HIPAA (Health Insurance Portability and Accountability Act)

Contributor(s): Jacqueline Biscobing

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The act, which was signed into law by President Bill Clinton in August 1996, contains five sections, or titles:

  • HIPAA Title I protects health insurance coverage for individuals who lose or change jobs. It also prohibits group health plans from denying coverage to individuals with specific diseases and pre-existing conditions, and from setting lifetime coverage limits.
  • HIPAA Title II directs the U.S. Department of Health and Human Services to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.
  • HIPAA Title III includes tax-related provisions and guidelines for medical care.
  • HIPAA Title IV further defines health insurance reform, including provisions for individuals with pre-existing conditions and those seeking continued coverage.
  • HIPAA Title V includes provisions on company-owned life insurance and treatment of those who lose their U.S. citizenship for income tax purposes.

In IT circles, adhering to HIPAA Title II is what most people mean when they refer to HIPAA compliance. Also known as the Administrative Simplification provisions, Title II includes the following HIPAA compliance requirements:

  • National Provider Identifier Standard. Each HIPAA-covered healthcare provider, whether an individual practitioner or an organization, must obtain a unique 10-digit national provider identifier, or NPI, and use it in standard electronic transactions.
  • Transactions and Code Sets Standards. Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.
  • HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes national standards to protect patient health information.
  • HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information sets standards for patient data security.
  • HIPAA Enforcement Rule. This rule establishes guidelines for investigations into HIPAA compliance violations.
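The NPI standard above fixes the identifier's format, and systems that ingest claims or provider directories usually validate NPIs before trusting them. The following validator is an added example written for this page, not code from the original article: it applies the CMS NPI specification's check-digit rule, under which the tenth digit is a Luhn (mod 10) check digit computed over the first nine digits with the constant issuer prefix 80840 prepended. The sample NPIs in the comments are constructed for this example; 1234567893 is the worked value CMS publishes for the algorithm.

```python
"""Validate National Provider Identifier (NPI) numbers.

Added example for this page, not the article's own code. Format facts come
from the CMS NPI specification: an NPI is exactly 10 ASCII digits, and the
final digit is a Luhn check digit computed over the preceding 9 digits with
the constant prefix 80840 prepended (the prefix makes the NPI a valid 15-digit
ISO 7812 card number). Sample values below are constructed for this example.
"""

LUHN_PREFIX = "80840"  # constant issuer prefix defined by the CMS NPI spec


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 of a digit string; rightmost digit is unweighted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:   # "double-add-double": 14 -> 1 + 4 = 5
                d -= 9
        total += d
    return total % 10


def npi_check_digit(first_nine: str) -> int:
    """Compute the check digit for the first nine digits of an NPI."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("need exactly nine ASCII digits")
    # Luhn over prefix + 9 digits with a placeholder 0 in the check position;
    # the check digit is whatever brings the total to a multiple of 10.
    partial = luhn_checksum(LUHN_PREFIX + first_nine + "0")
    return (10 - partial) % 10


def is_valid_npi(npi: str) -> bool:
    """True iff npi is 10 ASCII digits whose check digit is consistent.

    This only proves the value is well formed; it says nothing about whether
    the NPI is actually assigned to anyone. Treat it as input validation, not
    as provider verification.
    """
    if len(npi) != 10 or not npi.isdigit():
        return False
    return int(npi[9]) == npi_check_digit(npi[:9])


def filter_valid_npis(candidates: list[str]) -> list[str]:
    """Return the subset of candidate strings that pass NPI validation."""
    return [c for c in candidates if is_valid_npi(c)]


if __name__ == "__main__":
    # Constructed sample input: one CMS-documented NPI, one with a bad check
    # digit, one that is too short, and one containing a non-digit.
    sample = ["1234567893", "1234567890", "123456789", "12345678A3"]
    print(filter_valid_npis(sample))  # only the first value survives
```

The check digit catches single-digit typos and most adjacent transpositions, which is the failure mode that matters when an NPI is keyed by hand into a claim; an NPI that passes this check still needs to be matched against an authoritative source (for example the NPPES registry) before it is trusted to identify a provider.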

In 2013, HHS issued the HIPAA Omnibus Rule to implement changes required by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, most notably making business associates of covered entities directly liable for compliance with the Security Rule and applicable parts of the Privacy Rule. The omnibus rule also adopted HITECH's tiered civil penalty structure, with a maximum of $1.5 million per calendar year for all violations of an identical provision.

HIPAA violations can prove quite costly for healthcare organizations. First, the HIPAA Breach Notification Rule, finalized in the omnibus set of regulations, requires covered entities to notify affected individuals following a breach of unsecured protected health information, and to notify HHS and, for large breaches, the media; business associates must notify the covered entity whose data was breached. In addition to the notification costs, healthcare organizations can face civil fines following HIPAA audits mandated by the HITECH Act and conducted by the HHS Office for Civil Rights (OCR), or following an OCR investigation of a complaint or breach report. Providers could also face criminal penalties, prosecuted by the Department of Justice, for knowingly violating the HIPAA privacy and security rules.

Organizations can lower their risk of regulatory action through HIPAA compliance training programs. The OCR has six educational programs on complying with the privacy and security rules; a number of consultancies and training groups offer programs as well. Healthcare providers may also choose to create their own training programs, which often encompass each organization's current HIPAA privacy and security policies, the HITECH Act, mobile device management processes and other applicable guidelines.

While there is no official HIPAA compliance certification program, training companies offer certification credentials to indicate an understanding of the guidelines and regulations specified by the act.

This was last updated in April 2015



What is your organization's top HIPAA compliance concern?
Compliance is pretty difficult when you're a technology company that works with protected information all the time. It's what we do. One difficulty is complying with HIPAA but needing data for product development in lower environments. 
When delinquent borrowers are seeking assistance, FHA requires proof of hardship; for borrowers who fell delinquent due to medical expenses, they require copies of medical bills. Is that a HIPAA violation?
If a family member asks if the patient is being admitted, can you tell them the answer?

