What Is HIPAA?

HIPAA Provides Important Health and Private Information Protections

Fact checked by Nick Blackmer

HIPAA refers to the Health Insurance Portability and Accountability Act, which was signed into law by President Bill Clinton in 1996.

According to the legislation itself, the stated goal of HIPAA was “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”

Although HIPAA is a wide-ranging law that affected many aspects of Americans’ health coverage, it’s often misunderstood as being just about information privacy. That is an important aspect of HIPAA, but there’s a lot more to the law (information privacy falls under the “other purposes” catchall in the goal).

This article will explain what HIPAA does, who it protects, and how those protections have evolved over time.

HIPAA Rules and Regulations

HIPAA is divided into five major sections or titles. Here’s an overview:

• Title I is called Health Care Access, Portability, and Renewability. This is all about protecting access to health insurance (mostly regarding employer-sponsored health plans), regardless of preexisting conditions or medical history.

• Title II is called Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform. This section addresses the protection of private personal health information. It also includes administrative simplification provisions designed to improve and streamline communications between health plans and medical providers.

• Title III is called Tax-Related Health Provisions. This section increased the percentage of health insurance premiums that could be tax-deductible for self-employed people. It also created medical savings accounts (subsequently replaced by health savings accounts) and implemented a tax-advantaged approach to long-term care services and long-term care insurance premiums.

• Title IV is called Application and Enforcement of Group Health Plan Requirements. This section pertains to access, portability, and renewability under group health plans (i.e., employer-sponsored plans).

• Title V is called Revenue Offsets. This section prohibits the tax-deduction of interest on company-owned life insurance loans. It also changed the income tax rules for people who lose U.S. citizenship, including allowing the expatriation tax to be applicable if a person gives up their citizenship for tax reasons.

Health Care Access, Portability, and Renewabilty

This section of HIPAA, along with Title IV (application and enforcement of group health plan requirements), was arguably the most important part of the law at the time it was enacted. Without it, workers would have had far fewer consumer protections related to their health benefits.

The Affordable Care Act (ACA) enhanced HIPAA’s provisions and extended them to apply to individual/family (self-purchased) health coverage. So since 2014, HIPAA and ACA protections have provided robust protections to ensure access to health coverage in the U.S.

Preexisting Conditions and HIPAA

HIPAA implemented rules to ensure that an employer-sponsored health plan could not exclude an enrollee’s preexisting conditions indefinitely. Preexisting conditions are those you have before applying for health insurance coverage.

Group health plans were still allowed to exclude preexisting conditions under HIPAA, but only for a maximum of 12 months (or 18 months for people who enrolled after they were initially eligible; note that using a special enrollment period did not count as late enrollment).

If an enrollee had prior creditable coverage (which was broadly defined and included most types of health coverage) without a break of more than 63 days, the preexisting condition exclusion period would be reduced by the length of time the person had prior creditable coverage.

This rule allowed people to switch from one employer-sponsored plan to another without going through a preexisting condition waiting period under the new plan.

Guaranteed Issue and Renewability

HIPAA also required all health insurers that offered small group health coverage to make their small group plans guaranteed issue. Guaranteed issue means that a health insurer could not reject a small group due to the medical history of one or more employees or their dependents.

Small group generally meant a plan that covered two to 50 employees, which is still the definition used in most states.

HIPAA also ensured guaranteed renewability for individual/family health coverage (i.e., the coverage that people purchase themselves, unrelated to an employer).

So as long as a person with individual/family health coverage continued to pay their premiums on time and reside within the health plan’s service area, their coverage had to be renewed each year, regardless of medical conditions.

There were exceptions for fraud, misrepresentation, or situations in which the insurer simply stopped offering coverage altogether in that area.

Gaps

But there were still a lot of gaps in the protections provided by HIPAA. For example, the rules weren’t nearly as robust if a person was transitioning to individual/family health coverage (either from another individual/family health plan or from an employer-sponsored plan).

In most states, most individual/family health plans were not guaranteed-issue, even for people who were HIPAA-eligible. Instead, most states relied on a carrier of last resort or a high-risk pool to provide a guaranteed-issue option.

