The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that makes it easier for people to keep their health insurance when they change jobs, protects the confidentiality and security of health care information, and helps the health care industry control its administrative costs.
The Department of Health and Human Services (HHS) has developed five rules relating to the implementation of HIPAA’s Administrative Simplification (AS) provisions. If you’re a covered entity (a health care plan, a health care clearinghouse or a health care provider that electronically transmits medical information), then you must comply with:
- The Privacy Rule, which regulates the use and disclosure of Protected Health Information (PHI) held by covered entities, and protects individuals’ rights to understand and control how their health information is used.
- The Transactions and Code Sets Rule, which relates to the standardization of electronic transactions.
- The Security Rule, which complements the Privacy Rule and deals specifically with Electronic Protected Health Information (EPHI). It states that covered entities must ensure the confidentiality, integrity and availability of all EPHI they create, receive, maintain or transmit.
- The Unique Identifiers Rule, which states that all HIPAA-covered health care providers using electronic communications must use a unique ten-digit identification number, the National Provider Identifier (NPI).
- The Enforcement Rule, which establishes procedures for compliance and investigations, and sets civil money penalties for violations of the HIPAA AS Rules.
Criminal penalties for HIPAA violations range from fines of $50,000 and one year’s imprisonment to fines of $250,000 and ten years’ imprisonment. Civil money penalties for HIPAA violations are set at an annual maximum of $1.5 million.
View our information page to learn more about HIPAA and how it affects you.