HIPAA – Why You Need to Know These Basic Things About HIPAA

The Health Insurance Portability and Accountability Act of 1996 is a United States federal law enacted by the 404th United States Congress and signed by former President Bill Clinton on August 21, 1996. This act changed the Health Insurance Portability and Accountability Act (HIPAA), which was a primary bill for health insurance in the United States. HIPAA was established to improve the privacy of patients’ personal health information, but it was also enacted with other important changes. The main change lies in how private health insurance plans are regulated, with regard to the Privacy and Security of Health Information Act (PSHIA). An important provision of HIPAA that has its own significance is the prohibition against releasing patient information to non-clients unless there is an explicit opt-out from receiving such information. There are other important provisions as well.

The Privacy and Security Rules provide protection to individuals from certain specified categories of people who may be the subject of unsuitability, including health care providers and identity theft. These categories are defined as the person who ordered the health care, any authorized representative of the person, or any entity that is acting on behalf of the person. In short, it covers any member of the public who is in a position to receive access to protected health information. This rule was introduced to ensure that private health information is protected under HIPAA rules.

Another important provision is the Security Rule, which prohibits certain health care professionals from disclosing non-confidential information. This includes giving a person permission to print out the identifying information or making that information publicly accessible. In addition to this rule, HIPAA also imposes penalties on employees who violate it. Penalties may include fines or restrictions on the parties.

The National Technical Authority for Security and Certification of Health Insurance identifies five technical standards that are addressed by HIPAA. They are the Privacy Rule, the National Identifier Standards, the National Data Entry System, the Security Rule, and the Physician Billing Model. According to the HIPAA Title II overview, the Security Rule establishes federal minimum standards for determining the suitability of software used to identify individuals. On the other hand, the National Identifier Standards establish specifications for systems used to create patient health information. According to the overview, Title II of HIPAA provides guidelines for organizations that choose to meet their technical requirements through the administrative simplification process rather than through the statutory process.

The next important part of the HIPAA Rules is the Exceptions section. Basically, this part permits some specific types of disclosures. Specifically, it addresses the types of disclosures that are permitted by federal law – not by state law. As a result, the exception list from the HIPAA rules covers confidential disclosures, attorney/client communications, protected medical records, memoranda, faxes, reports and documents, tests and samples, test results, and information used in the design and development of pharmaceutical products. With regard to the covered entities within the organization, disclosures made by an employee to a third party who does not represent the covered entity can be held confidential.

Another significant area of confusion lies in the Security Rule. While security is one of the primary concerns of people who want to protect their privacy and financial assets, many people fail to see that it applies only to protected parties within the organization. In short, the Security Rule makes sure that the protected entities do not disclose information outside the organization without first obtaining authorization. Again, according to the summary of HIPAA regulations, these safeguards apply to third-party vendors as well.

As discussed previously, the Security Rule is aimed at protecting the privacy and financial assets of the individual who signs up for a private health care plan. One way that companies can determine whether or not they are compliant with the Security Rule is through the Obligation Notice process. In short, the Obligation Notice is the first step that a company must take in order to satisfy the Security Rule requirements of HIPAA.

One can understand how difficult it can be to comply with the Security Rule and the other administrative safeguards set forth by HIPAA. According to the aforementioned summary of HIPAA regulations, these rules were enacted in order to “promote accurate and timely disclosure of health information to the intended receiver.” In short, the goal is to reduce the number of unauthorized disclosures of protected health information. In a nutshell, the aim of HIPAA is to reduce the risk to the protected individual. A risk analysis tool is used to determine whether accepting a certain level of risk is justified based on the anticipated benefits. If the benefits do not outweigh the risk, then the offer will be rejected.