For employer-sponsored coverage, there were also various gaps in the HIPAA protections. For example, although small group plans had to be guaranteed-issue, insurers could adjust a group’s total premiums based on the group’s overall medical history.

There were no requirements that employer-sponsored plans offer health coverage at all. And if they did, there were very few federal rules regarding how comprehensive the coverage had to be.

Many of these gaps were filled in by the Affordable Care Act (also known as Obamacare). The ACA made various changes to the rules for employer-sponsored health coverage and substantial changes to the rules for individual/family health insurance. They included:

• Preexisting condition waiting periods were eliminated altogether (regardless of whether a person had prior creditable coverage). This applies to both individual/family and employer-sponsored health plans.

• Large employers (50+ full-time equivalent employees) were required to offer health coverage that’s comprehensive and considered affordable.

• It modified community rating for small group and individual/family health insurance. Health insurers can no longer base small group or individual/family health insurance premiums on medical history. The only factors that can be used to adjust the premiums are age, location, and tobacco use.

• Individual/family health insurance is now guaranteed-issue, regardless of a person’s medical history or prior coverage history. This was not the case under HIPAA; very few individual/family health plans were guaranteed-issue before the ACA, even for HIPAA-eligible individuals, unless they lived in one of a handful of states that had more robust laws).

• Individual and small group health plans with effective dates of 2014 or later are required to cover various essential health benefits.

How HIPAA Protects Private Medical Information

Although information privacy is probably the HIPAA provision that’s most well-known, it’s often misunderstood. The COVID-19 pandemic exacerbated this, with some people erroneously believing that businesses asking about a person’s vaccination status were violating HIPAA (they are not).

While medical privacy is only one part of HIPAA, it’s understandable that it’s the part that people hear about the most. Many of HIPAA’s health insurance portability and preexisting condition protections were improved or replaced by ACA.

HIPAA’s protection of personal health information is still something that requires compliance from numerous individuals and entities. Let’s take a look at what HIPAA does to protect a person’s sensitive medical information.

HIPAA Privacy Rule

Under Part C of Title II of HIPAA (the Administrative Simplification section), the legislation directs the Department of Health and Human Services (HHS) to make “detailed recommendations on standards with respect to the privacy of individually identifiable health information.”

This is often the case with legislation; the law enacts a general framework, and then all of the regulatory details are spelled out in subsequent regulations. HHS proposed privacy regulations in 1999, finalized them in 2000, and has issued various modifications and updates to the rules since then.

The regulations created what is known as the HIPAA Privacy Rule. This rule details how protected health information (PHI) must be safeguarded.

PHI is defined in the U.S. Code of Federal Regulations as “individually identifiable health information” transmitted or maintained in electronic or any other format. So it includes medical histories, test results, insurance information, or data that can be used to identify a patient.

However, it excludes information in education records (the HIPAA Privacy Rule generally does not apply to schools), employment records, or about a person who has been dead for more than 50 years.

The HIPAA Privacy Rule limits how, when, and to whom a person’s PHI can be disclosed without the person’s authorization. The rule also allows a person to request their own PHI (and request corrections, if necessary) and authorize its transmittal to someone else.

Entities that are subject to the HIPAA Privacy Rule (covered entities) include:

• Health plans

• Healthcare providers (doctors, hospitals, etc.)

• Healthcare clearinghouses: Any entity that processes nonstandard health information so that it conforms to standard requirements, or vice versa; (this can include entities like billing services and health information systems)

• Business associates of covered entities who have access to PHI (entities or individuals who work on behalf of a covered entity)

If a covered entity (or business associate of a covered entity) experiences a data breach in which PHI is compromised, the HIPAA Breach Notification Rule requires the entity to provide notification within 60 days to people whose PHI was improperly accessed.

You Can Be Asked to Provide PHI

It’s important to understand that HIPAA’s Privacy Rule only applies to the unauthorized disclosure of PHI by a covered entity or a business associate of a covered entity. It does not in any way prevent or restrict a business or employer from requesting PHI directly from the patient.

