According to the legislation itself, the stated goal of HIPAA was “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”

Although HIPAA is a wide-ranging law that affected many aspects of Americans’ health coverage, it’s often misunderstood as being just about information privacy. That is an important aspect of HIPAA, but there’s a lot more to the law (information privacy falls under the “other purposes” catchall in the goal).

This article will explain what HIPAA does, who it protects, and how those protections have evolved over time.


HIPAA Rules and Regulations

HIPAA is divided into five major sections or titles. Here’s an overview:

Health Care Access, Portability, and Renewability

This section of HIPAA, along with Title IV (application and enforcement of group health plan requirements), was arguably the most important part of the law at the time it was enacted. Without it, workers would have had far fewer consumer protections related to their health benefits.

The Affordable Care Act (ACA) enhanced HIPAA’s provisions and extended them to apply to individual/family (self-purchased) health coverage. So since 2014, HIPAA and ACA protections have provided robust protections to ensure access to health coverage in the U.S.

Preexisting Conditions and HIPAA

HIPAA implemented rules to ensure that an employer-sponsored health plan could not exclude an enrollee’s preexisting conditions indefinitely. Preexisting conditions are those you have before applying for health insurance coverage.

Group health plans were still allowed to exclude preexisting conditions under HIPAA, but only for a maximum of 12 months (or 18 months for people who enrolled after they were initially eligible; note that using a special enrollment period did not count as late enrollment).

This rule allowed people to switch from one employer-sponsored plan to another without going through a preexisting condition waiting period under the new plan.

Guaranteed Issue and Renewability

HIPAA also required all health insurers that offered small group health coverage to make their small group plans guaranteed issue. Guaranteed issue means that a health insurer could not reject a small group due to the medical history of one or more employees or their dependents.

Small group generally meant a plan that covered two to 50 employees, which is still the definition used in most states.

HIPAA also ensured guaranteed renewability for individual/family health coverage (i.e., the coverage that people purchase themselves, unrelated to an employer).

So as long as a person with individual/family health coverage continued to pay their premiums on time and reside within the health plan’s service area, their coverage had to be renewed each year, regardless of medical conditions.

There were exceptions for fraud, misrepresentation, or situations in which the insurer simply stopped offering coverage altogether in that area.

Gaps

In most states, most individual/family health plans were not guaranteed-issue, even for people who were HIPAA-eligible. Instead, most states relied on a carrier of last resort or a high-risk pool to provide a guaranteed-issue option.

For employer-sponsored coverage, there were also various gaps in the HIPAA protections. For example, although small group plans had to be guaranteed-issue, insurers could adjust a group’s total premiums based on the group’s overall medical history.

There were no requirements that employer-sponsored plans offer health coverage at all. And if they did, there were very few federal rules regarding how comprehensive the coverage had to be.

How HIPAA Protects Private Medical Information

Although information privacy is probably the HIPAA provision that’s most well-known, it’s often misunderstood. The COVID-19 pandemic exacerbated this, with some people erroneously believing that businesses asking about a person’s vaccination status were violating HIPAA (they are not).

HIPAA’s protection of personal health information is still something that requires compliance from numerous individuals and entities. Let’s take a look at what HIPAA does to protect a person’s sensitive medical information.

HIPAA Privacy Rule

Under Part C of Title II of HIPAA (the Administrative Simplification section), the legislation directs the Department of Health and Human Services (HHS) to make “detailed recommendations on standards with respect to the privacy of individually identifiable health information.”

This is often the case with legislation; the law enacts a general framework, and then all of the regulatory details are spelled out in subsequent regulations. HHS proposed privacy regulations in 1999, finalized them in 2000, and has issued various modifications and updates to the rules since then.

The regulations created what is known as the HIPAA Privacy Rule. This rule details how protected health information (PHI) must be safeguarded.

PHI is defined in the U.S. Code of Federal Regulations as “individually identifiable health information” transmitted or maintained in electronic or any other format. So it includes medical histories, test results, insurance information, or data that can be used to identify a patient.

However, it excludes information in education records (the HIPAA Privacy Rule generally does not apply to schools), employment records, or about a person who has been dead for more than 50 years.

