Looking for our new resources?
- Our collection of single page Fast Facts on key issues under HIPAA is here. Topics include:
- What is Protected Health Information (PHI)?
- Are You a Business Associate Under the HIPAA Privacy and Security Rules?
- Our collection of single page Myth Busters breaking down common misconceptions about HIPAA is here. Myths include:
- MYTH: Patients may not restrict the release of their health information to their health insurance plans
- MYTH: A patient may sue a provider under HIPAA for disclosing their health information without authorization
- Our Decision Support Tool, which helps entities determine who is a business associate under the new definition, is here.
HIPAA: An Overview
The HIPAA Statute
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), made up of five titles.1
- Title I amended the Employee Retirement Income Security Act (ERISA), the Public Health Service Act (PHSA), and the Internal Revenue Code of 1986 (IRC) to improve the portability and continuity of health insurance coverage in the group and individual markets. The non-discrimination provisions of Title I prohibit a group health plan from restricting benefits for a specific disease or treatment, or from setting lifetime coverage limit, unless the restriction or limit is applied uniformly to all similarly situated individuals and is not directed at any individual based on a health factor. Title I limited the time period in which a group health plan or issuer may exclude an individual’s preexisting condition for coverage, and permitted individuals to reduce this time period by applying prior “creditable coverage” to the new plan. Finally, Title I created special enrollment rights for individuals who lose their coverage under certain circumstances, such as termination of employment, divorce or death.
- Title II amended the Social Security Act and the federal criminal code. Title II is made up of seven subtitles, the provisions of which were intended to combat fraud, waste, and abuse in and simplify the administration of the health insurance and health care delivery systems.
- Title III amended the IRC to provide certain tax deductions for medical insurance, specify the amount from a pre-tax medical savings account that may be used for medical expenses, and regulate long-term care insurance and long-term care services that must be treated as medical care.
- Title IV amended the IRC and the PHSA to establish guidelines for the enforcement of the Title I provisions relating to coverage for preexisting conditions and continuation of coverage. Title V amended the IRC to regulate employers’ tax deductions for company-owned life insurance and income tax treatment of individuals who lose U.S. citizenship.
- Title V also repealed the IRC’s financial institution rule to interest allocation rules.
With respect to health information, Title II is the most significant provision of HIPAA. The provisions of its Subtitle F, known as the HIPAA Administrative Simplification provisions, serve as the basis for the regulations governing the use and disclosure of individually identifiable health information. Subtitle F has two primary regulatory functions. First, the provisions required the Secretary of Health and Human Services (the Secretary) to adopt standard transaction formats, code sets and unique identifiers for covered entities (i.e., health care providers that transmit health information in electronic form in connection with a transaction covered in the rules, health plans, and health care clearinghouses) to use when electronically transmitting health information. Second, the provisions set forth guidelines for the security and privacy of individually identifiable health information and required the Secretary to adopt standards and safeguards to implement those guidelines.
The HIPAA Administrative Simplification Regulations: 2000 – 2008
HHS promulgated and modified several regulations to carry out its responsibilities and implement the Administrative Simplification provisions. These regulations are known as the Privacy Rule, the Security Rule, the Enforcement Rule, the Transactions and Code Sets Rule, and the Unique Identifier Rule.2
- The Transactions and Code Sets Rule defines administrative and financial transactions in which individually identifiable health information is exchanged electronically between covered entities and identifies standard formats for those transactions based on electronic data interchange (EDI) standards defined by the Accredited Standards Committee (ASC) X12 and the National Council for Prescription Drug Programs (NCPDP). The standard formats are primarily focused on the content of the transactions, and all covered entities are required to use and accept these standard formats. The Rule also identifies standardized medical data code sets (HCPCS, CPT-4, CDT-2, NDC, and ICD-9-CM; in 2009, the ICD-9-CM code set was replaced with the ICD-10-CM and ICD-10-PCS code sets, which will go into effect in October 1, 20143) to be used as applicable by covered entities conducting any of the electronic transactions.4 The Transactions and Code Sets Rule was originally published on August 17, 2000, modified on February 20, 2003 and again on January 16, 2009.
- The Unique Identifier Rule created the Employer Identification Number (EIN) as the standard identifier for employers and the National Provider Identifier (NPI) for health care providers, to be used by covered entities in any standard transaction. 5 The EIN rule was published on May 31, 2002, and the NPI rule was published on January 23, 2004.
