The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that establishes standards for the protection of sensitive patient health information.
HIPAA applies to both covered entities (doctors, healthcare clinics, hospitals, etc.) and their business associates (entities that provide services to a covered entity that involve the use or disclosure of protected health information).
Key regulatory requirements:
- Privacy Rule: Protects the privacy of individually identifiable health information known as Protected Health Information (PHI).
- Security Rule: Requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI), including a documented risk analysis of the threats to ePHI.
- Breach Notification Rule: Affected individuals must be notified of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after the breach is discovered. Notifications must be sent in writing. Breaches affecting 500 or more individuals must also be reported to the Secretary of the Department of Health and Human Services (HHS) within the same 60-day window, and breaches affecting more than 500 residents of a state or jurisdiction must be reported to prominent media outlets serving that area; smaller breaches are logged and reported to HHS annually. A business associate that discovers a breach must notify the covered entity.
- Minimum Necessary Standard (part of the Privacy Rule): Uses, disclosures, and requests of PHI must be limited to the minimum necessary to accomplish the intended purpose.
- Omnibus Rule: This rule incorporates provisions from the HITECH Act and addresses areas like business associate responsibilities and patient rights to electronic copies of their health records.
The HHS Office for Civil Rights (OCR) enforces the Privacy, Security, and Breach Notification Rules. Civil monetary penalties are tiered by the level of culpability, from violations the entity did not know about (and could not reasonably have known about) up to willful neglect that is not corrected, starting at $100 per violation and capped at $1.5 million per calendar year for identical violations (both figures are adjusted for inflation). Knowing misuse of PHI can additionally be prosecuted criminally by the Department of Justice, with fines and imprisonment.