When the Health Insurance Portability and Accountability Act (HIPAA) came into effect in 1996, the law governed a very different information landscape than that of today. Then, individuals did far less online, including in matters relating to their healthcare. We produced less data, especially digitally, so there was less need to regulate access to it and use of it.
However, today the HIPAA law is more relevant and important than ever, particularly because digital footprints have proliferated, along with the ways that people create and disseminate their data, often without knowing it, including for healthcare. There is also a startling variety of ways health data can be used, from diagnosis and treatment to online advertising, creating an ever-expanding need for clear guidelines and robust protections.
Here, we look at what HIPAA is, why it’s so relevant today in data privacy, how it’s become interlinked with other regulations, and what its requirements mean for individuals and companies in healthcare and related industries.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal regulation that was signed into law in 1996, and is managed by the U.S. Department of Health and Human Services. Its purpose is to protect the privacy and security of American citizens’ protected health information. The HIPAA law has been updated several times, most recently in 2020.
Unlike the majority of countries in the world, the US does not have a universal healthcare system, and a significant portion of the regulation’s contents reflects the resulting requirements for managing healthcare and how it’s paid for, including through insurance.
The Act’s main provisions are five “Titles” to protect healthcare data and establish responsibilities for organizations using it. Within Title sections there are also a number of Rules governing access to and use of data, plus security requirements and enforcement.
HIPAA is designed to protect individuals’ privacy and promote security for healthcare data, but also to increase efficiency in healthcare services and management, and the portability of healthcare information.
More about HIPAA Title II: Privacy Rule
Within Title II, perhaps the most relevant section of HIPAA for data privacy and compliance, and the one most connected to requirements in other data privacy laws, is the Privacy Rule. It addresses the use and disclosure of individuals’ protected health information by organizations, and provides privacy rights that let individuals understand and control the use of their health information. The Privacy Rule also outlines compliance requirements and enforcement.
Overall, a major goal of the Privacy Rule is to ensure adequate protection of health information, while maintaining the flow of that information as needed to provide quality healthcare and promote health and well-being.
Key definitions in HIPAA
Like all regulations, the terms included in the Definitions section of HIPAA provide a lot of information about the focus of the law and how it views individuals and organizations and the expectations on them. Below we summarize some of these key definitions.
Administrative simplification provision
This provision refers to any requirement or prohibition established by HIPAA or other relevant regulation, primarily designed to improve standardization and efficiency. It governs how providers, health plans, and clearinghouses must conduct electronic administrative transactions, and sets standards for transmitting electronic health information.
Business associate
A business associate is a person who creates, receives, maintains, or transmits protected health information on behalf of a covered entity, with exceptions. Comparable to a third-party data processor under many data privacy laws.
Covered entity
Refers to:
- a health plan
- a healthcare clearinghouse
- a healthcare provider who transmits any health information in electronic form in connection with a transaction.
This definition is comparable to a data controller under many data privacy laws, but in the healthcare context.
Disclosure
The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.
Electronic media
Electronic storage material on which data is or may be recorded digitally, including computer hard drives, external portable drives, or removable/transportable digital memory media such as memory cards or USB keys.
Healthcare clearinghouse
A public or private entity that processes or facilitates processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. Includes billing services, repricing companies, community health management information systems, or community health information systems, or value-added networks and switches.
Health information
Any information, including genetic information, whether oral or recorded in any form or medium, that is:
- created or received by:
  - a healthcare provider
  - health plan
  - public health authority
  - employer
  - life insurer
  - school or university
  - healthcare clearinghouse

and

- relates to:
  - the past, present, or future physical or mental health or condition of an individual
  - the provision of healthcare to an individual
  - the past, present, or future payment for the provision of healthcare to an individual