The HIPAA Privacy Rule limits how, when, and to whom a person’s PHI can be disclosed without the person’s authorization. The rule also allows a person to request their own PHI (and request corrections, if necessary) and authorize its transmittal to someone else.

Entities that are subject to the HIPAA Privacy Rule (covered entities) include:

If a covered entity (or business associate of a covered entity) experiences a data breach in which PHI is compromised, the HIPAA Breach Notification Rule requires the entity to provide notification within 60 days to people whose PHI was improperly accessed.

You Can Be Asked to Provide PHI

A person might choose not to provide the requested information (and might find that they’re denied entry to the business, for example), but HIPAA has nothing to do with this.

HIPAA Security Rule

The purpose of the Security Rule, officially known as “The Security Standards for the Protection of Electronic Protected Health Information,” is to impose safeguards on how electronic PHI is stored, used, and transmitted. The intent is to “ensure the confidentiality, integrity, and security” of electronic protected health information.

The HIPAA Security Rule applies to health plans, healthcare clearinghouses, and medical providers who transmit PHI electronically. The Security Rule clarifies the operational safeguards these entities must take when storing or transmitting electronic PHI to ensure that the Privacy Rule is upheld.

But while the Privacy Rule applies to all types of PHI, including those stored or transmitted orally or on paper, the Security Rule only applies to electronic PHI. Covered entities that run all or most of their records electronically will find a significant overlap between the requirements of the Privacy Rule and the Security Rule.

HIPAA Transactions and Code Set Rules (TCS)

HIPAA’s Administrative Simplification section directs HHS to establish standardized code sets that are used to transmit various medical information, including diagnoses, treatments, health insurance claim status information, etc.

The legislation defines “code set” as a “set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.”

The idea behind this was to make healthcare communication simpler and more streamlined, with all entities using the same code sets and thus able to understand each other easily (albeit with some help from computers that process the code sets).

The following code sets are used to transmit various medical data:

HIPAA Enforcement Rule

The Enforcement Rule was initially finalized in 2006. An updated final rule was issued in 2013, designed to strengthen PHI privacy and security protections, including protections for genetic information.

It modified the existing rules to comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act of 2008 (GINA).

Fines for HIPAA violations can apply to any covered entities (health plans, medical providers, healthcare clearinghouses) and to business associates of any covered entity if they violate HIPAA Privacy or Security Rules or the Breach Notification Rule.

Under the Enforcement Rule, covered entities and their business associates can be subject to fines for intentional or unintentional violations of any of those rules. Financial penalties tend to be used for only the most egregious violations. Lesser violations tend to be resolved with a plan to correct the violation and prevent it in the future.

If OCR determines that a financial penalty is warranted, the penalty structure varies depending on the nature of the HIPAA violation. A four-tier system is used.

The lowest tier is for violations that the entity was unaware of and could not have realistically avoided, even with adherence to HIPAA regulations. The highest tier is for situations that involve willful neglect, with the covered entity doing nothing to prevent or correct the violation.

For the lowest-tier violations, fines are rare. If they are issued, the minimum fine under the HITECH Act was set at $100 per violation, up to a maximum of $50,000. But for the highest tier, the minimum fine was set at $50,000 per violation.

These amounts have been indexed for inflation. The maximum penalties have been adjusted downward for lower-tier violations. In 2021, the inflation-adjusted minimum penalties ranged from $120 to $60,226, depending on the tier. The annual maximum penalty ranges from a little over $30,000 to more than $1.8 million.

Covered Entities

HIPAA’s privacy protections for PHI only apply to covered entities and their business associates. Covered entities include health plans, medical providers, and healthcare clearinghouses.

A healthcare clearinghouse is defined as an entity that processes nonstandard health information to conform to standard requirements, or vice versa. This can include entities such as medical billing services, IT consultants, and community health information systems.

Business associates are defined as individuals or entities that work on behalf of a covered entity and have access to PHI.

Any entity that is not a covered entity (or their business partner) is not subject to HIPAA’s rules protecting PHI. There is a long list of entities that are not subject to these rules. They include employers, schools, law enforcement agencies, businesses, municipal agencies, life insurers, workers’ compensation carriers, etc.

