What is HIPAA and the Laws?

What is HIPAA?

HIPAA is the abbreviation for the Health Insurance Portability and Accountability Act, which was passed by the US Congress in 1996. The act sets out data-privacy and security provisions to ensure that a patient’s medical records are protected.

What is HIPPA?

HIPPA is a common misspelling of the abbreviation for the Health Insurance Portability and Accountability Act. People often get it wrong, but don’t let it confuse you: the act is HIPAA.

What does HIPAA do?

  • Helps American workers and their families transfer and continue their health insurance coverage when they lose or change jobs.
  • Reduces health care fraud and abuse.
  • Sets standards for health care information in electronic billing and other processes.
  • Ensures that patients’ health care data is kept private and confidential.

Your rights with HIPAA

Your Medical Records

The Privacy Rule gives you the right to examine, review, and obtain copies of your medical information and billing records held by health care providers and health plans that are covered by the Privacy Rule.

Employers and Health Information in the Workplace

Under the Privacy Rule, health plans and health care providers are subject to specific rules when sharing medical information with an employer.

If you work for a covered health plan or health care provider, the Privacy Rule does not apply to your employment records. In addition, it will not protect your medical or health plan information if you are a patient of the health plan.

Personal Representative

A patient can appoint a personal representative to make health care decisions on their behalf. The personal representative is allowed to examine the patient’s records and receive a copy of the patient’s health information.

Family Members and Friends

The Privacy Rule does not allow health plans or health care providers to disclose patient health information to family members or friends unless they are the patient’s personal representative.

A provider may share this information with them only under the following circumstances:

  • They are involved in your health care plan or in the payment for your health care.
  • You have told the health care provider that they may do so.
  • You do not object to the records being shared.
  • The provider uses professional judgment and does not believe you would object.

Court Orders and Subpoenas

Court Order

Under HIPAA, covered health care providers and health plans may disclose your protected health information in response to a court order. The provider or health plan may share only the records that are specified in the court order.

Subpoena

Before responding to a subpoena, providers and plans must ensure that the requesting party made a reasonable effort to notify the person whose information is requested and to seek a qualified protective order for the data from the court. As long as the notification requirements of the Privacy Rule are met, providers and plans may disclose health information to the party that issued the subpoena.

What are the HIPAA laws?

Privacy Rule

The HIPAA Privacy Rule protects medical records and other sensitive patient health information. The rule applies to health plans, health care clearinghouses, and health care providers that handle their payments electronically. It requires safeguards that protect sensitive health information and limits the use of patient information without the patient’s permission.

Beyond protecting patients from third-party use of their data without consent, the Privacy Rule gives patients more control over their health records by granting them full access to those records. Patients can review their own records, obtain copies, and ask about any changes to them.

Security Rule

The HIPAA Security Rule requires the protection of patients’ electronically stored protected health information (ePHI) through administrative safeguards that ensure the confidentiality and security of that information. The Security Rule puts the protections of the Privacy Rule into practice by spelling out the technical and non-technical safeguards that HIPAA-covered entities must implement to secure ePHI.

All HIPAA-covered entities must assess their security risks, even organizations that use certified electronic health record (EHR) technology. These entities must address administrative, physical, and technical safeguards to remain fully compliant with the Security Rule, and they must document all of their security compliance measures.

Omnibus Rule

The purpose of the Omnibus Rule is to implement the mandates of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The act is part of the American Recovery and Reinvestment Act of 2009 and provides incentives for Electronic Health Record adoption and meaningful use.

The Omnibus Rule merges four rulemakings, including the following:

  • Modifications to the HIPAA Privacy and Security Rule requirements.
  • Additional requirements for data breach notifications and penalty enforcement.
  • The adoption of regulations in accordance with the HITECH Act’s breach notification rule.

The Omnibus Rule enforces regulations that:

  • Govern the use of patient information in marketing.
  • Require health care providers to report data breaches even when they are not considered harmful.
  • Require Business Associates and subcontractors to comply with HIPAA and hold them liable for their own data breaches.

Enforcement Rule

When a rule is broken, the Enforcement Rule governs how the resulting investigations are conducted. Once the responsible officials have determined the severity of the violation, appropriate fines are issued to the violators.

Breach Notification Rule

Should a data breach be discovered, the Breach Notification Rule requires the entity to notify the Department of Health and Human Services (DHHS). The notification must be made within 60 days of discovery when 500 or more people are affected. The patients whose information was breached must also be notified within 60 days. When more than 500 patients’ data has been breached, a notice must also be issued to local media outlets.

What could happen if your company violates HIPAA laws?

Your punishment for breaking HIPAA rules will depend on the severity of the violation. Authorities consider numerous factors when deciding the penalty:

  • Whether the violator exercised due diligence to correct the violation.
  • Whether there was malicious intent, or whether the rules were broken for personal benefit.
  • The nature of the offense.
  • The damage resulting from the violation.
  • The number of patients affected by the violation.
  • Whether the criminal provisions of HIPAA were violated.
  • Whether the perpetrator knew that HIPAA rules were being broken.

There are four possible consequences if you break any of the HIPAA rules: