilization review, or billing support. A business associate must sign a business associate agreement with the covered entity and is directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule. HIPAA transactions include but are not limited to claim submission, requests for information (such as explanations of benefits), referral submissions, prior authorizations, payments, and remittance advice (see 45 C.F.R. Part 162).

The Department of Health and Human Services (HHS) provides a helpful summary of covered entities under HIPAA and a tool to help individuals and businesses determine whether they qualify as a covered entity.

Who Is Not a Covered Entity?

Providers that do not work with clearinghouses, accept only cash pay (private pay), provide superbills to patients, and do not submit or request information electronically from the patient's insurer are not subject to HIPAA regulations. Providers that are not subject to HIPAA still need to consider patient privacy. Many states have enacted their own privacy legislation, and these laws can define covered entities and covered transactions more broadly than HIPAA does. Clinicians should check with their state department of health and human services or other state agencies involved in patient data privacy for information on local privacy regulations. Even if clinicians determine that they or their practice are not covered entities, it is recommended that they take reasonable measures to protect patient information.

Privacy Rule

The HIPAA Privacy Rule was issued by the U.S. Department of Health and Human Services (HHS) to implement requirements outlined in the HIPAA legislation. The rule establishes standards for the use and disclosure of individuals' protected health information (PHI) by covered entities. Its purpose is to protect PHI while allowing the information sharing needed to promote quality health care and protect the public. The Privacy Rule applies to all covered entities and, through the HITECH Act and the 2013 Final Rule, to business associates as well.

Protected health information (PHI) is "individually identifiable health information" held or transmitted by a covered entity or business associate in any form. This includes information about an individual's past, present, or future physical or mental health condition, the health care provided to the individual, or payment for that care, when the information identifies the individual or is combined with demographic information (name, address, Social Security Number, birthdate) that could reasonably be used to identify them. PHI under HIPAA does not include employment records maintained by a covered entity in its role as an employer, nor education records covered by the Family Educational Rights and Privacy Act (FERPA). The intersection between FERPA and HIPAA is discussed in Real-Life Intersections With HIPAA.

The use or disclosure of de-identified health information is not restricted under HIPAA. Health information counts as de-identified in one of two ways: a qualified expert (typically a statistician) formally determines that the risk of re-identifying an individual is very small, or the covered entity removes all of a specified list of identifiers of the individual and of their relatives, household members, and employers (the "safe harbor" method) and has no actual knowledge that the remaining information could identify the individual. You can find out more about ways to de-identify documents at this HHS resource.

Disclosures. PHI can be used or disclosed only in the circumstances the HIPAA Privacy Rule permits or requires. Covered entities are required to disclose PHI to the individual (or their personal representative) upon request and to HHS when it is performing a compliance investigation or other enforcement action. PHI may also be used or disclosed for treatment, payment, and health care operations. Where the individual is given an opportunity to agree or object, PHI may be shared on that basis; if the individual is incapacitated, in an emergency, or otherwise unavailable, the covered entity may decide to use or disclose based on its professional judgment. Covered entities can rely on such informal permission to share information with the individual's family, relatives, friends, or other persons directly involved in the individual's care or payment for care. That said, covered entities are encouraged to obtain written authorization from the patient identifying who may receive their PHI.

Information may also be disclosed "in the public interest," which covers disclosures required by law and disclosures necessary (a) to protect public health, (b) to protect victims of abuse, neglect, or domestic violence, (c) to conduct health oversight activities, (d) for judicial or administrative proceedings, and (e) for law enforcement purposes, decedents, organ donation, specific research, serious threats to health and safety, essential government functions, or workers' compensation. Any use or disclosure not permitted or required by the Privacy Rule needs the individual's written authorization. Although not required by the Privacy Rule, written authorization is often recommended for other disclosures as well (e.g., to record which family members or doctors the patient approves for release of information). HHS provides more details on these disclosures in its Summary of the Privacy Rule.

Although the rule allows use and disclosure of information in several circumstances, it also requires that the information shared be the minimum necessary for the purpose. Covered entities must make reasonable efforts to limit uses, disclosures, and requests to the minimum amount of PHI needed to accomplish the intended purpose; this standard does not apply to disclosures for treatment, to the individual, or under an authorization. HHS provides additional information on the Minimum Necessary Requirement.

Covered entities must provide a Notice of Privacy Practices describing the ways in which information may be used or disclosed and the individual's rights. The notice must also explain how an individual can submit a complaint to HHS and to the covered entity if they believe their rights have been violated. It must be provided to patients no later than the first service encounter, posted in a visible place at the service delivery site, and made available in a format accessible to the individual. If the individual is experiencing an emergency, the covered entity must provide the notice as soon as reasonably practicable after the emergency ends. Direct treatment providers must make a good faith effort to obtain the individual's written acknowledgment that they received the notice, and must document the attempt if acknowledgment cannot be obtained. Many providers ask the patient to sign the acknowledgment before or at the initial session.

Confidential Communications Requirements indicate that covered entities must accommodate reasonable requests from an individual to be contacted by a particular means or at a particular location. This could be a specific mailing address or phone number, or a request that information be sent in a sealed envelope rather than on a postcard.

Record Retention Requirements under HIPAA indicate that a covered entity must retain its privacy policies and procedures, and other documentation the rules require (such as notices, authorizations, and accountings of disclosures), for a minimum of 6 years from the date of creation or the date the document was last in effect, whichever is later. HIPAA itself does not set a retention period for medical records; that is governed by state law.

Minors generally cannot act for themselves under HIPAA; their parents or guardians can review and sign the privacy notice and exercise individual rights on the minor's behalf. For example, parents can request access to medical information and submit a complaint to HHS about a privacy violation involving their minor child. If the parent is not the minor's personal representative under state or other law, that law determines who can act on the minor's behalf. Anyone legally authorized as a personal representative can likewise act for an individual, unless the covered entity has a reasonable belief that the representative may be abusing or neglecting the individual or that treating the person as representative could endanger the individual. HHS provides more information on Personal Representatives.

Right of Access

There are exceptions to various privacy provisions, and additional stipulations for certain organizational entities, available for review in HHS's Summary of the Privacy Rule. For example, when an individual requests access to their records, certain information may be withheld, such as psychotherapy notes, or information that a licensed health care professional determines is reasonably likely to endanger the life or physical safety of the individual or another person. See the summary (linked above) for more information on exceptions and considerations for organizational entities.

See also: HHS Summary of the Privacy Rule [PDF]

Security Rule

The Security Rule was developed by HHS to regulate protections and security of specific health information transmitted by covered entities. The Security Rule applies only to electronic protected health information (ePHI)—unlike the Privacy Rule, which applies to all forms of PHI, including oral, paper, and electronic.

The Security Rule consists of the following three parts:

  • Administrative safeguards—includes items such as assigning a security officer and providing training.
  • Physical safeguards—includes facility access controls, workstation use and security, and device and media controls (such as secure disposal and re-use of media, and backup of ePHI before equipment is moved).
  • Technical safeguards—addressed in greater detail below.

Find more details about these safeguards in the Security Rule Guidance Material from HHS.

Each standard within the Security Rule includes implementation specifications. Some implementation specifications are required; others are addressable. Addressable means that the covered entity must implement the specification if doing so is reasonable and appropriate in its environment. If it is not, the entity must document why and then either (a) implement an equivalent alternative measure that accomplishes the same purpose or (b) show that the standard can be met without implementing the specification or an alternative.

Note: “Addressable” does not mean that the specification is optional.

Covered entities must do a risk analysis to determine whether they should implement an addressable specification or if an alternative exists. The results of the risk analysis and any decisions made as a result must be documented.

See also: Health Information Technology for Economic and Clinical Health Act (HITECH)

What Types of Information Do I Have to Keep Secure?

Different types of data must be kept secure:

  • data in motion—data moving through a network (e.g., email)
  • data at rest—data that are kept in databases, servers, flash drives, and so forth
  • data in use—data that are in the process of being created, retrieved, updated, or deleted
  • data disposed—data that have been discarded

HIPAA Security Technical Safeguards

Technical safeguards include access control, audit controls, integrity, person or entity authentication, and transmission security.

Access control allows access to ePHI only to those who are granted access rights. Implementation specifications include the following:

  • Assign a unique user identifier to identify and track user activity. (Required)
  • Have procedures in place for getting to ePHI during an emergency. (Required)
  • Set up systems to automatically log off a workstation. (Addressable)
  • Use a system to encrypt and decrypt ePHI. (Addressable)
  • Note: Under the Interim Final Rule [PDF] regarding breach notification (45 C.F.R. Parts 160 and 164), access controls alone do not meet the statutory standard of "rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals" (pp. 42741–42742); therefore, a compromise of access controls that exposes unencrypted PHI would require breach notification. This is in contrast to data encryption that meets the HHS guidance, which does render data unusable: loss or interception of properly encrypted data would not require a breach notification, provided the decryption key was not also compromised.

Audit controls require hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. There are no implementation specifications; the covered entity decides, based on its risk analysis, what to log and how often to review it.

Integrity means that the covered entity must protect ePHI from being improperly altered or destroyed. Implementation specifications include the following:

  • Mechanism to authenticate ePHI—a way to confirm that ePHI has not been altered or destroyed in an unauthorized manner. (Addressable)

Person or entity authentication requires covered entities to verify that a person or system seeking access to ePHI is who or what it claims to be. There are no implementation specifications.

Transmission security requires covered entities to guard against unauthorized access to ePHI that is transmitted electronically. Implementation specifications include the following:

  • Integrity controls—protect electronically transmitted ePHI from being altered without detection. (Addressable)
  • Encryption—encrypt ePHI in transit whenever deemed appropriate. (Addressable)
  • Encryption is the primary method of achieving confidentiality for data in motion and data at rest.
  • Encryption is defined as "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" (Breach Notification Interim Final Rule, 45 C.F.R. Parts 160 and 164, p. 42742).
  • The Security Rule is "technology neutral," so it does not specify encryption algorithms or key lengths. The Advanced Encryption Standard (AES) [PDF] used by the Federal Government uses 128-, 192-, or 256-bit keys.
  • Decryption keys should be stored separately from the encrypted data. If a key is exposed together with the data it protects, the data is no longer considered unreadable and the breach-notification safe harbor for encrypted data does not apply.
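The following Go program is an added example, not code from ASHA or from the original page, showing how the technical safeguards listed above fit together in a small ePHI record store: a unique user identifier on every access, AES-256-GCM encryption at rest whose authentication tag doubles as the integrity check, an audit log that records every access attempt including failures, and a key that is obtained from outside the store rather than kept beside the data. The type and function names (RecordStore, AuditEntry, NewDataKey, and so on), the audit-line format, and the sample patient record are all assumptions made for this example; the Security Rule prescribes none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// EncryptedRecord is all the store keeps per record: nonce plus AES-GCM ciphertext (tag included). No key lives here.
type EncryptedRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// AuditEntry is one audit-control log line (format assumed for this example).
type AuditEntry struct {
	When     time.Time
	UserID   string // unique user identifier (the Required access-control spec)
	Action   string // "store" or "read"
	RecordID string
	OK       bool // false for a failed or rejected access
}

// RecordStore holds ePHI only in encrypted form plus the audit trail; it never holds the key (assume a KMS or HSM does).
type RecordStore struct {
	Records map[string]EncryptedRecord
	Audit   []AuditEntry
}

func NewRecordStore() *RecordStore {
	return &RecordStore{Records: map[string]EncryptedRecord{}}
}

// NewDataKey makes a 256-bit AES key; in production the key holder issues and stores it apart from the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// newGCM builds an AES-GCM AEAD; aes.NewCipher rejects any key that is not 16, 24 or 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func (s *RecordStore) log(userID, action, recordID string, ok bool) {
	s.Audit = append(s.Audit, AuditEntry{time.Now(), userID, action, recordID, ok})
}

// Store encrypts plaintext ePHI under key; recordID is bound as associated data so a ciphertext cannot be moved to another record.
func (s *RecordStore) Store(userID, recordID string, key, plaintext []byte) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.Records[recordID] = EncryptedRecord{nonce, gcm.Seal(nil, nonce, plaintext, []byte(recordID))}
	s.log(userID, "store", recordID, true)
	return nil
}

// Read decrypts a record; the GCM tag check is the integrity control (any alteration makes Open fail) and every attempt is audited.
func (s *RecordStore) Read(userID, recordID string, key []byte) ([]byte, error) {
	rec, found := s.Records[recordID]
	if !found {
		s.log(userID, "read", recordID, false)
		return nil, errors.New("no such record")
	}
	gcm, err := newGCM(key)
	if err != nil {
		s.log(userID, "read", recordID, false)
		return nil, err
	}
	plaintext, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
	if err != nil {
		s.log(userID, "read", recordID, false)
		return nil, fmt.Errorf("integrity check failed for %s: %w", recordID, err)
	}
	s.log(userID, "read", recordID, true)
	return plaintext, nil
}

func main() { // short demonstration on constructed sample ePHI, not real patient data
	key, _ := NewDataKey()
	s := NewRecordStore()
	_ = s.Store("clinician-017", "pt-4421", key, []byte("Jane Doe, DOB 1980-01-02, dx F80.2"))
	pt, err := s.Read("clinician-017", "pt-4421", key)
	fmt.Printf("read %q err=%v, audit entries=%d\n", pt, err, len(s.Audit))
}
```

Two design points are worth noting. Binding the record ID as GCM associated data means an attacker who can write to the database cannot move one patient's ciphertext into another patient's slot without the read failing, and a flipped byte anywhere in the ciphertext or tag is reported as an integrity failure rather than returned as garbled plaintext. Logging the failed reads as well as the successful ones is what makes the audit trail useful for spotting a compromised account or a tampered store.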

The Breach Notification Interim Final Rule cites National Institute of Standards and Technology (NIST) publications that describe valid encryption processes for data at rest and data in motion; consult the rule and the accompanying HHS guidance for the current list.

Significance of PHI

These regulations were enacted to protect patients' health and personal information. As technology has advanced, it has become easier for unauthorized individuals to obtain personal information. Very little personal information is needed to steal someone's identity, so leaking even the most basic identifiers can put a patient at serious risk of identity theft.

Real-Life Intersections With HIPAA

There are many times in which providers will encounter HIPAA regulations even if they do not appear to meet the qualifications of a covered entity. The first instance is in school settings, where Medicaid is billed for services provided to students. In most cases, these interactions fall under FERPA regulations rather than under HIPAA regulations. If a provider is an employee of the school or school district, then they are not considered a HIPAA-covered entity and thus are subject only to FERPA regulations—even if services are being billed electronically to Medicaid. However, if the provider is considered a contractor, not an employee, and they are billing the Medicaid program, then they are considered a HIPAA-covered entity and are subject to both FERPA and HIPAA regulations. The Joint Guidance on the Application of FERPA and HIPAA to Student Health Records provides examples of instances in which an educational agency or institution can be subject to both FERPA and HIPAA regulations. See also FERPA and Coronavirus Disease 2019 (COVID-19) Frequently Asked Questions [PDF].

There are other times in which a clinician who does not bill insurance might be subject to HIPAA regulations. If they communicate directly with the patient’s insurance to ask about their explanation of benefits, prior authorization requirements, health records, or insurance denials, then they are subject to the privacy rule under HIPAA. If these communications occur over a database, email, or other electronic means of communication, then they are subject to the HIPAA Privacy Rule and the HIPAA Security Rule.

The Breach Notification Rule provides guidance on what clinicians must do in case of an information breach. A breach is an acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule. Such an incident is presumed to be a breach, and notification is required, unless a documented risk assessment shows a low probability that the PHI has been compromised. Providers should seek guidance from a lawyer licensed in their state when assessing that risk. Covered entities (providers and health care organizations) must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach, and business associates must notify the covered entity. Breaches affecting 500 or more individuals must also be reported to the HHS Secretary at that time; if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. Smaller breaches are logged and reported to HHS annually.

HIPAA Violations and Penalties

The Interim Final Rule [PDF] on HIPAA Administrative Simplification Enforcement (hereafter, “Enforcement Rule”) was issued on October 30, 2009. It includes categories of violations and tiers of increasing penalty amounts.

Categories of violations include those that

  • occur without the person's knowledge (and that the person would not have known of even by exercising reasonable diligence),
  • have a reasonable cause and are not due to willful neglect,
  • are due to willful neglect but that are corrected quickly, and
  • are due to willful neglect but that are not corrected.

Monetary penalties vary by the type of violation and range from $100 per violation with a yearly maximum fine of $25,000 to $50,000 per violation and a yearly maximum of $1.5 million.

The Final Rule [PDF], published in 2013 (often called the Omnibus Rule), clarifies and extends the Interim Final Rule and revises the definition of a breach: an acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised, based on a risk assessment of at least four factors: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.

The Final Rule removed the earlier "harm standard" and increased civil monetary penalties in general, while directing that penalty amounts take into account the nature and extent of the harm resulting from the violation (including financial and reputational harm) as well as the financial circumstances of the person who committed the violation.

Additionally, the Final Rule addresses other areas of compliance, including the individual's right to receive electronic copies of their information, additional content requirements for notices of privacy practices, and restrictions on the use of genetic information.

Sample HIPAA Forms

ASHA has created a few sample HIPAA templates that providers can download and edit for use in their private practice.

Note: We do not recommend altering the main text. We have highlighted those areas that you can update with your practice information: Make changes only to those highlighted areas.