Information can be written on paper, spoken, or electronic. Data size does not matter. It can be transmitted within or outside a healthcare facility. It applies to anyone or any institution involved with the use of healthcare-related data.
Electronic protected health information
Protected health information in electronic form, defined in the relevant paragraphs under the definition of protected health information per HIPAA Definitions.
Individually identifiable health information
Like personally identifiable information as defined in other data privacy laws, but specific to health and healthcare. A subset of health information, including demographic information collected from an individual, that is:
- created or received by:
  - a healthcare provider
  - health plan
  - employer
  - healthcare clearinghouse

and

- relates to:
  - the past, present, or future physical or mental health or condition of an individual
  - the provision of healthcare to an individual
  - the past, present, or future payment for the provision of healthcare to an individual

and

- that identifies an individual or could reasonably be used to identify an individual
Person
A natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.
Protected health information (PHI)
Individually identifiable health information, except that which is maintained or transmitted via electronic medium, or in certain records, e.g. education or employment, or regarding a person who has been deceased for more than 50 years. PHI is at the core of HIPAA requirements and restrictions.
PHI vs. PII
Data privacy laws often refer to personally identifiable information (PII). This is data that, using individual pieces or a combination of pieces of data, can be used to identify an individual. It can include first and last name, email addresses, credit card numbers, passport numbers, and more. Some PII is also categorized as “sensitive” as misuse of it can cause considerable harm. Protected health information (PHI) would typically be considered sensitive PII.
Respondent
A covered entity or business associate upon which a civil monetary penalty has been imposed, or proposed to be imposed.
Trading partner agreement
An agreement related to the exchange of information in electronic transactions, whether the agreement is distinct or part of a larger agreement, between each party to the agreement. May specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.
Transaction
The transmission of information between two parties to carry out financial or administrative activities related to healthcare.
Includes:
- healthcare claims or equivalent encounter information
- healthcare payment and remittance advice
- coordination of benefits
- healthcare claim status
- enrollment and disenrollment in a health plan
- eligibility for a health plan
- health plan premium payments
- referral certification and authorization
- first report of injury
- health claims attachments
- healthcare electronic funds transfers (EFT) and remittance advice
- other transactions prescribed by regulation
Use
With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
To what organizations does the HIPAA law apply?
Generally, HIPAA applies to organizations that deal with healthcare data in digital or analog form, ranging from healthcare providers to insurance companies, and their business associates. The entities that typically handle PHI include:
- healthcare providers, e.g. hospitals, doctors, dentists, pharmacies
- health plans, e.g. health insurance companies, employee-sponsored health plans, government programs like Medicare and Medicaid
- healthcare clearinghouses, e.g. organizations that perform administrative functions for healthcare providers or plans, or that process or facilitate processing of healthcare information, such as converting it from paper to electronic format
- business associates that provide services to covered entities involving use or disclosure of PHI, e.g. third-party service providers like those doing billing, data storage, or legal consulting
- consultants, like experts providing advice or analysis relating to health information or healthcare operations that requires handling of PHI
- contractors or subcontractors, like vendors providing services such as claims processing or data analysis involving PHI
Who does HIPAA protect?
HIPAA protects individuals, their privacy, and their healthcare information as it is created, received, maintained, or transmitted with regards to use of healthcare services or payment for healthcare services.
What protections does HIPAA provide?
HIPAA requires that healthcare information be protected from the time it’s generated to when it’s destroyed. It must also be protected and access to it limited when it’s used or transmitted for healthcare purposes. This helps to prevent identity theft and fraud that victimizes individuals, and also helps prevent fraud and abuse of health plans, including private health plans and Medicare.
The HIPAA law helps to prevent discrimination against individuals or denial of care based on health status or use of healthcare services. Additionally, the law helps individuals take control of their healthcare data, which can also significantly help people advocate for themselves, find care or access additional services, or negotiate with insurers.
Notification and consent requirements under HIPAA
Typically prior consent is not required for use or disclosure of PHI for routine treatments, payments, or other healthcare operations, per the Privacy Rule. Individuals’ authorization is required for special uses and disclosures, however. Authorization (e.g. consent forms) must be clear for the user to understand, and include specific information about the use and/or disclosure of PHI. Individuals have the right to revoke authorization, and must be enabled to do so.
A HIPAA consent form is a legal document that authorizes covered entities to disclose PHI that is not otherwise permitted under the Privacy Rule. The consent form must be signed and retained as proof of authorization.
For example, a covered entity must obtain a signed HIPAA authorization before they can:
