The Health Insurance Portability and Accountability Act (HIPAA) is intended to protect the confidentiality of personal healthcare information. HIPAA imposes separate data-privacy and data-security rules on three types of covered entities: (1) health plans (insurance companies and self-insured employers); (2) healthcare providers (physician and dental practices, as well as any organization that offers healthcare and treatment to its employees on-site); and (3) healthcare clearinghouses. In addition, business associates of covered entities (consultants, claims-processing firms, etc.) must comply with HIPAA's data-security rules.
HIPAA's Privacy Rule regulates the use and disclosure of protected health information (PHI) by covered entities. PHI is information that concerns (1) any past, present or future physical or mental health of an individual; (2) provision of healthcare to an individual; or (3) payment for healthcare of an individual. HIPAA prohibits covered entities from disclosing PHI to others for marketing purposes without the patient's written authorization.
HIPAA's Security Rule regulates the creation, receipt, maintenance and transmission of electronic PHI. The Security Rule is intended to maintain confidentiality of PHI, protect it from improper modification or deletion, and ensure that electronic PHI is available to authorized persons or entities when needed. The Security Rule sets out specific administrative, physical and technical security safeguards required for compliance.
Failure to comply with HIPAA can lead to significant financial and other penalties, including civil fines ranging between $100 and $50,000 per violation, and criminal penalties that may include fines of up to $250,000 and/or imprisonment for up to ten years.
© WeComply/Thomson Reuters