The term HIPAA law most often refers to the standards that have been developed as a consequence of the Health Insurance Portability and Accountability Act – particularly the Rules that evolved from the Administrative Simplification provisions in HIPAA Title II. This article discusses the background to the HIPAA law, who it applies to, what the Rules are, and the penalties for HIPAA law violations.

The Background to HIPAA Law

As suggested by the title of the Act, HIPAA started life as a Health Insurance Reform Bill. This Bill had the objective of expanding the scope of the Consolidated Omnibus Budget Reconciliation Act (COBRA), limiting the restrictions that group health plans could place on benefits for preexisting conditions, and allowing workers to take out an individual health plan when leaving a group plan.

As these reforms to the health insurance industry would have increased costs for health plans – which would have been passed on to employers and individuals as increased premiums – Congress combined the provisions of the Health Insurance Reform Bill with a companion bill that proposed measures to reduce costs by preventing health care fraud and abuse and improving efficiency.

Health care fraud and abuse by unscrupulous healthcare organizations at the time accounted for approximately 10% of total health spending (around $7 billion according to a Congressional Report). It was felt that, by standardizing the administration of health care claims, a lot of the fraud and abuse could be prevented, and the administration of claims could be streamlined.

The combined bill was renamed the Health Insurance Portability and Accountability Act (HIPAA); and, at the time it was passed, HIPAA instructed the Secretary of Health and Human Services to develop standards for electronically transacted claims that were “consistent with the goals of improving the operation of the health care system and reducing administrative costs”.

The Standards for Electronic Transactions and Code Sets were published in 2000 so that all health plans would engage in health care transactions in a standardized way. The standards also applied to healthcare clearinghouses and healthcare providers that submit claims electronically, and this led to the publication of further standards to protect the security of the data elements included in the claims (i.e., personally identifiable information such as names, medical conditions, and payment details).

The further standards are more commonly known as the Privacy Rule and Security Rule. Collectively, these two HIPAA Rules, subsequent HIPAA Rules published by the Department of Health and Human Services, and amendments to the HIPAA Rules introduced by other Acts of Congress are frequently referred to as HIPAA law. So, let’s now discuss who HIPAA law applies to, what it consists of, and what penalties can be enforced for HIPAA law violations.

Who HIPAA Law Applies To

HIPAA law applies to all organizations that transmit healthcare or payment information in electronic form. These organizations are known as Covered Entities and include all health plans, all healthcare clearinghouses and healthcare providers that submit claims electronically. In addition, some HIPAA standards apply to third-party service providers that create, use, process, receive, or store Protected Health Information (PHI) on behalf of the Covered Entity they are providing the service to.

These third-party organizations are known as Business Associates (BAs). Potential BAs of Covered Entities include vendors of E-prescribing software, third-party disposal services, and Managed Service Providers. Under HIPAA regulations, all BAs must sign a contract which states what PHI is being disclosed to the BA and the permissible uses and disclosures of PHI by the BA. This contract is known as a Business Associate Agreement.

What are the Rules of HIPAA Law?

Until the passage of the HITECH Act in 2009, there were five Rules of HIPAA law. The Transaction Rule and the Identifiers Rule govern electronic transactions, what they relate to, and who they are sent to and from. The Privacy Rule sets nationwide minimum standards for the safeguarding of PHI in any format, while the Security Rule standards control the confidentiality, integrity, and availability of electronic PHI (ePHI).

In 2005, the Department for Health and Human Services also issued an Enforcement Rule that explained the criteria for investigations into HIPAA law violations, how investigations would be conducted, how liability would be determined, and what civil penalties would be imposed. However, it was not until 2013 that any effective enforcement action took place.

As the Transaction Rule and the Identifiers Rule are simply code sets, and the Enforcement Rule is discussed in further detail alongside the Breach Notification Rule, we’ll focus for the present on the Privacy and Security Rules, the two sets of HIPAA regulations that ultimately shaped how the healthcare service operates today.

The HIPAA Privacy Rule

The HIPAA ‘Standards for Privacy of Individually Identifiable Health Information’ or Privacy Rule was put in place with the intention of protecting the privacy of PHI, while allowing for the flow of patient health information when it is required to provide health care and protection of the public’s well-being. The Privacy Rule stipulates who can have access to PHI, who it can be disclosed to, and the circumstances in which it can be used. HIPAA Privacy Laws permit the use and disclosure of PHI, without an individual’s authorization, when:

  • The disclosure is to the subject of the information.
  • The disclosure is made for treatment, payment, or health care operations.
  • The use or disclosure is authorized by the individual the data pertains to.
  • The disclosure is made incidentally to an otherwise permitted use or disclosure.
  • The disclosure of PHI is limited to certain specified data elements (a limited data set) for the purposes of research, health care operations, and public health.

Furthermore, the HIPAA Privacy Rule provides patients with access rights to their PHI and requires Covered Entities to notify patients of their rights via a Notice of Privacy Practices. These rights include:

  • The right to examine and receive a copy of their health record and request alterations if necessary.
  • The right to obtain an accounting of who their PHI has been disclosed to.
  • The right to request the transmission of an electronic copy of their PHI by a Covered Entity to a third party.

The HIPAA Security Rule

While the Privacy Rule is concerned with the protection of certain health information managed by Covered Entities in any format, the Security Rule requires both Covered Entities and BAs to comply with standards relating to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).

The implementation specifications of the HIPAA Security Rule are either ‘required’ or ‘addressable’. In order to avoid a HIPAA law violation, Covered Entities and BAs must decide whether a given addressable implementation specification is a necessary measure for the security of the ePHI they maintain. They may implement an alternative measure if it achieves the same objective, or not implement the addressable implementation specification at all if that is justifiable in the given circumstances. This decision must be documented and is based on a number of factors, including:

  • A risk analysis.
  • A risk mitigation strategy.
  • What security measures are already in place.
  • The cost of implementation.

The Security Rule applies to all Covered Entities and BAs ranging from small dental practices to large-scale health insurance plans and data processors to cloud service providers. Therefore, the Rule is designed to be flexible and comprehensive to allow for all Covered Entities and BAs to implement appropriate policies, procedures, and technologies. It is the responsibility of Covered Entities and BAs to maintain reasonable and appropriate Safeguards for protecting ePHI. Specifically:

  • Ensure the confidentiality, integrity, and availability of all ePHI;
  • Identify and protect against reasonably anticipated threats to security;
  • Protect against impermissible uses or disclosures; and
  • Ensure workforce compliance with HIPAA law.

Both Covered Entities and Business Associates must comply with three categories of safeguards and their Implementation Specifications: Physical, Administrative, and Technical.

The Physical Safeguards are a set of security procedures that prevent unauthorized physical access to a Covered Entity’s or Business Associate’s systems or buildings. Physical Safeguards include:

  • Facility Access and Control.
  • Device Security.
  • Workstation Use.

The Administrative Safeguards ensure the necessary administrative actions are taken by Covered Entities and BAs in order to prevent a breach of unsecured ePHI. Administrative Safeguards include:

  • A Security Management Process that reduces risks and vulnerabilities to a reasonable and appropriate level.
  • The designation of a Security Officer who is responsible for developing the entity’s security policies and procedures and supervising the workforce’s compliance with HIPAA.
  • Periodic assessments of how well security policies and procedures are being adhered to.

The Technical Safeguards relate to the technology used by Covered Entities and BAs to safeguard ePHI. They are designed to prevent unauthorized access to ePHI and to make access that does occur accountable. Technical Safeguards include:

  • Implementing hardware, software and/or procedural mechanisms to record access and activity on information systems.
  • Implementing integrity controls that monitor the alteration of ePHI.
  • Implementing transmission security to restrict unauthorized access to ePHI being transmitted from one system to another.

Subsequent Changes to HIPAA Laws

The reach of HIPAA law was expanded by the passage of the HITECH Act in 2009, and the enactment of the HIPAA-related provisions of the HITECH Act via the Final Omnibus Rule of 2013.


The Health Information Technology for Economic and Clinical Health Act or HITECH Act was a large component of a large economic stimulus package called the American Recovery and Reinvestment Act. One of the goals of the HITECH Act was to promote the adoption of Electronic Health Records (EHRs) by healthcare providers via the Meaning Use program. However, the adoption of EHRs raised concerns about the privacy and security of electronically transmitted PHI.

Subtitle D of the HITECH Act attempts to address the concerns by strengthening the civil and criminal enforcement of HIPAA. Under this subtitle, many of the enforcement provisions of HIPAA took immediate effect and BAs were required to comply with The Security Rule, certain provisions of the Privacy Rule, and the newly created Breach Notification Rule. State Attorneys General were also given the authority to pursue civil and criminal actions on the behalf of citizens.

The Breach Notification Rule

HIPAA law requires organizations subject to HIPAA to provide notification following a breach of unsecured PHI. HHS defines a breach as an access, use, or disclosure not permitted under the Privacy Rule that compromises the security or privacy of individually identifiable health information.

HHS maintains that an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the Covered Entity or BA demonstrates that there is a low probability the PHI has been compromised, based on a risk assessment that considers at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized individual who accessed the PHI or to whom the PHI was made available;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

HIPAA law requires individual notifications to be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. If the breach affects more than 500 residents of a jurisdiction, media outlets must also be notified within days. Additionally, breaches of unsecured PHI must be reported to HHS’ Office for Civil Rights (OCR) via the HHS web site.

If a breach affects fewer than 500 individuals, the Covered Entity may report such breaches to OCR annually. These reports must be submitted no later than 60 days after the end of the calendar year in which the breach was discovered.
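The thresholds and windows in the two paragraphs above are the kind of rule an incident response playbook turns into a checklist. The following is an added example, not code from the original article: a deadline calculator that, from a discovery date and a per-jurisdiction count of affected residents, lists every notification the Breach Notification Rule section triggers. It assumes that the media notice and the HHS web-site report for large breaches share the 60-day window the page states for individual notices (the page gives no separate figure for those), and the jurisdiction names and counts in the usage block are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Figures as stated in the Breach Notification Rule section above.
NOTICE_WINDOW_DAYS = 60        # individual notice: no later than 60 days after discovery
MEDIA_THRESHOLD = 500          # media notice when MORE than 500 residents of one jurisdiction
OCR_IMMEDIATE_THRESHOLD = 500  # fewer than 500 affected in total -> annual report to OCR


@dataclass(frozen=True)
class Notification:
    recipient: str  # "individuals", "media:<jurisdiction>" or "OCR"
    deadline: date  # latest permissible date


def breach_notifications(discovered: date, affected_by_jurisdiction: dict[str, int]) -> list[Notification]:
    """Return every notification the breach triggers, with its latest permissible date.

    affected_by_jurisdiction maps a state/jurisdiction name to the number of its
    residents whose unsecured PHI was involved in the breach.
    """
    total = sum(affected_by_jurisdiction.values())
    latest = discovered + timedelta(days=NOTICE_WINDOW_DAYS)

    # Individual notices are always required.
    notices = [Notification("individuals", latest)]

    # Media notice per jurisdiction with more than 500 affected residents.
    # Assumption (not stated on the page): it shares the 60-day window.
    for jurisdiction, count in sorted(affected_by_jurisdiction.items()):
        if count > MEDIA_THRESHOLD:
            notices.append(Notification(f"media:{jurisdiction}", latest))

    if total >= OCR_IMMEDIATE_THRESHOLD:
        # Assumption (not stated on the page): the HHS web-site report for a
        # breach of 500 or more individuals also shares the 60-day window.
        notices.append(Notification("OCR", latest))
    else:
        # Smaller breaches go in the annual report, due 60 days after the end
        # of the calendar year in which the breach was discovered.
        year_end = date(discovered.year, 12, 31)
        notices.append(Notification("OCR", year_end + timedelta(days=NOTICE_WINDOW_DAYS)))
    return notices


if __name__ == "__main__":
    # Constructed sample: a breach discovered 15 March 2022 affecting 700 Ohio
    # residents and 30 Kentucky residents.
    for n in breach_notifications(date(2022, 3, 15), {"Ohio": 700, "Kentucky": 30}):
        print(f"{n.recipient:<16} by {n.deadline.isoformat()}")
```

Note that the annual-report deadline lands on 1 March (29 February in a leap year), which is why the calculator works from the calendar year end rather than hard-coding a date.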

The Final Omnibus Rule

HIPAA law was updated once again following the publication of the Final Omnibus Rule of 2013 to incorporate most of the privacy provisions of the HITECH Act. These included:

  • The extension of the definition of BAs to include Health Information Exchanges, E-prescribing Gateways, and Regional Health Information Organizations.
  • The strengthening of the Privacy and Security Rules regarding the uses and disclosures of PHI that require patient authorization.
  • Better defining when international, federal, or state law preempts HIPAA.

Technological advances brought forth changing work practices such as the use of personal mobile devices. The Final Omnibus Rule sought to address these advances by including new policies and procedures to account for scenarios which were unforeseen when HIPAA law was originally enacted.

The Final Omnibus Rule was most effective in raising awareness of the HIPAA safeguards that Covered Entities and Business Associates must adhere to. Additionally, OCR was given the resources to pursue substantial enforcement action, resulting in Covered Entities and Business Associates taking HIPAA compliance more seriously.

What are the Penalties for HIPAA Law Violations?

The primary enforcer of HIPAA is HHS’ Office for Civil Rights (OCR). However, the HITECH Act gave State Attorneys General the authority to issue penalties for HIPAA law violations independently of OCR. In addition, the Centers for Medicare and Medicaid Services, the U.S. Food and Drug Administration, and the Federal Communications Commission all have some authority to enforce HIPAA law.

HIPAA law enforcement agencies can find out about HIPAA law violations in various ways. The most common ways include:

  • Complaints by employees and the public via online reporting portals.
  • Breach Notifications submitted by Covered Entities and Business Associates to the OCR following the disclosure of unsecured PHI.
  • Compliance audits and inspections conducted by the OCR when following up on technical assistance or the execution of a Corrective Action Order.

In the event of a HIPAA violation, OCR can provide technical assistance or issue a Corrective Action Order. The purpose of a Corrective Action Order is to address the underlying issue that led to a HIPAA law violation. Covered Entities and BAs will be required to develop procedures and policies to prevent further HIPAA offenses, along with subsequent updated workforce training.

If the HIPAA law violation is of a serious nature, penalties can be drastic. Fines of up to $1,806,757 per violation (2022) can be issued depending on:

  • The extent of harm the violation caused.
  • The degree of culpability.
  • The efforts made to reduce the harm of the violation.
  • The negligent party’s timely notification and cooperation.

Although rare, custodial sentences have been issued for violating HIPAA law. Criminal penalties can be the result of theft or fraud with intent to harm or for financial gain. Even when the violation does not result in criminal sentencing, the offender will likely be fined, lose their job, and have their license to practice withdrawn. Furthermore, depending on how the PHI was accessed, Covered Entities and BAs can also be subject to fines for the same violation.

Therefore, it is very important for those subject to HIPAA law to understand its requirements in order to avoid penalties for HIPAA law violations. Covered Entities and BAs often find it difficult to implement the necessary and appropriate security measures to ensure the protection of the PHI they maintain. For that reason, it is advised that organizations who are unsure of the current HIPAA compliance requirements seek advice from a HIPAA law expert.

Who can Violate HIPAA Laws?

Individuals and organizations with access to Protected Health Information can violate HIPAA laws if they qualify as a Covered Entity or Business Associate. These include healthcare providers, health plans, and healthcare clearinghouses, and any organization that provides a service on behalf of a Covered Entity.

When did HIPAA Become a Law?

HIPAA was signed into Law by President Bill Clinton on August 21st, 1996. However, HIPAA has received several major updates since:

  • The HIPAA Privacy Rule of April 2003.
  • The HIPAA Security Rule of April 2005.
  • The HIPAA Enforcement Rule of March 2006.
  • The HITECH Act and the Breach Notification Rule of September 2009.
  • The Final Omnibus Rule of March 2013.

Is HIPAA a Federal Law?

HIPAA is a federal law which establishes a federal floor of privacy protections in the health care and health insurance industries. However, state laws with more stringent privacy protections preempt HIPAA, and where a conflict exists with other federal laws, HIPAA law typically takes a back seat. To address these contradictions and conflicts with other laws, the HIPAA Privacy Rule is updated regularly. Individuals and organizations subject to HIPAA should seek professional advice to determine which Rules they should comply with.