- The Security Rule identifies administrative, technical, and physical safeguards that covered entities must implement with respect to electronic protected health information.6 The Security Rule was originally published on February 20, 2003.
- The Privacy Rule sets forth requirements governing a covered entity’s use and disclosure of protected health information (maintained electronically or in paper format), identifies the rights an individual has with respect to his or her health information, and specifies the procedures by which an individual may exercise those rights.7 The Privacy Rule was originally published on December 28, 2000, and modified on August 14, 2002.
- The Enforcement Rule sets forth requirements governing investigations, hearings, and civil monetary penalties applicable to violations of the requirements of any of the five rules.8 The Enforcement Rule was published as an Interim Final Rule on April 17, 2003, and was modified and published in final form on February 16, 2006. The Office of Civil Rights (OCR) administers and enforces the provisions of the Security and Privacy Rules in accordance with the requirements established in the Enforcement Rule.9 The Centers for Medicare & Medicaid Services (CMS) oversees and enforces the provisions of the Transactions and Code Sets and Unique Identifier Rules in accordance with the requirements established in the Enforcement Rule.10
Modifications to the HIPAA Regulations: 2009 - present
Several laws and regulations have been issued since HIPAA was signed into law that modify and expand the Administrative Simplification implementing regulations. The Health Information Technology for Economic and Clinical Health (HITECH) Act 11 made several modifications applicable to HIPAA.
- HITECH required the Secretary to create a Breach Notification Rule governing a covered entity’s responsibilities when unsecured protected health information is inappropriately disclosed. The Breach Notification Rule was issued as an Interim Final Rule on August 24, 2009; the requirements in this rule applied to breaches occurring on or after September 23, 2009.12
- HITECH enhanced liability for violations of the HIPAA rules, increased penalties, and modified enforcement mechanisms. The Secretary issued an Interim Final Rule modifying the Enforcement Rule to include these provisions on October 30, 2009; these modifications applied to violations occurring on or after February 18, 2009.13
- HITECH also made changes to provisions governing business associates, the sale of protected health information, and use of protected health information for marketing and research. The Secretary issued a Proposed Rule modifying the Privacy, Security, and Enforcement Rules in accordance with these changes on July 14, 2010.14
An overview of the proposed changes to HIPAA implementing the HITECH requirements is here [healthinfolaw.org/federal-law/proposed-hipaa-regs-hitech].
While HITECH made the most substantial changes to HIPAA, several other laws required substantive changes to the HIPAA regulations. The Genetic Information Nondiscrimination Act of 2008 (GINA) 15required the Secretary to modify the Privacy Rule to clarify that genetic information is health information, and to prohibit the use and disclosure of genetic information for underwriting purposes. The Secretary issued a Proposed Rule implementing these requirements on October 7, 2009.16 The Patient Safety and Quality Improvement Act of 2005 (PSQIA) required the Secretary to modify HIPAA to include patient safety activities as a covered activity.17
On January 17, 2013, HHS issued a Final Omnibus Rulemaking finalizing the implementation of the GINA, PSQIA, and HITECH requirements, which included changes and additions to the Privacy, Security, Breach Notification, and Enforcement Rules.18 The requirements in the Final Rule are in effect as of March 26, 2013, and covered entities must be in compliance with these rules as of September 23, 2013.
- A brief overview of the Final Omnibus Rule is here [healthinfolaw.org/article/overview-final-hipaa-rule].
- A detailed summary of the Final Omnibus Rule, including stakeholder comments, HHS' responses, and analysis of significant provisions is here [healthinfolaw.org/article/summary-final-hipaa-rule].
- A side-by-side table comparing the pre-2009 HIPAA regulations to the Proposed/Interim Final Rules, and to the Final Omnibus Rule is here [healthinfolaw.org/article/table-hipaa-regs-proposed-final-rules].
HIPAA Modifications under the Affordable Care Act
The Patient Protection and Affordable Care Act of 2010 (ACA) also expanded and added to the HIPAA requirements. The ACA identified a new electronic health care transaction for which the Secretary must adopt a standard transaction format, and required the Secretary to adopt operating rules for each HIPAA transaction. These operating rules are business rules and guidelines that identify the method by which information should be transmitted and clarify ambiguities in existing transaction format standards. Under the ACA, health plans must certify their compliance with standards and operating rules. The ACA also required the Secretary to establish a unique identifier for health plans.19
HIPAA Regulations and State Law
The requirements in the HIPAA statute and any applicable implementing regulations will preempt any contrary provisions of state law unless such state law is considered “more stringent” than the HIPAA requirement. All states have enacted their own laws and regulations governing health information, and many have enacted laws that may be considered contrary to or more stringent than HIPAA. Preemption of a state law is determined on a case-by-case basis, and it can be challenging for patients, providers, payers, and other stakeholders to know which law applies and under what circumstances.
