What Is HIPAA Law?
By Melissa McCall, J.D. | Legally reviewed by Aviana Cooper, Esq. | Last reviewed September 29, 2023
This article has been written and reviewed for legal accuracy, clarity, and style by FindLaw’s team of legal writers and attorneys and in accordance with our editorial standards.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) ensured that citizens continued to have health coverage when they switched jobs.
HIPAA advanced public health law by providing insurance coverage and safeguards for patients. HIPAA also promoted healthcare efficiency. Before HIPAA, people with chronic illnesses often stayed in their jobs because they feared losing coverage.
The Affordable Care Act (ACA)'s rules on pre-existing conditions replaced HIPAA's guidance. But HIPAA's data privacy and security rules for patient health information remain intact.
The U.S. Department of Health and Human Services (HHS) handles implementing HIPAA. The Office for Civil Rights (OCR) within HHS enforces HIPAA. HIPAA consists of five parts, or "titles." Title I and Title II provide important protections for patients.
- Title I covers access, renewability, and portability of insurance coverage. It protects health insurance coverage for individuals who experience a change in employment. It prohibits coverage denials based on pre-existing conditions. It also prohibits limits on lifetime coverage.
- Title II requires doctors and medical professionals to keep patient medical records confidential. It sets national privacy standards for electronic healthcare transactions and health information. It also safeguards protected health information (PHI).
For most people, the most important part of HIPAA is its privacy provisions. This article examines some of the privacy protections of HIPAA Title II.
HIPAA Title II Overview
HHS created standards under Title II to safeguard medical information stored in electronic form. It also established guidelines on the rules and procedures used by healthcare providers. HHS, through the Office for Civil Rights (OCR), enacted the "Privacy Rule." The OCR implements and enforces the HIPAA privacy rule.
HIPAA Privacy Rule
The privacy rule gives a patient rights over their protected health information. These rights include the right to see and examine copies of their health records. Patients also have the right to correct their record and have it transmitted in electronic form. The privacy rule applies to "covered entities." Covered entities are organizations that transmit health information for the purposes HHS has defined. A few examples of covered entities include:
- Health plans. This includes medical, vision, dental, Medicaid, and Medicare plans.
- Health care clearinghouses. These are organizations that provide information-related services to a health plan.
- Health care providers. This includes providers, such as pharmacies, that send PHI in electronic form.
- Business associates. These entities provide services on behalf of or to a covered entity. These services include the use or disclosure of identifiable health information.
Life insurance companies are not considered covered entities under HIPAA.
Protected Health Information
Protected health information includes common identifiers. Common identifiers are details that can identify a patient, such as name, age, date of birth, or Social Security information. Protected health information covered under the privacy rule also includes the following:
- Any information about a patient's past, present, or future health condition(s). This includes mental health or physical health.
- Any information used to provide healthcare to an individual.
- Any information related to payments to a healthcare professional for providing healthcare. This includes past, present, and future payments for an individual.
Permitted Disclosures
Managing healthcare is complex, requiring collaboration between providers. Healthcare professionals can share protected health information (permitted disclosures) under certain circumstances.
Permitted disclosure includes disclosure of PHI between covered entities for health care operations. Each entity must have had an interaction with the patient. The disclosure must be necessary and concern the relationship between both entities. This may include information a healthcare provider shares with an insurance company.
Permitted disclosures for treatment help providers coordinate care for their patients. The providers must have the patient in common. For example, a surgeon may share post-surgical notes with the patient's regular physician. This allows the physician to continue care.
Privacy Rights
The Office for Civil Rights (OCR) helps patients understand their privacy rights. The OCR also provides guidance to help patients manage their personal health information.
As stated above, these rights include access to your health information and the ability to direct how your PHI is used. Healthcare practices should have a standard notice of privacy practices. These notices describe the practice's privacy practices for patients. The notice should spell out permitted disclosures of protected health information. A mental health practice's notice, for example, may state how it handles psychotherapy notes.
Healthcare providers and other covered entities have a privacy officer who handles HIPAA compliance and ensures adherence to HIPAA rules. Privacy officers are a critical element of any healthcare operation. They may manage health records and ensure health information privacy within their organization. They are also responsible for accounting for disclosures and responding to court orders.
HIPAA's privacy rule protects against unauthorized disclosure of a patient's health information. This includes test results. A patient must consent, in writing, to disclosures. This includes disclosures to family members or a personal representative.
Violations Of HIPAA
If a healthcare provider violates your privacy rights under HIPAA, you have a few options. HIPAA does not include a cause of action to sue providers or covered entities. A patient can potentially file a lawsuit against a doctor under state laws.
Under federal law, a patient can file a complaint with the Office for Civil Rights (OCR) for a HIPAA violation. If that patient wants to file a lawsuit, they will have to look to state laws.
A doctor whose disclosure of a patient's PHI is not permitted may face a lawsuit on one of the following grounds:
HIPAA violations can lead to both civil and criminal federal penalties. The Office for Civil Rights usually handles civil violations. The U.S. Department of Justice handles criminal violations. Civil penalties may include a fine. Criminal penalties will involve law enforcement investigation and possible incarceration.
Have a Legal Question About HIPAA? An Attorney Can Help
Every American has rights under HIPAA to protect their healthcare information. Navigating privacy laws is challenging. Information from the Department of Health and Human Services can help you get started. The best option is to speak to an experienced health care attorney near you.