What is HIPAA?

HIPAA history

Congress passed the Health Insurance Portability and Accountability Act in August 1996. The law provided that if Congress failed to pass health privacy legislation within three years, the Department of Health and Human Services would issue privacy rules under the authority HIPAA gave it.

Congress did not pass another privacy bill, and in October 1999 Health and Human Services released a draft rule, called the Standards for Privacy of Individually Identifiable Health Information and known as the "privacy rule." After receiving tens of thousands of comments on the draft, the department issued a final rule in December 2000, with modifications following in August 2002.

Comments from the media -- including The Reporters Committee for Freedom of the Press, the Newspaper Association of America, the National Newspaper Association, and the American Society of Newspaper Editors -- argued that the proposed rule too harshly restricted access to information.

Despite media concerns, most health care organizations were required to comply with the privacy rule beginning in April 2003. According to its authors, the goal of the privacy rule -- the part of HIPAA that governs public release of information and can prove so frustrating for reporters inquiring about a patient's condition -- was to give patients more control over the release of their medical information. Thus, the rule frequently requires a patient's written authorization before information is disclosed.

Affected parties

HIPAA applies to "covered entities": health plans, health care clearinghouses such as billing agencies, and health care providers, a category that includes hospitals, ambulance services, medical universities and public health authorities that deliver care. If the organization bills electronically for health care or otherwise transmits health information electronically, HIPAA applies regardless of the organization's size.

The privacy rule allows a HIPAA-covered organization that has another function in addition to providing health care to designate itself as a "hybrid entity." The entity defines what its "health care component" is and makes sure that component complies with HIPAA. A "wall" is set up between the health care component and the non-health care component: the health care component may not pass protected health information to the rest of the organization except where the rule would permit disclosure to an outside party, and the non-health care component is not bound by HIPAA. If the organization does not designate itself as a hybrid, the entire operation must comply with HIPAA.

For example, a university may designate itself a hybrid entity. Its hospital and medical school may be designated as the health care component that must comply, but they could not share patient information with another part of the university, such as an athletics department or nursing school, that is outside that component and not bound by HIPAA.

"Affiliated covered entities" are legally separate covered entities under common ownership or control. For example, a university hospital and a university medical foundation could have a common owner but be legally separate entities. Both must comply with HIPAA, and the rule lets them designate themselves as a single affiliated covered entity so that they can comply under one set of policies.

Penalties

For unintentional violations of the privacy rule, civil penalties of $100 per violation can be assessed, up to a maximum of $25,000 per year for violations of the same requirement.

For knowing and intentional misuse of individually identifiable health information, criminal penalties can reach a fine of up to $250,000 and imprisonment for up to 10 years, with the harshest penalties reserved for offenses committed with intent to sell the information or to use it for commercial advantage, personal gain or malicious harm.

A safe harbor provision shields covered entities from civil penalties for inadvertent violations that they did not know about and, with reasonable diligence in attempting to comply with the law, would not have known about.

An investigation in June by The Washington Post found that no one had yet been fined for violating HIPAA. However, the Post reported that the Justice Department had prosecuted two criminal cases: one against a Seattle man who stole credit card information from a cancer patient and another against a Texas woman who sold an FBI agent's medical records.