The Health Insurance Portability and Accountability Act (HIPAA)

Executive Summary

We came across some useful information from TechTarget and the U.S. Department of Health and Human Services and have combined it into the summary below on the topic of HIPAA compliance. Please refer to the original sources listed below for more detailed information.

The Health Insurance Portability and Accountability Act (HIPAA) is US legislation that provides data privacy and security provisions regarding medical information. HIPAA contains five sections, or titles, including its most significant section, known as the Privacy Rule. The Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. This law applies to health plans and health care providers, among other entities.

The Health Insurance Portability and Accountability Act (HIPAA)

The five main sections of HIPAA are as follows:

  • HIPAA Title I: protects health insurance coverage for those who lose or change jobs. It prevents group health plans from denying coverage to individuals with specific diseases and pre-existing conditions, and from setting lifetime coverage limits.
  • HIPAA Title II: directs the U.S. Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. It also requires that healthcare organizations remain in compliance with privacy regulations set by HHS.
  • HIPAA Title III: includes tax-related provisions and guidelines for medical care.
  • HIPAA Title IV: defines health insurance reform, including individuals with pre-existing conditions and those seeking continued coverage.
  • HIPAA Title V: includes provisions on company-owned life insurance and treatment of those who lose their U.S. citizenship for income tax purposes.

HIPAA Title II is the section most relevant to IT. Also known as the Administrative Simplification provisions, Title II includes the following HIPAA requirements:

  • National Provider Identifier Standard
    • Each healthcare entity must have a unique 10-digit National Provider Identifier (NPI).
  • Transactions and Code Sets Standards
    • Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) when submitting and processing insurance claims.
  • HIPAA Privacy Rule
    • The Standards for Privacy of Individually Identifiable Health Information establishes standards to protect patient health information.
  • HIPAA Security Rule
    • The Security Standards for the Protection of Electronic Protected Health Information sets standards for patient data security.
  • HIPAA Enforcement Rule
    • Establishes guidelines for investigations into HIPAA compliance violations.

HIPAA Violations

The HIPAA Breach Notification Rule requires covered entities and the other parties concerned to notify patients in the event of a data breach. Additionally, healthcare organizations can receive fines after HIPAA audits mandated by the HITECH Act and conducted by the Office for Civil Rights (OCR). Providers could also face criminal penalties.

Organizations can lower their risk of regulatory action through HIPAA compliance training programs. The OCR has six educational programs; consultancies and training groups offer programs as well. Healthcare providers may also choose to create their own training programs, encompassing each organization's current HIPAA privacy policies, the HITECH Act, and other guidelines.

Because there are currently no official HIPAA compliance certification programs, training companies offer their own certification credentials to indicate an understanding of the guidelines and regulations specified by the act.

The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes protections for individuals' medical records and personal health information. It requires appropriate safeguards to protect the privacy of that information and sets limits on its use and disclosure without proper authorization. It also gives patients rights over their health information, including, but not limited to, the right to examine and obtain a copy of their health records and to request corrections.

Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes and administrative requests when necessary.

Key Takeaways

The principles outlined by HIPAA were designed to establish the roles and responsibilities of those who hold and exchange electronic health information. These principles provide a good foundation upon which an organization may build its privacy infrastructure.

References & External Links:
  1. The HIPAA Privacy Rule
  2. What is HIPAA?