
Health Information and Privacy (HIPAA): Federal

Author: Jayne Zanglein, Western Carolina University

Updating Author: XpertHR Editorial Team


The Health Insurance Portability and Accountability Act of 1996 (HIPAA):

Portability of Health Care Coverage

HIPAA's portability provisions apply to group health plans, including fully insured, self-funded and unfunded plans, if the plan has two or more participants who are active employees. These provisions made it easier for employees to change jobs without risking loss of health insurance coverage, and limited the length of time a health plan could exclude coverage due to a pre-existing medical condition.

The enactment of the Patient Protection and Affordable Care Act of 2010 (PPACA), also known as the Affordable Care Act (ACA), gave employees even better access to health insurance by eliminating pre-existing condition exclusions for all individuals, effective for plan years beginning on or after January 1, 2014. See Health Care Benefits > Prohibitions on Pre-Existing Condition Exclusions.

Special Enrollment Periods

HIPAA requires employers to provide employees and their dependents an opportunity to enroll in the employer's health plan during a special enrollment period. In order to participate in a special enrollment period, the employee and his or her dependents must:

  • Be eligible for coverage under the employer's health plan; and
  • Have declined coverage under the employer's health plan because he or she had coverage elsewhere.

Special enrollment rights can occur when an individual:

  • Loses eligibility for coverage under a group health plan or other health insurance coverage (such as an employee and his or her dependents' loss of coverage under the spouse's plan) or when an employer terminates contributions toward health coverage;
  • Becomes a new dependent through marriage, birth, adoption, or being placed for adoption; or
  • Loses coverage under a State Children's Health Insurance Program (CHIP) or Medicaid, or becomes eligible to receive premium assistance under those programs for group health plan coverage.

Excepted Benefits

Certain types of benefits are exempt from HIPAA's portability and nondiscrimination rules, as well as from the ACA's market reform requirements. These excepted benefits are categorized into four benefit types.

  1. Benefits that are not considered health coverage. Examples of benefits that are not considered health coverage and are always treated as excepted benefits are:
    • Accident-only coverage, including accidental death and dismemberment coverage;
    • Disability-income coverage;
    • Workers' compensation coverage; and
    • Liability insurance.
  2. Limited excepted benefits, such as limited scope dental and vision benefits and benefits for long-term care, nursing home care, home health care or community-based care, must:

    • Be provided under a separate insurance policy; or
    • Not be an integral part of the plan.

    According to final rules released in October 2014, which are applicable to plan years beginning on or after January 1, 2015, limited scope dental and vision benefits and long-term care benefits are not considered an integral part of the plan if:

    • Participants have the right to decline coverage; or
    • The claims for the benefits are administered under a contract separate from claims administration for any other benefits under the plan.

    Benefits provided under a health flexible spending account (FSA) may qualify as a limited excepted benefit if they meet the following conditions:

    • An employer offers other group health plan coverage that is not limited to HIPAA excepted benefits; and
    • The maximum benefit payable to any participant under the FSA must not exceed two times the participant's salary reduction election under the FSA, or, if greater, the amount of the participant's salary reduction election under the FSA, plus $500.
  3. Noncoordinated excepted benefits are benefits that are offered separately, are not coordinated with benefits under another group health plan, and are paid with respect to any event without regard to whether benefits are provided under any group health plan maintained by the same plan sponsor. They include:
    • Coverage for a specified disease or illness, such as a cancer only policy; and
    • Hospital indemnity or other fixed indemnity insurance plans that pay a fixed dollar amount per day (or other period) for hospitalization or illness regardless of the amount of expenses incurred.
  4. Supplemental excepted benefits are benefits that are provided under a separate policy, certificate or contract of insurance and are either:
    • Medicare supplemental health insurance;
    • TRICARE or Civilian Health and Medical Program of the Department of Veterans Affairs (CHAMPVA) supplemental insurance; or
    • Similar coverage that is supplemental to coverage under a group health plan.

The Department of Labor (DOL) issued Field Assistance Bulletin (FAB) No. 2007-04, which provides safe harbor requirements for determining whether coverage qualifies as similar supplemental coverage. According to the guidance, similar supplemental coverage will fall within the safe harbor provisions if it is a separate policy, certificate or contract of insurance and if it satisfies all of the following requirements:

  • Independent of Primary Coverage. The supplemental policy, certificate or contract of insurance must be issued by an entity that does not provide the primary coverage under the plan. Accordingly, the entities may not be part of the same controlled group of corporations or part of the same group of trades or businesses under common control.
  • Supplemental for Gaps in Primary Coverage. The supplemental policy, certificate or contract of insurance must be specifically designed to fill gaps in primary coverage, such as co-insurance or deductibles, but does not include a policy, certificate or contract of insurance that becomes secondary or supplemental only under a coordination-of-benefits provision.
  • Supplemental in Value of Coverage. The cost of coverage under the supplemental policy, certificate or contract of insurance must not exceed 15 percent of the cost of primary coverage. Cost is determined in the same manner as calculated under a COBRA continuation provision.
  • Similar to Medicare Supplemental Coverage. The supplemental policy, certificate or contract of insurance that is group health insurance coverage must not differentiate among individuals in eligibility, benefits or premiums based on any health factor of an individual or any dependent of the individual.

The October 2014 final rules also cover the four requirements an employee assistance program (EAP) must meet in order to constitute excepted benefits:

  1. The EAP does not provide significant benefits in the nature of medical care. For this purpose, the amount, scope and duration of covered services are taken into account. For example, an EAP that provides only limited, short-term outpatient counseling for substance use disorder services (without covering inpatient, residential, partial residential or intensive outpatient care) without requiring prior authorization or review for medical necessity does not provide significant benefits in the nature of medical care. At the same time, a program that provides disease management services (such as laboratory testing, counseling and prescription drugs) for individuals with chronic conditions, such as diabetes, does provide significant benefits in the nature of medical care.
  2. Benefits cannot be coordinated with the benefits under another group health plan. Participants in the other group health plan must not be required to use and exhaust benefits under the EAP (making the EAP a "gatekeeper") before an individual is eligible for benefits under the other group health plan. Also, participant eligibility for benefits under the EAP must not be dependent on participation in another group health plan. EAP benefits may, however, be financed by another group health plan without losing excepted benefit status.
  3. No employee premiums or contributions may be required as a condition of EAP participation.
  4. The EAP may not impose any cost-sharing requirements.

In March 2015, final rules were released that amend the definition of excepted benefits to include certain limited coverage that wraps around individual health insurance policies (including basic health plan coverage for low-income individuals established under the ACA) or multistate health plans. Five requirements must be met:

  • The limited wraparound coverage must be specifically designed to provide meaningful benefits (e.g., coverage for expanded in-network medical clinics or providers, reimbursement for the full cost of primary care, coverage of the cost of prescription drugs not on the primary plan's formulary).
  • The annual cost of coverage per individual may not exceed the greater of:
    • The maximum permitted annual salary reduction toward a health FSA; or
    • Fifteen percent of the cost of coverage under the employer's primary plan.
  • Coverage may not discriminate based on any health factor, include a preexisting condition exclusion or discriminate in favor of highly compensated individuals.
  • An individual may not be simultaneously enrolled in wraparound coverage and an excepted benefits health FSA.
  • Plan sponsors offering wraparound coverage must file reports with the Department of Health and Human Services (group health plans) or the Office of Personnel Management (self-insured or multistate plans).

The availability of excepted benefits status for wraparound coverage is limited. Wraparound coverage must start no earlier than January 1, 2016, and no later than December 31, 2018. The coverage must end the later of:

  • Three years after the date wraparound coverage is first offered; or
  • The date on which the last collective bargaining agreement relating to the plan terminates after the date wraparound coverage is first offered (determined without regard to any extension agreed to after the date the wraparound coverage is first offered).

Nondiscrimination Rules

HIPAA's nondiscrimination rules prohibit discrimination based on individual health factors. Individuals may not be denied eligibility for benefits, excluded from coverage or charged higher premiums based on individual health factors, such as:

  • Health status;
  • Physical and mental conditions;
  • Claims experience;
  • Receipt of health care;
  • Health history;
  • Genetic information;
  • Evidence of insurability, including conditions arising from domestic violence; and
  • Disability.

Similarly Situated Employees

HIPAA's nondiscrimination rules require that similarly situated individuals be treated the same when determining:

  • Eligibility for benefits;
  • The level of benefits provided; and
  • Premiums.

Similarly situated individuals are alike in all relevant ways for the purpose of making employment decisions. Examples of similarly situated individuals include all:

  • Full-time employees;
  • Part-time employees; and
  • Employees located in the same geographic location.

Practical Example

Acme Financial Services maintains a group health plan insured by All-American Insurance Company. As part of the annual renewal process, All-American reviews the claims experience of plan participants in order to determine a new premium. All-American discovers that one of the plan participants, Abby, had significantly higher claims experience than similarly situated individuals in the plan. All-American quotes the plan a higher per-participant rate because of Abby's claims experience.

This is permissible because All-American is charging a higher premium for all participants in the plan, not just Abby.

If All-American had quoted one rate for Abby and a lower rate for other plan participants, this would have violated HIPAA's nondiscrimination rules.

Alternatively, group health plans are permitted to treat individuals with adverse health factors more favorably than individuals without adverse health factors. This may be done in the form of providing continued coverage beyond the normal limits of the plan, charging lower premiums or eliminating co-pays for individuals with adverse health factors.

Practical Example

A health plan's regular co-pay for doctor visits is $60 for all participants, except participants with disabilities, for whom the co-pay is waived. Since individuals with adverse health conditions are treated more favorably than similarly situated individuals, the waiver of the co-pay is permissible.

Benefit Plan Practices

HIPAA's nondiscrimination provisions affect a number of benefit plan practices, including:

  • Eligibility;
  • Benefits and benefit plan changes;
  • Source of injury exclusion;
  • Actively-at-work and nonconfinement provisions; and
  • Wellness programs.

Eligibility

Health plans may not consider individual health factors when determining an employee's eligibility for coverage. For this purpose, eligibility includes:

  • Enrollment;
  • Effective date of coverage;
  • Waiting periods;
  • Benefits;
  • Cost-sharing;
  • Special enrollment periods;
  • Continued eligibility; and
  • Termination of eligibility.

Practical Example

Alfred waived participation in his company's health plan when he was first eligible, but decided to enroll during the company's open enrollment period. At that time, he was informed that he had to take and pass a physical exam before being allowed to participate in the plan. This is not permissible since Alfred's enrollment is being conditioned on his health status.

A health plan may require an employee to take a physical exam, as long as the plan does not use the information obtained during that physical to either exclude the employee from plan coverage or charge the employee more for health insurance than other employees.

Benefits and Benefit Plan Changes

HIPAA does not require group health plans to provide any particular benefits, but it does require that any benefits provided be made available to similarly situated individuals.

Health plans are allowed to limit or exclude coverage of specific diseases or types of treatment as long as this exclusion is applied equally to all similarly situated persons.

The ACA required plans to phase out annual and lifetime dollar limits on essential health benefits for plan years beginning on or after January 1, 2014. See Health Care Benefits > Prohibitions On Annual and Lifetime Limits for Essential Health Benefits.

Health plans may make changes to the benefits and coverage levels they provide, but should ensure that there is an appropriate process in place so that these changes do not violate HIPAA's nondiscrimination rules. Changes to group health plans should be made in conjunction with the annual benefit planning process, so as not to appear to be directed at a particular individual.

Source of Injury Exclusion

A group health plan may not deny eligibility or charge higher premiums for coverage due to participation in high-risk activities, such as bungee jumping, hang gliding, horseback riding or motorcycle riding. The plan may, however, exclude coverage for treatment of injuries that result from participation in such activities (a source of injury exclusion).

Group health plans that provide coverage for treatment of injuries may not exclude treatment for injuries resulting from physical or mental conditions or for injuries resulting from domestic violence.

Actively-At-Work and Nonconfinement Provisions

In general, group health plans may not delay eligibility or charge higher premiums based on whether or not an individual is actively at work or because an individual is confined to a hospital. If health coverage starts on the first day of employment, the health plan is allowed to require an employee to show up for work in order to be covered.

Practical Example

Candace is 15 and is in the hospital with pneumonia when she becomes eligible to enroll in her mother's health plan. The health plan informs Candace's mother that it will not enroll Candace immediately, but agrees to enroll her as soon as she is discharged from the hospital.

This is a violation of HIPAA's nondiscrimination rules. Coverage under the health plan may not be delayed because Candace is confined to the hospital.

Wellness Programs

An exception to HIPAA's nondiscrimination rules allows group health plans to offer different benefits and charge different premiums as an incentive to participate in a wellness program. If the incentive offered is to recognize participation in the wellness program, group health plans are allowed to vary benefit offerings, impose different cost sharing requirements, including different deductibles and co-payments, and may even charge different contribution rates to individuals who participate in the wellness program.

A plan may impose certain wellness conditions on employees without violating HIPAA's nondiscrimination rules. For example, a plan may give a premium discount to all employees who take a cholesterol test if all plan members who take the test receive the discount. As long as the incentive offered does not require participants to meet a specific standard related to a health factor, or if no reward is offered at all, the program complies with HIPAA's nondiscrimination requirements.

Examples of these types of participation-based programs include:

  • Reimbursing employees for the cost of membership in a fitness center;
  • Reimbursing participants for the cost of a smoking cessation program, as long as the reimbursement is not contingent on whether or not the participant quits smoking; and
  • Rewarding a participant who attends a monthly health seminar.

If the program uses an incentive to recognize and reward achievement of a specific health standard, five conditions must be met:

  1. In general, the reward may not exceed 30% of the cost of employee-only coverage. If dependents participate in the wellness program, the reward may not exceed 30% of the cost for coverage in the category in which the employee and dependents are enrolled. This amount increases to 50% to the extent the program is designed to prevent or reduce tobacco use.
  2. The program must be designed to promote health or prevent disease.
  3. Participants must be able to qualify for the reward at least annually.
  4. The reward must be available to all similarly situated individuals, and a reasonable alternative standard for obtaining the reward must be made available.
    • For activity-only wellness programs, a reasonable alternative standard must be provided to any individual for whom it is:
      • Unreasonably difficult due to a medical condition to satisfy the existing standard; or
      • Medically inadvisable to satisfy the existing standard.
    • For outcome-based wellness programs, a reasonable alternative standard must be provided to all individuals who do not meet the initial standard to ensure that the program is reasonably designed to improve health and is not a subterfuge for underwriting or reducing benefits based on health status.
  5. The terms of the plan, including eligibility requirements, standards and rewards, and a notice of availability of reasonable alternatives, must be disclosed to eligible participants.

See Health Care Benefits > Wellness Plans.

In May 2016, the Equal Employment Opportunity Commission (EEOC) published final regulations that provide guidance on how an employer's wellness program can comply with the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), consistent with HIPAA as amended by the Affordable Care Act (ACA). However, in December 2017, a federal court issued an order vacating the portion of the rules related to incentives, effective January 1, 2019. The rest of the rules remain in effect. The EEOC is expected to issue new regulations in December 2019.

The ADA and GINA final rules apply to all wellness programs, whether or not they are part of a group health plan, while HIPAA applies only to wellness programs that are part of a group health plan.

For additional information on the ADA final rule, please see Disabilities (ADA): Federal, and for additional information on the GINA final rule, please see EEO - Discrimination: Federal.

Medical Privacy Under HIPAA

The Standards for Privacy of Individually Identifiable Health Information, more commonly known as the Privacy Rule, set standards for the protection of an individual's medical information while also allowing the flow of information necessary to provide high quality health care.

The Privacy Rule provides standards for:

  • The use and disclosure of protected health information (PHI); and
  • Individuals' privacy rights so individuals know and understand how their health information is being used.

Protected Health Information

Individually identifiable health information that is maintained or transmitted by a covered entity or its business associate in any form - electronic, oral or written - is considered PHI, and includes demographic data that relates to:

  • An individual's past, present or future physical or mental health or condition;
  • Health care provided to the individual; or
  • The past, present or future payment for health care that identifies the individual.

Individually identifiable health information includes common identifiers, such as an individual's name, address, date of birth and Social Security number.

De-Identified Health Information

De-identified health information does not identify or provide a reasonable basis to identify an individual. Accordingly, there are no restrictions on the use of de-identified health information.

Individually identifiable health information can be de-identified by removing specified identifiers of the individual, the individual's relatives, the individual's household members and the individual's employer. Examples of common identifiers that can be removed in an effort to de-identify information include:

  • Names, addresses, dates of birth and Social Security numbers;
  • Telephone numbers, fax numbers and email addresses;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Medical device identifiers and serial numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images or any comparable images.

De-identified information is only appropriate if the covered entity has no means of using the remaining information to identify the individual.
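The de-identification step described above, as an added code example written for this page (it is not code from the article, from XpertHR or from HHS): it drops the identifier categories the article lists from a structured record and then scans the remaining free text for identifier-shaped strings, since the result is only usable as de-identified information if nothing left behind can identify the individual. The field names, the regular expressions and the sample record are constructed assumptions, and the article's list of identifiers is illustrative rather than complete.

```python
# Added example for this page (not code from the article or from HHS).
# It removes the identifier categories the article lists from a structured
# record, then scans what remains for identifier-shaped strings, because a
# record is only usable as de-identified data if nothing left behind can
# identify the individual. Field names, regexes and the sample record are
# constructed assumptions; the article's list is illustrative, not complete.
import re
from copy import deepcopy

# Field names assumed to hold the identifier categories from the article.
IDENTIFIER_FIELDS = {
    "name", "address", "date_of_birth", "ssn",          # common identifiers
    "phone", "fax", "email",                            # contact details
    "medical_record_number", "beneficiary_number",      # plan/record numbers
    "account_number", "device_serial",                  # account and device ids
    "fingerprint_hash", "voiceprint_id", "photo_uri",   # biometrics and images
}

# Identifier shapes that commonly survive inside free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d+\b", re.IGNORECASE),
}


def deidentify(record):
    """Return a copy of the record with every identifier field dropped."""
    return {k: deepcopy(v) for k, v in record.items() if k not in IDENTIFIER_FIELDS}


def residual_identifiers(record):
    """List (field, kind, text) for identifier-shaped strings still present."""
    hits = []
    for field_name, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in RESIDUAL_PATTERNS.items():
            for match in pattern.finditer(value):
                hits.append((field_name, kind, match.group(0)))
    return hits


def redact_residuals(record):
    """Replace residual identifier text with a labelled marker."""
    out = dict(record)
    for field_name, kind, text in residual_identifiers(record):
        out[field_name] = out[field_name].replace(text, f"[{kind.upper()} REMOVED]")
    return out


def release_candidate(record):
    """Strip identifier fields; report whether the result is clean enough to release."""
    clean = deidentify(record)
    return len(residual_identifiers(clean)) == 0, clean


# Constructed sample record; no real person or data.
SAMPLE_RECORD = {
    "name": "Abby Example",
    "address": "1 Example Way, Springfield",
    "date_of_birth": "1980-04-12",
    "ssn": "123-45-6789",
    "phone": "555-010-2000",
    "email": "abby@example.invalid",
    "medical_record_number": "MRN 4481",
    "diagnosis_code": "E11.9",
    "visit_year": 2023,
    "notes": "Follow-up scheduled; patient callback at 555-010-2000.",
}

if __name__ == "__main__":
    ok, clean = release_candidate(SAMPLE_RECORD)
    print("clean after field removal:", ok)        # False: phone number in notes
    print("residuals:", residual_identifiers(clean))
    print("after redaction:", redact_residuals(clean))
```

The sample deliberately carries a phone number inside the free-text notes: dropping the structured identifier fields alone leaves the record re-identifiable, which is the failure the second pass is there to catch before anything is treated as de-identified.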

Covered Entities

Under the Privacy Rule, three specific groups are considered covered entities:

  1. Health care providers, such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies;
  2. Individual and group health plans that provide or pay the cost of medical care, including:
    • Health insurance companies;
    • Health maintenance organizations (HMOs);
    • Employer-sponsored health plans, inclusive of medical, prescription drug, dental and vision plans; and
    • Government programs, such as Medicare, Medicaid and military and veterans' health care programs; and
  3. Health care clearinghouses that process health information received from a third party from a nonstandard format to a standard format or vice versa. A billing service that is responsible for processing data into a standardized format is an example of a health care clearinghouse.

Employer Responsibilities

HIPAA does not specifically apply to employers when they are functioning in the role of employer; however, if an employer sponsors a health care plan for its employees, it may be required to comply with the Privacy Rule since the health plan is a covered entity.

A group health plan with fewer than 50 participants that is administered solely by the employer is not a covered entity and is exempt from the Privacy Rule requirements. For this purpose, participants include employees who are eligible to enroll in the plan, not just those who are enrolled.

Compliance with HIPAA does not affect the employer's ability to use an individual's health information in order to comply with the Occupational Safety and Health Act, the Family and Medical Leave Act, the Americans with Disabilities Act and workers' compensation laws.

In addition, HIPAA does not interfere with an employer's rights with respect to drug screening, fitness-for-duty tests and workplace medical surveillance of nuclear, chemical and biological workers, and does not affect an employer's right to manage sick leave or disability programs.

Business Associates

A business associate is a third party that performs services on behalf of a covered entity involving the use and disclosure of PHI. The definition of business associate includes subcontractors of business associates, and their subcontractors, that create, receive, maintain or transmit PHI when performing services for the business associate. Activities performed by a business associate may include:

  • Claims processing;
  • Billing services;
  • Legal, accounting or consulting services;
  • Utilization reviews; and
  • Data analysis.

Attorneys, actuaries, consultants, accountants and third party administrators may be business associates.

Covered entities that use business associates to provide services should be aware of their responsibilities regarding access to and disclosure of PHI through that relationship and must enter into a written contract that assures that the business associate will safeguard and restrict the use and disclosure of PHI.

The business associate contract safeguards PHI and must include:

  • A description of the permitted and required uses of PHI by the business associate;
  • Language that prohibits the business associate from using PHI in a manner not authorized by the contract; and
  • Requirements imposed on the business associate to adopt safeguards to prevent the improper use and disclosure of PHI.

A covered entity that becomes aware of a business associate who has committed a material breach of contract or is operating in violation of the contract must take reasonable steps to correct the breach or violation.

If the covered entity is unable to correct the breach or violation, it must terminate the business associate contract. If the covered entity is unable to terminate the contract, it is required to notify the Department of Health and Human Services (HHS).

Administrative Responsibilities

The Privacy Rule provides for additional administrative requirements relative to policy development and implementation, documentation and personnel responsibilities. Compliance with HIPAA's administrative requirements may vary depending on the size of the organization and the nature of the business, but, in general, covered entities should:

  • Designate a privacy officer who is responsible for developing, implementing and enforcing privacy policies and procedures;
  • Designate a contact person who is responsible for receiving and documenting complaints and providing information on compliance with privacy practices;
  • Establish written privacy policies and procedures that are reasonably tailored to the employer's access to, and use and disclosure of, PHI;
  • Provide and document annual training on privacy policies and procedures to individuals who deal with PHI;
  • Mitigate the harm associated with the unauthorized use and disclosure of PHI in violation of privacy policies and procedures;
  • Ensure that reasonable and appropriate physical, technical and administrative safeguards are in place to protect the privacy of PHI;
  • Have procedures in place for individuals to complain about noncompliance with privacy policies and procedures;
  • Not retaliate against individuals who exercise their rights under the Privacy Rule, including individuals who file a complaint or participate in an investigation;
  • Not require individuals to waive their rights under the Privacy Rule in order to obtain treatment or payment, enroll in a health plan or become eligible for benefits; and
  • Document and retain privacy policies and procedures, privacy notices, dispositions of complaints and any other documentation required by the Privacy Rule for six years after the later of the date of creation or last effective date.

Guidelines for Use and Disclosure of PHI

A major provision of the HIPAA Privacy Rule is to limit the circumstances under which a covered entity may transmit, use or disclose PHI. In general, a covered entity may use or disclose PHI in two situations:

  1. The use or disclosure is specifically permitted or required under the Privacy Rule; or
  2. The affected individual provides written authorization.

The individual may rescind this permission by notifying the covered entity of this decision.

In addition, there are two situations in which covered entities are required to disclose PHI. When:

  1. An individual or a designated representative of the individual requests access to, or an accounting of, all disclosures related to the individual's PHI; and
  2. HHS requests this information as part of a compliance investigation or review.

Permitted Uses and Disclosures of PHI

Under certain circumstances, covered entities are allowed to use and disclose PHI without obtaining authorization from a covered individual. Some situations in which this may occur are when:

  • PHI is released directly to the individual;
  • PHI is used for treatment, payment and ongoing health care operations;
  • It is necessary to disclose the PHI to ensure that the treatment being provided is in the best interest of the individual; and
  • The information is used in the best interest of victims of abuse, for law enforcement purposes or for funeral directors, or when it is provided to lessen a serious health threat.

See HHS fact sheets on permitted uses and disclosures for health care operations activities and treatment.

HIPAA recognizes the integral role family members, such as spouses, often play in a patient's care. In September 2014, HHS announced that a spouse includes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory or foreign jurisdiction (as long as the marriage performed in a foreign jurisdiction would be recognized in a US jurisdiction). The term marriage includes both same-sex and opposite-sex marriages, and family member includes dependents of those marriages. All of these terms apply to individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage (in other words, the state of celebration rule applies, rather than place of residence). This puts HIPAA in line with the US Supreme Court's 2013 United States v. Windsor decision, which struck down the portion of the Defense of Marriage Act providing that federal law recognizes only opposite-sex marriages. HHS intends to issue additional clarifications to address same-sex spouses as personal representatives under the Privacy Rule.

Note that the Supreme Court has since legalized same-sex marriage nationwide. The Court ruled that the 14th Amendment requires a state to: (1) license a marriage between two people of the same sex; and (2) recognize a marriage between two people of the same sex when their marriage was lawfully licensed and performed out of state. See Obergefell v. Hodges, 2015 U.S. LEXIS 4250 (U.S. June 26, 2015).

Minimum Necessary Disclosure

Under the minimum necessary disclosure requirements, covered entities need to make reasonable efforts to limit requests for PHI to the minimum amount of information necessary to accomplish the intended purpose of the use, disclosure or request. Generally, a covered entity should not request complete medical files unless it justifies that the whole file is necessary for the purpose.

Exceptions to the minimum necessary disclosure requirements include:

  • Disclosures to, or requests made by, a health care provider for treatment;
  • Uses or disclosures made to the individual who is the subject of the disclosure, or his or her personal representative;
  • Uses or disclosures made according to an authorization;
  • Disclosures made to the Secretary of HHS (Secretary) for complaint investigation or compliance review;
  • Uses or disclosures that are required by law; and
  • Uses or disclosures required for HIPAA compliance.

Covered entities should have a policy that identifies employees who need access to PHI in order to do their jobs and should ensure that only those employees have access to such information.

Disclosure to Plan Sponsors

Group health plans and health insurers are allowed to disclose certain PHI to the plan sponsor, including:

  • Whether an individual participates in the group health plan or is enrolled with a health insurer or HMO;
  • Summary health information for the plan sponsor to use in obtaining premium bids or in making decisions to amend or terminate the group health plan; and
  • Information necessary to perform administrative functions.

Use of PHI for Marketing

Marketing is defined as communicating information about a product or service that encourages consumers to purchase or use the product or service. Exceptions to this definition include communications:

  • Describing health-related products or services;
  • About changes to the health plan and to the participating provider network; and
  • For coordination of care for the individual to ensure the best treatment is provided.

If a covered entity is communicating PHI under one of these exceptions, it is not necessary to obtain the individual's authorization. Below are some examples of permissible communications in marketing.

  • An insurer sends out a newsletter about its free nutrition services.
  • A hospital uses its patient list to announce the opening of a new cardiac center.
  • A pharmacy calls a customer to remind her that her prescription is ready to be refilled.
  • A hospital shares medical records with nearby nursing homes in order to make a recommendation for a transfer to a nursing home.

When a covered entity discloses PHI to another company for use in marketing, usually in exchange for some form of remuneration, it is necessary to obtain prior authorization.

Practical Example

A pharmaceutical company purchases a list of patients from a hospital for $5,000, and uses that list to mail out coupons for its new drug. The hospital violated the Privacy Rule because it did not obtain consent from its patients prior to releasing this information.

Privacy Practices Notice Requirements and Individual Rights

The Privacy Rule requires a covered entity to provide individuals with a notice of its privacy practices. The notice of privacy practices should be written in plain language and must include:

  • The individual's rights, such as the right to complain to either the covered entity or to HHS and how to file such complaints;
  • The covered entity's duties with respect to protecting privacy;
  • A description of how the covered entity is allowed to use and disclose PHI;
  • Contact information of individuals from whom additional information can be obtained; and
  • The effective date of the notice.

Health plans are required to distribute the privacy practices notice to new enrollees upon enrollment in the health plan. In addition, the plan must remind plan participants that the notice is available upon request. This reminder must be sent to plan participants at least once every three years. Covered entities that use a website to communicate benefits information must post the privacy notice there as well.

Under the Privacy Rule, individuals have the right to:

  • Inspect and copy their PHI;
  • Request to have PHI amended or supplemented in an effort to ensure accuracy;
  • Obtain an accounting of certain disclosures of PHI;
  • Request that the use of PHI be restricted to certain situations, including the disclosure of PHI for treatment options and disclosure to individuals involved in assisting with the individual's health care;
  • Request that health care communications be sent to an alternate address or be provided by alternative means; and
  • Revoke prior authorizations.

In February 2016, the HHS published guidance on an individual's right to access his or her PHI. Individuals have a right to access a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; clinical case notes; and other information used to make decisions about the individual. However, a covered entity is not required to create new information, such as explanatory materials or analyses, that does not already exist.

An individual is not entitled to access: information that is not used to make decisions about the individual, such as quality assessment or improvement records, patient safety activity records or business planning; psychotherapy notes that are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, which are maintained separately from the rest of the patient's medical record; and information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding.

The PHI generally must be provided in the form and format requested by the individual (e.g., on paper, electronically), if it is readily producible in that form and format; in the manner requested (e.g., mail, email); and within 30 calendar days of the request.

An individual may request to have his or her PHI directly transmitted to another person or entity. The request must be in writing, be signed by the individual and clearly identify to whom and where the information should be sent.

A covered entity may charge a reasonable, cost-based fee for providing the PHI. The fee may include only the cost of certain labor, supplies and postage:

  • Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual (e.g., photocopying; scanning; transferring to a CD, USB drive or other portable media), once the PHI has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied. Labor for copying does not include costs associated with reviewing the request for access, searching for and retrieving the PHI, and segregating or otherwise preparing the PHI.
  • Supplies may include paper, toner or portable media.
  • Postage applies only if the individual requested that the PHI be mailed.

An individual has the right to request that information be sent by unencrypted email or in another unsecure manner. The covered entity is not liable for a breach or disclosure of the information, as long as the individual was warned of and accepted the security risks.

Recordkeeping and Retention Requirements

Covered entities are required to maintain and retain records of privacy policies, procedures, notices, dispositions of complaints and other actions, activities and designations that the Privacy Rule requires to be documented. Each record must be retained for a period of six years from the date of its creation or the date when it was last in effect, whichever is later. See Employee Benefits > Recordkeeping for Employee Benefit Purposes.

Examples of HIPAA Privacy Violations

Violating the HIPAA Privacy Rule carries serious consequences. Some examples of HIPAA privacy violations are:

  • A Boston hospital settled with HHS for $1 million for HIPAA violations relating to the loss of records of 192 patients with infectious diseases, including HIV/AIDS.
  • A hard drive containing the records of 15 million people was stolen from a Connecticut-based health care insurance company. The drive contained names, addresses, PHI, Social Security numbers and financial information. The company spent over $7 million to investigate the theft and notify its members of the security breach. The settlement included two years of credit monitoring for affected individuals and payment of $250,000 to the State of Connecticut.
  • A California health care professional was sentenced to four months in prison for unlawfully accessing the records of his supervisor, his co-workers and various celebrities without a valid reason.

Medical Privacy in Emergency Situations

During a public health or other emergency (e.g., Ebola), covered entities and business associates must continue to comply with the Privacy Rule. The HHS reviewed the application of the Privacy Rule in emergency situations in a November 2014 bulletin.

The Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to PHI that is necessary to carry out their public health mission. Under certain circumstances, covered entities may disclose needed PHI without an individual's authorization. The following are some examples of permissible disclosures:

  • Reporting all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola to a public health authority, such as the Centers for Disease Control and Prevention (CDC);
  • Notifying individuals at risk of contracting or spreading a disease if notification is authorized under another law;
  • Sharing information about a patient as necessary to identify, locate and notify family members, guardians or anyone else responsible for the patient's care, of the patient's location, general condition or death. If the patient is incapacitated or not available to give authorization, the covered entity may use its professional judgment to determine if sharing the information is in the patient's best interest;
  • Sharing PHI with disaster relief organizations, such as the American Red Cross. Obtaining authorization is not necessary if doing so would interfere with the organization's ability to respond to the emergency; and
  • Releasing limited information to the media to acknowledge an individual is a patient and to provide general information about the patient's condition (e.g., critical or stable, deceased, treated and released), unless the patient has objected to or restricted the release of such information or, if the patient is incapacitated, the disclosure is not in the patient's best interest or consistent with the patient's prior expressed preference.

If the President declares an emergency or disaster and the Secretary declares a public health emergency, the HHS may waive sanctions and penalties for noncompliance with the following Privacy Rule provisions:

  • The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care;
  • The requirement to honor a request to opt out of the facility directory;
  • The requirement to distribute a notice of privacy practices;
  • The patient's right to request privacy restrictions; and
  • The patient's right to request confidential communications.

Such waivers would only apply:

  • In the emergency area and for the emergency period identified in the public health emergency declaration;
  • To hospitals that have instituted a disaster protocol; and
  • For up to 72 hours from the time the hospital implements its disaster protocol. The waiver ends when the declaration terminates, even if 72 hours have not elapsed.

HIPAA's Security Rule

HIPAA's Security Rule attempts to ensure the security of electronic protected health information (ePHI) through the use of both technical and nontechnical safeguards. The purpose of the Security Rule is to protect ePHI while allowing covered entities to adopt new technologies to manage health care treatment.

The Security Rule applies only to electronically transmitted or stored PHI (not to oral or written PHI) and generally requires covered entities to maintain administrative, physical and technical safeguards for protecting ePHI. The Security Rule specifically requires covered entities to:

  • Ensure the confidentiality, integrity and availability of all ePHI that they create, receive, maintain or transmit;
  • Identify and protect against any reasonably anticipated threats to the security or integrity of ePHI;
  • Protect against any reasonably anticipated impermissible uses or disclosures of ePHI; and
  • Ensure compliance by their workforce.

The Security Rule applies to covered entities that transmit health information in electronic form. Examples include health plans, health care clearinghouses and health care providers.

Because covered entities range in size from single practitioners to national clearinghouses, the Rule is designed to be scalable and flexible in order to allow covered entities to evaluate their needs and implement appropriate solutions for their environment. When deciding what security measures to use, a covered entity should consider:

  • Its size, complexity and capabilities;
  • Its technical, hardware and software infrastructure;
  • The costs of security measures; and
  • The likelihood and possible impact of potential risks to ePHI.

The Rule is also designed to be technology neutral in order to allow for successful implementation in a rapidly changing technological environment.

The Security Rule is implemented through standards, which explain what must be done, and implementation specifications, which provide instructions for implementing a particular standard. Implementation specifications are either:

  • Required - meaning that the covered entity must implement policies and/or procedures in order to meet the specification's requirements; or
  • Addressable - meaning that the covered entity must assess whether the specification is reasonable and appropriate based on the entity's environment.

If an addressable specification is found to be reasonable and appropriate based on the assessment, the covered entity must implement the specification. Alternatively, if an addressable specification is not considered to be reasonable and appropriate, the covered entity must document the rationale supporting that decision and either:

  • Implement an equivalent measure that is reasonable and appropriate and that would accomplish the same purpose; or
  • Not implement the specification (or an alternative equivalent measure) if the standard can be met in some other way.

Security Standards

Covered entities are required to establish procedures that focus on protecting the confidentiality, integrity and availability of ePHI. This is accomplished through the use of administrative, physical and technical safeguards.

Administrative Safeguards

Administrative safeguards are the administrative actions covered entities must take to ensure the protection of ePHI. These actions include developing policies and procedures and managing the conduct of the covered entity's workforce in relation to the protection of that information. There are a number of standards related to administrative safeguards.

Security Management Process

The Security Management Process standard requires covered entities to implement the policies and procedures necessary to prevent, detect, contain and correct security violations. The required implementation specifications in the Security Management Process are:

  • Risk analysis, which requires covered entities to conduct an assessment of the potential risks to the confidentiality, integrity and availability of ePHI;
  • Risk management, which requires covered entities to implement security measures in order to reduce risk to a reasonable and appropriate level;
  • Sanction policy, which requires covered entities to apply sanctions against workforce members who do not comply with the covered entity's security policies and procedures; and
  • Information system activity review, which requires covered entities to regularly review records of information system activity.

Assigned Security Responsibility

The purpose of the Assigned Security Responsibility standard is to identify who will be operationally responsible for ensuring compliance with the Security Rule. Similar to the requirement to appoint a privacy officer under the Privacy Rule, this standard requires covered entities to appoint a security officer responsible for developing and implementing the required security policies and procedures. There are no separate implementation specifications for this standard.

Workforce Security

The Workforce Security standard requires covered entities to have in place policies and procedures to ensure appropriate access to ePHI and to prevent unauthorized access to ePHI. This standard requires covered entities to provide only the minimum necessary access to ePHI that is required, generally based on job function or responsibility, for a workforce member to do his or her job.

To meet this standard, the covered entity must:

  • Identify workforce members that need access to ePHI in order to perform their job duties;
  • Identify the ePHI that is needed and when it is needed; and
  • Make reasonable efforts to control access to ePHI. This includes identifying computer systems and applications that provide access to ePHI.

The addressable implementation specifications under the Workforce Security standard are:

  • Authorization and/or Supervision provides a system of checks and balances, and requires covered entities to have procedures in place to ensure that workforce members have appropriate access or, in some cases, no access to ePHI.
  • The Workforce Clearance Procedure specification requires covered entities to ensure that workforce members with access to ePHI have appropriate clearances, and to implement procedures to verify that workforce members have the appropriate access for their job function.
  • Termination Procedures require a covered entity to implement procedures for terminating access to ePHI when a workforce member (or other individual) is no longer entitled to have such access.

Information Access Management

This standard reduces the risk of inappropriate disclosure, alteration or destruction of ePHI by requiring covered entities to determine who needs access to ePHI within their environment.

This standard supports a covered entity's compliance with the minimum necessary disclosure requirements under HIPAA's Privacy Rule, which requires covered entities to make reasonable efforts to limit access to and disclosure of PHI to the minimum amount of information necessary to accomplish the intended purpose of the use, disclosure or request.

The Information Access Management standard has three implementation specifications:

  1. The Isolating Health Care Clearinghouse Function is a required specification that applies in situations where a health care clearinghouse is part of a larger organization. In this case, the health care clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from access by the larger organization.
  2. Access Authorization, an addressable specification, requires covered entities to implement policies and procedures that identify who is authorized to grant access privileges in addition to stating the process for granting access.
  3. Access Establishment and Modification, another addressable specification, requires covered entities to establish and manage the creation and modification of an individual's right of access to workstations, transactions, programs or processes, based upon the covered entity's Access Authorization policies.

Security Awareness and Training

Under the Security Awareness and Training standard, covered entities are required to implement a security awareness program for all members of the workforce. The implementation specifications (all addressable) for this standard are:

  • Security Reminders - Requires covered entities to implement periodic security updates;
  • Protection from Malicious Software - Requires covered entities to implement procedures for guarding against, detecting and reporting malicious software;
  • Log-In Monitoring - Requires procedures for monitoring log-in attempts and reporting discrepancies; and
  • Password Management - Requires procedures for creating, changing and safeguarding passwords.

Security Incident Procedures

The Security Incident Procedures standard requires covered entities to address security incidents in their environment and to implement policies and procedures in this regard. This standard addresses how to identify security incidents and report them to the appropriate person.

Response and Reporting, a required implementation specification under the Security Incident Procedures standard, requires covered entities to identify and respond to suspected or known security incidents. This includes mitigating, to the extent possible, harmful effects of known security incidents, and documenting incidents and their outcomes.

Contingency Plan

Contingency planning is designed to establish strategies for recovering access to ePHI in the event of an emergency and/or disruption to critical business operations. This standard requires covered entities to establish policies and procedures for responding to an emergency situation or other occurrence, such as fire, vandalism, system failure and natural disaster, that damages systems that contain ePHI.

The Contingency Plan standard has five implementation specifications, three of which are required and two of which are addressable. The required specifications are:

  • Data Backup Plan - Requires covered entities to establish and implement procedures to create and maintain retrievable copies of ePHI;
  • Disaster Recovery Plan - Requires covered entities to establish and implement, as appropriate, procedures to restore any loss of data; and
  • Emergency Mode Operation Plan - Requires covered entities to establish and implement, as needed, procedures to ensure continuation of critical business functions for the protection of the security of ePHI while operating in emergency mode.

The addressable specifications are:

  • Testing and Revision Procedures - Requires covered entities to implement procedures for periodic testing and revision of contingency plans; and
  • Application and Data Criticality Analysis - Requires covered entities to assess their software applications in an effort to determine how important each one is to patient or business needs.

Evaluation
In order for a covered entity to know if the security plans and procedures it implements adequately protect its ePHI, it must ensure ongoing monitoring and evaluation. This standard does not have any implementation specifications, but does require covered entities to conduct periodic assessments of technical and nontechnical systems to ensure that ePHI is adequately protected and that both systems and policies and procedures remain compliant with the Security Rule.

Business Associate Contracts and Other Arrangements

Under the Security Rule, a covered entity may permit a business associate to create, receive, maintain or transmit ePHI on its behalf, but only if the covered entity obtains satisfactory assurances that the business associate will also comply with the Security Rule and appropriately safeguard the ePHI.

This standard has one required implementation specification that requires a covered entity to document the satisfactory assurances of the business associate, through a written contract or other agreement, that it will appropriately safeguard ePHI. The HHS provides a sample business associate agreement.

Physical Safeguards

Physical safeguards are another line of defense for protecting ePHI and are the physical measures, policies and procedures designed to protect a covered entity's electronic systems and related buildings and equipment. The physical safeguards are intended to protect the confidentiality, integrity and accessibility of ePHI.

There are a number of standards related to physical safeguards. When evaluating and implementing these standards, a covered entity must consider all physical access to ePHI, including access outside of an actual office, such as an employee's home or other location where ePHI is accessed.

Facility Access Controls

This standard requires covered entities to implement policies and procedures that limit physical access to electronic information systems and the facilities in which they are housed while ensuring appropriately authorized access to ePHI is allowed. This standard has four addressable implementation specifications.

  1. The Contingency Operations specification requires covered entities to establish and implement, as appropriate, procedures that maintain physical security and appropriate access to ePHI while still allowing access to a facility for data restoration activities during an emergency.
  2. Under the Facility Security Plan specification, covered entities are required to document the use of physical access controls and must ensure that only authorized individuals are able to access facilities and equipment containing ePHI.
  3. The Access Control and Validation Procedures specification is designed to align an individual's access to information with his or her role or function in the organization. Covered entities are required to implement procedures to control and validate access to facilities based on functions or roles, including visitor control. Covered entities are also required to have procedures in place to control access to software programs for testing and revision.
  4. The Maintenance Records specification requires covered entities to document repairs and changes to the physical aspects of a facility that are related to security. This includes changing locks, installing security devices and conducting routine maintenance checks.

Workstation Use

A workstation is an electronic computing device such as a laptop or desktop computer that has electronic media stored in its immediate environment. Under the Workstation Use standard, covered entities are required to implement policies and procedures that specify the proper functions to be performed by electronic computing devices, and the manner in which the functions are to be performed, regardless of where the workstation is located.

This standard has no implementation specifications, but still must be implemented.

Workstation Security

The Workstation Security standard requires covered entities to implement physical safeguards for workstations that access ePHI in order to restrict access to authorized users. While the Workstation Use standard addresses how workstations should be used and protected, the Workstation Security standard addresses how to physically protect workstations from unauthorized users. Examples include:

  • Office alarm systems;
  • Locked offices that house computers with ePHI; and
  • Security guards.

This standard has no implementation specifications, but still must be implemented.

Device and Media Controls

This standard governs the handling of electronic media, including receipt, removal, backup, storage, re-use, disposal and accountability, and requires covered entities to implement policies and procedures in this regard.

The Device and Media Controls standard has four implementation specifications, two of which are required and two of which are addressable.

  1. Disposal, a required specification, requires covered entities to have procedures in place to address the disposal of ePHI and/or the hardware or other media on which it is stored. When disposing of electronic media containing ePHI, covered entities should ensure that ePHI is unusable and/or inaccessible.
  2. The Media Re-Use specification is also required. Under this specification, covered entities are required to implement procedures to ensure the removal of ePHI from electronic media before it is made available for re-use. This applies to both internal and external re-use of electronic media.
  3. Accountability is an addressable specification that requires covered entities to maintain records documenting the movements of hardware and electronic media.
  4. Data Backup and Storage is also addressable. This specification requires covered entities to create an exact copy of ePHI that is retrievable when needed, before moving equipment.

Technical Safeguards

The Technical Safeguards are the technology and related processes that protect and control access to ePHI. Similar to the Administrative and Physical Safeguards, the Technical Safeguards are implemented through a set of standards and implementation specifications.

Access Control

Access controls provide users of electronic systems with rights and/or privileges to access and perform functions on a covered entity's information systems, applications, programs or files. The Access Control standard requires that controls be in place that enable authorized users to access the minimum amount of information needed to perform their job. Four implementation specifications (two required and two addressable) are associated with this standard.

  1. Unique User Identification, a required specification, requires covered entities to assign a unique name and/or number in order to identify and track user identity. Assigning users a unique user identification allows the covered entity to track user activity when that user is logged into the system and provides a vehicle for holding users accountable for functions performed on systems containing ePHI.
  2. Another required specification, the Emergency Access Procedure, requires covered entities to establish and implement, as appropriate, procedures for ensuring ePHI can be obtained during an emergency.
  3. Automatic Logoff is an addressable specification that requires covered entities to have in place electronic procedures that terminate an electronic session after a predetermined period of inactivity.
  4. Encryption and Decryption, another addressable specification, requires covered entities to implement a mechanism to encrypt and decrypt ePHI.

Audit Controls

The Audit Control standard requires covered entities to implement hardware, software and procedural mechanisms that record and monitor activity in information systems that contain or use ePHI. These controls are useful for recording and examining system activity, and will be helpful when determining if a security violation occurred.

This standard has no implementation specifications, but must still be implemented.

Integrity
A primary goal of the Security Rule is protecting the integrity of ePHI. Accordingly, the Integrity standard requires covered entities to implement policies and procedures to protect ePHI from unauthorized alteration or destruction.

This standard has one addressable implementation specification. Mechanism to Authenticate Electronic Protected Health Information requires covered entities to authenticate that ePHI has not been altered or destroyed in any unauthorized manner.

Person or Entity Authentication

This standard requires covered entities to implement a verification process to ensure that the individual requesting access to ePHI is the person he or she claims to be. Authentication credentials can range from the simple (passwords or personal identification numbers) to the more sophisticated (biometric screenings such as fingerprints). Once credentials are authenticated, the user is given access privileges to perform functions and access ePHI.

There are no implementation specifications for this standard.

Transmission Security

The Transmission Security standard requires covered entities to implement technical security measures to prevent unauthorized access to ePHI that is being electronically transmitted over a network. This standard has two addressable implementation specifications.

  1. The Integrity Controls specification requires covered entities to implement security measures to ensure that electronically transmitted ePHI is not improperly modified during transmission; and
  2. Encryption requires covered entities to implement a mechanism to encrypt ePHI whenever it is considered appropriate.

HIPAA Breach Notification Rule

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), and includes requirements addressing breaches of PHI.

Generally, a breach is the impermissible use or disclosure of PHI in violation of the Privacy Rule that compromises the privacy or security of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or, if applicable, the business associate can demonstrate that there is a low probability that the PHI has been compromised based upon a risk assessment of at least the following four factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

Breach Notification Requirements

A covered entity is only required to provide notification of a breach of unsecured PHI. Unsecured PHI is defined as "PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by the Secretary in guidance."

PHI is not considered unsecured PHI if a covered entity implements the specified technologies and methodologies that render PHI unusable, unreadable or indecipherable. Encryption and destruction are the only two methods that satisfy this requirement.

A covered entity must notify affected individuals no later than 60 days after the discovery of the breach. If a business associate discovers a breach, it must notify the covered entity and identify the affected individuals. The 60-day notice requirement begins when the business associate discovers the breach, not when it notifies the covered entity.

In addition to the individual notice requirements, a covered entity is required to notify the Secretary of a breach and, under certain circumstances, the media.

Individual Notices

A covered entity must notify affected individuals of a breach of unsecured PHI.

Individual notices must be in writing and sent by first-class mail. A covered entity may provide the notice via email if the affected individual has agreed to receive such notices electronically.

If a covered entity does not have sufficient contact information:

  • For 10 or more affected individuals, it may either post the notice on the home page of its website or publish the notice in major print or other broadcast media where the affected individuals likely reside. Both of these alternatives must include a toll-free contact number that must remain active for at least 90 days.
  • For fewer than 10 individuals, it may use an alternative form of providing notice, such as through a phone call.

Individual notices must be provided without unreasonable delay, but in no event later than 60 days following the discovery of a breach. The notice must include, to the extent possible:

  • A brief description of the breach, including the date of the breach and the date the breach was discovered (if known);
  • A description of the types of unsecured PHI involved in the breach;
  • Steps individuals should take to protect themselves from potential harm;
  • A description of what the covered entity is doing to investigate the breach, mitigate harm and prevent future breaches; and
  • Contact information for the covered entity or, if applicable, the business associate, which must include either a toll-free telephone number, an email address, a postal address or a website.

Notice to HHS

A covered entity is required to provide the Secretary with notice of a breach of unsecured PHI via the HHS website by completing and electronically submitting a breach report form. If the breach affects:

  • 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay, but in no event later than 60 days from the discovery of the breach; or
  • Fewer than 500 individuals, a covered entity must provide the Secretary with notice annually, within 60 days of the end of the calendar year in which the breach or breaches occurred.

Notice to the Media

In addition to notifying the affected individuals and the Secretary, if a breach involved more than 500 residents of a state or jurisdiction, a covered entity must provide notice to a prominent media outlet serving that state or jurisdiction. The media notification must be provided without unreasonable delay, but in no event later than 60 days from the date of the discovery of the breach.
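The notification obligations described above (secured versus unsecured PHI, the individual, HHS and media notices, substitute notice, and the 60-day clocks) are the kind of thing an incident response team wants encoded in a checklist rather than recalled under pressure. The helper below is an added example, not part of the original article or any HHS tool; the `BreachFacts` and `NotificationPlan` names and the sample breach values are constructed for illustration, and the "low probability of compromise" flag is assumed to be the documented outcome of the four-factor risk assessment.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTICE_WINDOW = timedelta(days=60)  # "in no event later than 60 days"


@dataclass
class BreachFacts:
    # Discovery date: if a business associate found the breach, its discovery date (the article's rule)
    discovered_on: date
    individuals_affected: int
    secured: bool  # PHI encrypted or destroyed per HHS guidance -> not "unsecured PHI"
    occurred_on: Optional[date] = None  # calendar year of occurrence drives the annual HHS report
    low_probability_of_compromise: bool = False  # result of the four-factor risk assessment
    residents_by_state: Dict[str, int] = field(default_factory=dict)  # state -> affected residents
    individuals_without_contact: int = 0  # people for whom contact information is insufficient


@dataclass
class NotificationPlan:
    required: bool
    individual_notice_by: Optional[date] = None
    hhs_notice_by: Optional[date] = None
    media_notice_states: List[str] = field(default_factory=list)
    substitute_notice: Optional[str] = None


def plan_notifications(b: BreachFacts) -> NotificationPlan:
    """Derive who must be notified, and by when, from the facts of a breach."""
    # No notification duty for secured PHI, or when the risk assessment rebuts the presumption of breach.
    if b.secured or b.low_probability_of_compromise:
        return NotificationPlan(required=False)
    deadline = b.discovered_on + NOTICE_WINDOW  # individual notice: 60 days from discovery
    if b.individuals_affected >= 500:
        hhs_by = deadline  # 500+ individuals: notify the Secretary on the same 60-day clock
    else:
        year_end = date((b.occurred_on or b.discovered_on).year, 12, 31)
        hhs_by = year_end + NOTICE_WINDOW  # fewer than 500: annual log, 60 days after year end
    # Media notice only for states where more than 500 residents are affected.
    media = sorted(state for state, n in b.residents_by_state.items() if n > 500)
    if b.individuals_without_contact >= 10:
        substitute = "website home page or major print/broadcast media; toll-free number active 90+ days"
    elif b.individuals_without_contact > 0:
        substitute = "alternative notice, e.g. telephone"
    else:
        substitute = None
    return NotificationPlan(True, deadline, hhs_by, media, substitute)
```

Run it on a constructed breach (for example 1,200 individuals discovered on 1 March, with 900 North Carolina residents and 12 people lacking contact details) and the plan returns the 30 April individual and HHS deadlines, a media notice for NC only, and the website/media substitute-notice route.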

Enforcement Provisions

The most common criticism of HIPAA is that it has not been strongly enforced. The HITECH Act strengthens HIPAA's enforcement provisions and increases the penalties for HIPAA violations.

The penalty structure under the HITECH Act is based on tiered levels of culpability, each with increasing penalties. See HIPAA Violation Categories and Penalty Amounts.

In addition to civil monetary penalties, individuals who knowingly obtain or disclose PHI may be held criminally liable for HIPAA violations.

The HITECH Act requires HHS to perform periodic audits of covered entity and business associate compliance with HIPAA. A covered entity or business associate may conduct a self-audit using the HHS Audit Protocol.

Health Plan Identifier (HPID)

The health plan identifier (HPID) is a standard, unique identifier established under the Administrative Simplification provisions of the Affordable Care Act. The HPID eliminates the need for multiple identifiers and streamlines HIPAA standard transactions. The HPID identifies health plans and other entities that perform health plan functions, such as third-party administrators and clearinghouses, in HIPAA transactions. HPIDs are obtained online through the Health Plan and Other Entity Enumeration System (HPOES).

A final rule was published in 2012, but on October 31, 2014, CMS announced a delay in enforcement until further notice. The final rule provides for the following:

Controlling health plans with more than $5 million in annual receipts were to obtain their HPIDs by November 5, 2014. Controlling health plans with $5 million or less in annual receipts were to have until November 5, 2015, to get their HPIDs. The full implementation date for all covered plans to use the HPIDs in HIPAA transactions was to be November 7, 2016.

Plans that do not report annual receipts to the IRS can use one of the following proxy measures to determine annual receipts:

  • Fully insured plans should use the amount of total premiums that they paid for health insurance benefits during the plan's last full fiscal year;
  • Self-insured plans (both funded and unfunded) should use the total amount paid for health care claims by the employer, plan sponsor or benefit fund (as applicable) on behalf of the plan during the plan's last full fiscal year; or
  • Plans that provide health benefits through a mix of purchased insurance and self-insurance should combine proxy measures.

A controlling health plan (CHP) is a health plan that:

  • Controls its own business activities, actions or policies; or
  • Is controlled by an entity that is not a health plan, and, if it has a subhealth plan, exercises sufficient control over the subhealth plan to direct its business activities, actions or policies.

A subhealth plan (SHP) is a health plan whose business activities, actions or policies are directed by a CHP. An SHP is eligible, but not required, to get an HPID. However, a CHP may obtain an HPID for an SHP or direct the SHP to obtain one.

A fully insured health plan must obtain an HPID. The health insurance issuer is responsible for getting the HPID for a fully insured CHP. The individual employer plans are considered SHPs to the fully insured CHPs, so the employer is not required to obtain an HPID.

A self-insured health plan must get an HPID if it is a health plan (i.e., an individual or group plan that provides or pays the cost of medical care) and is a CHP. An employer may authorize a third-party administrator to obtain an HPID on its behalf.

A health reimbursement arrangement (HRA) may require an HPID if it meets the definition of a health plan. However, an HRA that covers only deductibles and/or out-of-pocket costs does not require an HPID because it is more like an additional plan benefit than a stand-alone plan.

Flexible spending accounts (FSAs), health savings accounts (HSAs) and cafeteria plans do not require an HPID.

Employers that sponsor multiple-benefit group health plans have the option to obtain either a single HPID for the entire plan or separate HPIDs for each component benefit that would meet the definition of a CHP if it were a separate plan. Group health plans designed so that multiple types of benefits are included in one umbrella plan document are often referred to as a wrap plan.

A CHP must:

  • Disclose an HPID upon request to any entity that needs the HPID to identify the health plan in a HIPAA transaction; and
  • Communicate any changes (e.g., updates, corrections) to its own data to the enumeration system within 30 days of the change.

An SHP with an HPID must comply with the same rules as a CHP.

If a covered entity uses a business associate to conduct HIPAA transactions on its behalf, it must require the business associate to use an HPID to identify a health plan in a transaction.

Entities that are not health plans, health care providers or individuals, but that need to be identified in standard transactions, may, but are not required to, obtain an other entity identifier (OEID). Examples of such entities are third-party administrators, transaction vendors, clearinghouses and other payers.

Future Developments

There are no developments to report at this time. Continue to check XpertHR regularly for the latest information on this and other topics.