- sell or share PHI
- use or disclose PHI for marketing or fundraising purposes (e.g. patient email addresses)
- disclose psychotherapy notes
- disclose PHI to a research organization
HIPAA notification requirements
Like notification requirements of all data privacy laws, HIPAA requires consent forms to clearly and accessibly provide important information to individuals. A copy of the signed form also must be provided to the individual. Consent form information includes:
- description of the information to be used or disclosed
- purpose for which the information will be disclosed
- name of the person or entity to whom the information will be disclosed
- name of any third parties to whom the covered entity may make the requested use or disclosure
- expiration date or expiration event that relates to the individual or the purpose of the use or disclosure
- date and signature of the individual
- information about the individual’s right to revoke the authorization in writing
- any exceptions to the individual’s right to revoke the authorization
- details of how the authorization can be revoked
- a statement that the covered entity may not make treatment, payment, enrollment or eligibility for benefits conditional on whether the individual signs the authorization
- the potential for information disclosed under the terms of the authorization to be re-disclosed by the recipient and no longer protected by the HIPAA Privacy Rule
Exceptions to HIPAA consent requirements
Covered entities are permitted to use or disclose PHI without an individual’s authorization in the following situations or for the following purposes:
- if the PHI is to be used by or disclosed to the individual it was collected from or is about (with exceptions)
- for routine treatment, payment, or healthcare operations
- where the individual has been given the opportunity to agree or object
- incident to an otherwise permitted use and/or disclosure
- for public interest and benefit activities
- as part of a limited data set for the purposes of research, public health, or healthcare operations
Companies’ responsibilities under HIPAA
For the most part, the companies that are required to comply with HIPAA’s requirements will be those categorized as covered entities or business associates. HIPAA is referenced in many of the state-level data privacy laws in the US, but mainly regarding exceptions to compliance with them, as HIPAA has its own set of requirements. Alternatively, where relevant to companies’ operations, HIPAA requirements may supersede those of state-level or other laws. Broadly, companies have the following responsibilities under HIPAA.
Contracts and documentation responsibilities
Covered entities under HIPAA need to ensure they have Business Associate Agreements (BAA) with any entities that are categorized as business associates under HIPAA and that handle PHI on the company’s behalf.
Such agreements must specify the business associate’s responsibilities for processing PHI, as well as safeguarding it and complying with other HIPAA requirements. There are templates available to assist companies in getting started drafting such agreements, but consulting qualified legal counsel is also strongly recommended.
Companies need to keep detailed records of individuals’ requests and resulting actions, as well as documenting any breaches and efforts for mitigation. They also need to document and keep their PHI handling policies and processes up to date, maintain records of employee training, and other efforts. Auditors or investigators may require this information.
HIPAA enforcement
HIPAA’s Enforcement Rule covers requirements for compliance, as well as investigations, procedures for hearings, and the potential imposition of penalties. The Enforcement Rule has been amended and updated a number of times since the law came into effect.
The HHS Office for Civil Rights (OCR) is primarily responsible for enforcing HIPAA’s Privacy and Security Rules. While it is less common for them to wield authority under HIPAA, state attorneys general and the Centers for Medicare and Medicaid Services (CMS) can also take enforcement action.
The OCR investigates complaints and breaches, conducts compliance reviews, and handles education about compliance for organizations required to comply. It can also levy penalties and/or pursue legal action against noncompliant organizations and/or refer them to the Department of Justice, though voluntary compliance is the preferred resolution.
Priority is given to investigations of data breaches affecting more than 500 people, but smaller breaches have been subject to investigation.
Maximum fines for HIPAA violations are USD 1.5 million per violation, per year. The OCR takes the following factors into account when determining specific fines:
- size of the covered entity
- type of PHI exposed
- duration of the violation
- number of individuals affected
- severity and extent of damage due to the violation
- the covered entity’s cooperation during the investigation
Data management requirements under HIPAA
Though HIPAA is a federal-level law in the US, it does not always supersede state-level laws. We look at compliance requirements — and variances — for PHI regarding data retention and destruction.
Data retention requirements
Data retention under HIPAA applies to both medical records containing PHI and other records related to HIPAA compliance, e.g. authorization forms. Covered entities need to be aware of other data retention requirements beyond HIPAA, like those governing medical records at a state level, which may require longer retention.
The type of documentation may determine which requirements take precedence. It’s important to consult qualified legal counsel for clarity.
HIPAA requires some types of documents be retained for six years from the date they were created or the date when they were last in effect, whichever is later. This applies to:
- Privacy Rule and Security Rule documentation: policies, procedures, compliance documentation, etc.
