HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The act, which was signed into law by President Bill Clinton in August 1996, contains five sections, or titles:
- HIPAA Title I protects health insurance coverage for individuals who lose or change jobs. It also prohibits group health plans from denying coverage to individuals with specific diseases and pre-existing conditions, and from setting lifetime coverage limits.
- HIPAA Title II directs the U.S. Department of Health and Human Services to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.
- HIPAA Title III includes tax-related provisions and guidelines for medical care.
- HIPAA Title IV further defines health insurance reform, including provisions for individuals with pre-existing conditions and those seeking continued coverage.
- HIPAA Title V includes provisions on company-owned life insurance and treatment of those who lose their U.S. citizenship for income tax purposes.
In IT circles, adhering to HIPAA Title II is what most people mean when they refer to HIPAA compliance. Also known as the Administrative Simplification provisions, Title II includes the following HIPAA compliance requirements:
- National Provider Identifier Standard. Each covered healthcare provider, whether an individual practitioner or an organization, must use a unique 10-digit national provider identifier, or NPI, in standard electronic transactions.
- Transactions and Code Sets Standards. Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.
- HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes national standards to protect patient health information.
- HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information requires covered entities and business associates to implement administrative, physical and technical safeguards for electronic protected health information (ePHI), including risk analysis, access controls and audit controls.
- HIPAA Enforcement Rule. This rule establishes procedures for investigating HIPAA compliance violations, sets the civil money penalties that can be imposed and governs the hearings that follow.
In 2013, the HIPAA Omnibus Rule was put in place by HHS to implement modifications to HIPAA required by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, most notably making business associates of covered entities directly liable for compliance with the Security Rule and parts of the Privacy Rule. The omnibus rule also adopted HITECH's tiered civil penalty structure, under which penalties for violations of an identical provision are capped at $1.5 million per calendar year.
HIPAA violations can prove quite costly for healthcare organizations. First, the HIPAA Breach Notification Rule, introduced under HITECH and finalized in the omnibus regulations, requires covered entities to notify affected individuals and HHS following a breach of unsecured protected health information, and to notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction; business associates must notify the covered entity they serve. In addition to the notification costs, healthcare organizations can encounter fines after HIPAA audits mandated by the HITECH Act and conducted by the HHS Office for Civil Rights (OCR). Providers could also face criminal penalties, prosecuted by the Department of Justice, for knowing violations of the HIPAA privacy and security rules.
Organizations can lower their risk of regulatory action through HIPAA compliance training programs. The OCR has six educational programs on complying with the privacy and security rules; a number of consultancies and training groups offer programs as well. Healthcare providers may also choose to create their own training programs, which often encompass each organization's current HIPAA privacy and security policies, the HITECH Act, mobile device management processes and other applicable guidelines.
While there is no official HIPAA compliance certification program, training companies offer certification credentials to indicate an understanding of the guidelines and regulations specified by the act.