Filing a HIPAA Complaint

Other Rules and Regulations

HIPAA Title III included some important healthcare provisions that are either still in effect or that provided the groundwork for systems that we still use today.

These include an increase in the self-employed health insurance tax deduction, the creation of medical savings accounts, and tax advantages for long-term care services and long-term care insurance.

HIPAA and the Self-Employed Health Insurance Deduction

Starting in 1986, self-employed people were allowed to deduct 25% of the cost of their health insurance. This was beneficial to self-employed people, but HIPAA drastically improved the benefit.

The self-employed health insurance deduction is still in use today and is an important part of making health coverage affordable for people who are self-employed.

Medical Savings Accounts

Just like today’s HSAs, a person was required to have a high-deductible health plan (HDHP) in order to contribute to an MSA, and could deduct MSA contributions on their tax return even if they didn’t itemize their deductions.

But HSAs, which debuted under the Medicare Modernization and Prescription Drug Act of 2003, offer more flexibility and have proven to be much more popular. MSAs allowed contributions to come from the account holder or their employer, but not both in the same year.

HSAs allow the individual, an employer, someone else, or any combination thereof, to make contributions to the account, up to the maximum allowable limit each year.

Existing Archer MSAs were allowed to remain in place, but no new MSAs were created once HSAs became available. HSAs have proven to be very popular, with more than 35 million HSAs in the U.S. as of 2022.

Although HSAs and MSAs have some key differences, they also share a lot of features. And HIPAA’s creation of MSAs paved the way for today’s HSAs.

Tax-Advantaged Treatment of Long-Term Care Services and Insurance

Prior to HIPAA, there was no preferential tax treatment for long-term care services or insurance. HIPAA (Title III, Subtitle C) changed that. Under HIPAA rules, qualified long-term care benefits can be received tax-free, and employer-sponsored premiums for long-term care insurance can be paid on a pre-tax basis (this reduces the person’s taxable income).

For individuals who buy their own long-term care insurance, HIPAA also introduced the ability to incorporate long-term care insurance premiums into total medical expenses, and deduct any medical expenses that exceed 7.5% of income, as long as the person itemizes their deductions.

HIPAA did impose a limit on how much could be deducted for long-term care premiums, with the amount based on the person’s age. When the law debuted, the annual deduction limits for long-term care insurance ranged from $200 for a person no more than 40 years old, to $2,500 for a person older than 70.

Summary

HIPAA was a landmark piece of legislation enacted in 1996. Although it is well known for its rules regarding the protection of private health information, the law included many other provisions.

HIPAA’s information privacy rules have been updated numerous times to keep pace with changing technology. They continue to provide robust protection, with covered entities required to ensure that patient data is stored and transmitted securely, is made available to patients upon request, and is not disclosed unnecessarily without authorization.

A Word From Verywell

For over 25 years, HIPAA has provided a framework for protecting access to health coverage for people with preexisting conditions as well as protection of sensitive personal health information.

Various regulations have been issued and updated over the years to keep up with changes in how healthcare information is used and transmitted, and HIPAA continues to protect Americans’ private health data.

Covered entities, which include health plans, medical providers, and people or businesses that transmit medical data, are subject to strict privacy and security rules, and face potential fines for violations.

HIPAA ensures that you have access to your own medical records, that you can request corrections in your medical records if necessary, and that you can control who has access to your medical records.

Frequently Asked Questions

HIPAA’s three main rules are the Privacy Rule (with a Breach Notification Rule in case a data breach is discovered), the Security Rule, and the Enforcement Rule. Together, these rules help to ensure that protected health information (PHI) is properly safeguarded.

Protected health information (PHI) includes information such as demographic data, a person’s medical history, test/lab results, prescriptions, and health insurance details. It can include any information about healthcare services or information that can be used to identify a patient.

HIPAA rules do not apply to anyone who isn’t a covered entity or business associate of a covered entity. Covered entities include health plans, medical providers, and healthcare clearinghouses (entities that transmit protected health information into or out of standard formats).

Information in education records or employment records is not protected under HIPAA, and neither is information about a person who died more than 50 years ago.

HIPAA does not forbid a business, employer, or individual from asking you to provide medical information, such as showing your proof of immunization.
