HIPAA Privacy Rule

Contributor(s): Kristen Lee

The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, established the first national standards in the United States for protecting patients' protected health information (PHI).

Issued by the United States Department of Health and Human Services (HHS), the rule limits how PHI may be used and disclosed. It seeks to protect patients' privacy -- for example by giving them the right to request an accounting of certain disclosures of their PHI made by a covered entity -- while still allowing health information to flow through the proper channels for treatment, payment and healthcare operations. It also gives patients the right to access and obtain a copy of their own medical records.

Who is covered by and must follow HIPAA?

The HIPAA Privacy Rule applies to organizations that are HIPAA covered entities: health plans, healthcare clearinghouses and healthcare providers that transmit health information electronically in connection with certain standard transactions. In addition, a covered entity that shares PHI with a HIPAA business associate -- a vendor or contractor that creates, receives, maintains or transmits PHI on its behalf -- must have a written business associate agreement that imposes specific safeguards on the PHI the business associate uses or discloses.

What information is protected?

The HIPAA Privacy Rule protects all individually identifiable health information that is held or transmitted by a covered entity or a business associate, in any form -- electronic, paper or oral. The Privacy Rule calls this information protected health information, or PHI.

PHI is information that identifies the individual -- for example name, address, birth date or Social Security number -- or for which there is a reasonable basis to believe it could be used to identify the individual, and that relates to:

  • the individual's past, present or future physical or mental health condition;
  • the provision of healthcare to the individual; or
  • the past, present or future payment for that healthcare.


Two categories of individually identifiable health information are excluded from PHI: education and certain other records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records that a covered entity holds in its role as an employer.

De-identified health information, by contrast, is not PHI, and the Privacy Rule places no restrictions on its use or disclosure. Information is de-identified when it neither identifies an individual nor provides a reasonable basis to identify one; the rule accepts either a formal determination by a qualified statistical expert or the removal of a specified list of identifiers (the safe harbor method).

Administrative requirements

The Privacy Rule lays out administrative requirements that every covered entity must have in place.

These requirements include:

  • A privacy official must be designated who is responsible for developing and implementing the covered entity's privacy policies and procedures.
  • All workforce members -- including volunteers and trainees -- must be trained on those policies and procedures.
  • Appropriate administrative, technical and physical safeguards must be maintained to protect the privacy of PHI held by the covered entity.
  • A process must be in place for individuals to make complaints about the covered entity's policies and procedures or its compliance with them.
  • If PHI is used or disclosed in violation of the Privacy Rule or the entity's own policies and procedures, the covered entity must mitigate, to the extent practicable, any harmful effects it knows of.

HIPAA penalties

HHS' Office for Civil Rights (OCR) enforces the Privacy Rule. Noncompliance uncovered after a healthcare data breach, or a failure to give patients timely access to their PHI, can result in a civil monetary penalty.

Civil penalties are tiered by the level of culpability. The minimum penalty per violation, with the annual cap for violations of an identical provision, is:

  • Did not know, and by exercising reasonable diligence would not have known, of the violation: $100 per violation, up to $25,000 per year.
  • Reasonable cause, not willful neglect: $1,000 per violation, up to $100,000 per year.
  • Willful neglect, corrected within 30 days of discovery: $10,000 per violation, up to $250,000 per year.
  • Willful neglect, not corrected: $50,000 per violation, up to $1.5 million per year.

In every tier the maximum is $50,000 per violation, with an annual cap of $1.5 million for violations of an identical provision. These are the base amounts set by the HITECH Act; OCR adjusts them annually for inflation.

Criminal penalties, prosecuted by the Department of Justice rather than OCR, apply to anyone who knowingly obtains or discloses individually identifiable health information in violation of HIPAA: a fine of up to $50,000 and up to one year in prison.

If the offense is committed under false pretenses, the penalty rises to a fine of up to $100,000 and up to five years in prison. If it is committed with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm, the penalty rises to a fine of up to $250,000 and up to 10 years in prison.

Examples of healthcare organizations penalized under HIPAA include Beth Israel Deaconess Medical Center in Boston, which paid $100,000 to settle with the Massachusetts attorney general after the theft of an unencrypted laptop containing PHI, and Cignet Health in Maryland, which was assessed $4.3 million in civil monetary penalties by OCR for refusing to give 41 patients access to their medical records and for failing to cooperate with OCR's investigation.

This was last updated in December 2016


What technologies does your healthcare organization use to ensure the HIPAA Privacy Rule is not violated?
Hi Margaret, enjoyed reading your post. I'm interested in your questions regarding technologies complying with HIPAA rules. We're a small Canadian start-up in the health insurance space. Managing our clients' data is without a doubt a top priority. We're currently looking at several IT solutions. Any information/guidance as to where to look for more information would be much appreciated, and it might perhaps help others in the same Canadian market space: (1) Is there a HIPAA equivalent in Canada? (2) Is HIPAA recognised/accepted as a good enough standard by Canadian health/data privacy authorities? (3) Is it good enough to counter the fact that some IT service providers might be hosting their data on servers physically located outside Canada? Thank you in advance for the reply. Cheers.