- Access our 50-state surveys comparing the laws of each state to relevant HIPAA provision here.
- Browse a library of all health information laws and regulations summarized by state here [healthinfolaw.org/state].
- Browse a library of all health information-related resources by topic here [healthinfolaw.org/topics].
- 1. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.).
- 2. These rules are all located within Title 45 of the Code of Federal Regulations (CFR), Subtitle A, Subchapter C (regulations governing public welfare, promulgated and enforced by HHS, setting forth administrative data standards and related requirements). General administrative requirements applicable to all rules are located at 45 C.F.R. Part 160, Subpart A; state law preemption requirements applicable to all rules are located at 45 C.F.R. Part 160, Subpart B. Additional provisions applicable only to the Security, Privacy, and as of 2010, Breach Notification Rules, are located at 45 C.F.R. Part 164, Subpart A.
- 3. HIPAA Administrative Simplification: Modifications to Medical Data Code Set Standards to Adopt ICD-10-CM and ICD-10-PCS; Final Rule, 74 Fed. Reg. 3328 (January 16, 2009); the compliance date for adoption was changed from October 1, 2013 to the current compliance date of October 1, 2014 in Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for the International Classification of Diseases, 10th Edition (ICD–10–CM and ICD–10–PCS) Medical Data Code Sets; Final Rule, 77 Fed. Reg. 54664 (September 5, 2012).
- 4. Transactions and Code Sets Rule, codified as amended at 45 C.F.R. Part 162, Subparts I – S (note that code sets requirements are located in Subpart J) (2009).
- 5. Unique Identifier Rule, codified at 45 C.F.R Part 162, Subparts D (Provider Identifier) and F (Employer Identifier) (2008) (note that a Subpart E, adding a health plan unique identifier, was added in 2012).
- 6. The Security Rule, codified at 45 C.F.R. Part 164, Subpart C (2008).
- 7. The Privacy Rule, codified as amended at 45 C.F.R. Part 164, Subpart E (2008).
- 8. The Enforcement Rule, codified as amended at 45 C.F.R. Part 160, Subparts C, D, and E (2008).
- 9. Office for Civil Rights Homepage. Health Information Privacy: HIPAA Administrative Simplification Statute and Rules. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html (last accessed March 12, 2013).
- 10. Centers for Medicare & Medicaid Services Homepage. Regulations and Guidance: Enforcement. Available at: http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Enforcement/index.html (last modified March 11, 2013).
- 11. American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5 (Feb. 17, 2009), Division A, Title XIII and Division B, Title IV, Health Information Technology for Economic and Clinical Health Act (HITECH Act) (codified at 42 U.S.C. § 17930, et seq).
- 12. Breach Notification for Unsecured Protected Health Information; Interim Final Rule with Request for Comments, 74 Fed. Reg. 42740 (August 24, 2009); the Breach Notification Rule is specifically located at 45 C.F.R. Part 164, Subpart D.
- 13. HIPAA Administrative Simplification: Enforcement; Interim Final Rule with Request for Comment, 74 Fed. Reg. 56123 (October 30, 2009).
- 14. Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act; Notice of proposed rulemaking, 75 Fed. Reg. 40868 (July 14, 2010).
- 15. The Genetic Information Nondiscrimination Act of 2008 (GINA), Pub. L. No. 110-233, 122 Stat. 881 (codified in scattered sections of 26, 29, and 42 U.S.C.).
- 16. HIPAA Administrative Simplification: Standards for Privacy of Individually Identifiable Health Information; Notice of Proposed Rulemaking, 74 Fed. Reg. 51698 (October 7, 2009).
- 17. The Patient Safety and Quality Improvement Act of 2005 (PSQIA), Pub. L. No. 109-41, 119 Stat. 424, amending Title IX of the Public Health Service Act (codified at 42 U.S.C. § 299b-21, et. seq., §299b-22).
- 18. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 78 Fed. Reg. 5566 (January 25, 2013) (to be codified at 45 CFR pts 160 and 164).
- 19. HPID selected as unique identifier by the Secretary, codified at 45 C.F.R. Part 162, Subpart E (2012).