- Business Associate Agreements: copies signed and shared with business associates, including any amendments or other updates
- Notices of Privacy Practices: copies provided to individuals and records of acknowledgements
- Breach notification records: including notifications to the Secretary of HHS, affected individuals, and the media
- Authorization forms: copies of individuals’ authorizations and consent forms for use/disclosure of PHI
HIPAA Privacy Rule and lack of medical records retention stipulations
One might expect that HIPAA would explicitly include requirements for how long medical records should be retained. However, this is not the case, because each state has its own laws covering this, and on the topic of data retention, HIPAA does not preempt state-level laws.
As a result, covered entities and business associates must comply with relevant state-level data retention laws with regards to medical records. These retention periods can vary quite a bit state by state.
For example, a doctor in Florida must retain records for five years after the last patient contact, but a Florida hospital must retain the records for seven years. In Arkansas hospitals, medical records of adult patients must be retained for ten years after discharge, but master patient index data (information stored in a central database that organizes and links patient data across healthcare systems and facilities) must be retained permanently. In North Carolina, hospitals must retain minors’ medical records until those individuals reach the age of 30.
Records destruction
As with many data privacy laws, the principles of data minimization and storage limitation are important, so only the least amount of necessary data is obtained and processed, and it is only kept as long as it is needed for the specific, communicated purpose(s).
When the legally required retention period ends, or when covered entities otherwise no longer need PHI, it must be securely destroyed, whether the data is in physical or digital format. Physical destruction methods include shredding or incineration, and electronic destruction methods can include secure wiping, overwriting, and/or destruction of the storage medium.
HIPAA and other US data privacy laws
The US continues to pass state-level data privacy laws, as there is not yet a comprehensive federal law to manage data privacy and protection, consumers’ rights, and other relevant factors. The lack of a federal data privacy law makes the US somewhat unusual. In other countries with comprehensive federal or regional data privacy laws, health and healthcare data is usually covered by those laws, without the need for additional regulations.
The existing state-level data privacy laws do tend to reference HIPAA, most commonly in the exemptions to requirements. This is primarily because in some areas, HIPAA supersedes these state-level laws. However, as noted, for some requirements, like data retention, state-level law can supersede HIPAA.
There is some movement regarding healthcare-specific laws at the state level as well. A good example is the Washington My Health My Data Act. Interestingly, though, Washington state does not have a general data privacy law yet, as of late 2024.
It is quite common in the US, especially for certain industries — like healthcare or the financial sector — for there to be a number of regulations and guidelines specific to that industry, the work done there, and the data required for it. Because of this, state-level privacy laws often defer to industry-specific regulations, at least in some areas.
The Children’s Online Privacy Protection Act (COPPA), for example, is another federal US law that is referenced by and relevant to a variety of other regulations and to a variety of industries.
Increasingly, HIPAA and compliance with it could become more relevant to companies in and outside the United States as the generation and flow of personal data continues to proliferate on digital platforms, like apps. People increasingly use their phones to track health and activities, and some of the data generated can be quite sensitive. Insurance companies also increasingly provide apps to enable customers to manage their coverage, claims, and other functions.
All of these and more could require HIPAA compliance. PHI and financial information could also further intersect and involve laws like the Gramm-Leach-Bliley Act (GLBA) where health-related financial information is processed, for example in insurance claims, payment for services, etc.
Laws like HIPAA around the world
In other countries, comprehensive data privacy regulations often include healthcare information, so separate PHI-specific laws have not been passed. PHI is typically categorized as “sensitive” information, alongside data types such as sexual orientation, religious beliefs, or financial information, which requires greater restrictions in collecting and using it, and stronger measures for storing and protecting it.
Some of the data privacy laws in other countries relevant to PHI management include:
- General Data Protection Regulation (GDPR) in the European Union
- Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
- Lei Geral de Proteção de Dados (LGPD) in Brazil
- Protection of Personal Information Act (POPIA) in South Africa
- Australian Privacy Act in Australia
- Health Information Privacy Code in New Zealand
- Data Protection Act in the United Kingdom
Achieving HIPAA compliance
As with any other data privacy laws, noncompliance can be expensive, time- and resource-consuming, and devastating to consumers’ trust and brand reputation in the case of a breach or other violation. Healthcare information is among the most sensitive types of information that people share, and needs to be protected and respected accordingly.
HIPAA applies to a narrower subset of companies, but still applies to more than many might think, given the size of the ecosystem involved in managing delivery, recordkeeping, and payment for healthcare in the United States.
The Privacy and Security Rules, particularly, provide the best blueprint for HIPAA compliance. In addition, these actions are also important.