A person might choose not to provide the requested information (and might find that they’re denied entry to the business, for example), but HIPAA has nothing to do with this.

HIPAA Security Rule

The HIPAA Security Rule also stems from Part C of Title II of HIPAA. Regulations to implement the Security Rule were first proposed by HHS in 1998 and have been updated and modified several times.

The purpose of the Security Rule, officially known as “The Security Standards for the Protection of Electronic Protected Health Information,” is to impose safeguards on how electronic PHI is stored, used, and transmitted. The intent is to “ensure the confidentiality, integrity, and security” of electronic protected health information.

The HIPAA Security Rule applies to health plans, healthcare clearinghouses, and medical providers who transmit PHI electronically. The Security Rule clarifies the operational safeguards these entities must take when storing or transmitting electronic PHI to ensure that the Privacy Rule is upheld.

But while the Privacy Rule applies to all types of PHI, including those stored or transmitted orally or on paper, the Security Rule only applies to electronic PHI. Covered entities that run all or most of their records electronically will find a significant overlap between the requirements of the Privacy Rule and the Security Rule.

HIPAA Transactions and Code Set Rules (TCS)

HIPAA’s Administrative Simplification section directs HHS to establish standardized code sets that are used to transmit various medical information, including diagnoses, treatments, health insurance claim status information, etc.

The legislation defines “code set” as a “set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.”

The idea behind this was to make healthcare communication simpler and more streamlined, with all entities using the same code sets and thus able to understand each other easily (albeit with some help from computers that process the code sets).

The following code sets are used to transmit various medical data:

• International Classification of Diseases (ICD-11): Used for diagnoses and procedures, this replaced ICD-10 as of 2022.

• Current Procedure Terminology (CPT): This is used for outpatient treatment.

• Healthcare Common Procedure Coding System: This is used for Medicare and for services and equipment not covered by CPT.

• Code on Dental Procedures and Nomenclature (CDT): This is used for dental procedures.

• National Drug Codes (NDC): This is used for medications.

HIPAA Enforcement Rule

Just like the Privacy Rule and the Security Rule, the HIPAA Enforcement Rule was issued by HHS in a series of regulations designed to modify and update HIPAA requirements.

The Enforcement Rule was initially finalized in 2006. An updated final rule was issued in 2013, designed to strengthen PHI privacy and security protections, including protections for genetic information.

It modified the existing rules to comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act of 2008 (GINA).

The Enforcement Rule details how HIPAA Privacy and Security Rule complaints are handled, including potential fines for noncompliance. These complaints are investigated by the Office of Civil Rights (OCR) or by state attorneys general.

Fines for HIPAA violations can apply to any covered entities (health plans, medical providers, healthcare clearinghouses) and to business associates of any covered entity if they violate HIPAA Privacy or Security Rules or the Breach Notification Rule.

Under the Enforcement Rule, covered entities and their business associates can be subject to fines for intentional or unintentional violations of any of those rules. Financial penalties tend to be used for only the most egregious violations. Lesser violations tend to be resolved with a plan to correct the violation and prevent it in the future.

If OCR determines that a financial penalty is warranted, the penalty structure varies depending on the nature of the HIPAA violation, A four-tier system is used.

The lowest tier is for violations that the entity was unaware of and could not have realistically avoided, even with adherence to HIPAA regulations. The highest tier is for situations that involve willful neglect, with the covered entity doing nothing to prevent or correct the violation.

For the lowest-tier violations, fines are rare. If they are issued, the minimum fine under the HITECH Act was set at $100 per violation, up to a maximum of $50,000. But for the highest tier, the minimum fine was set at $50,000 per violation.

These amounts have been indexed for inflation. The maximum penalties have been adjusted downward for lower-tier violations. In 2021, the inflation-adjusted minimum penalties ranged from $120 to $60,226, depending on the tier. The annual maximum penalty ranges from a little over $30,000 to more than $1.8 million.

Covered Entities

HIPAA’s privacy protections for PHI only apply to covered entities and their business associates. Covered entities include health plans, medical providers, and healthcare clearinghouses.

A healthcare clearinghouse is defined as an entity that processes nonstandard health information to conform to standard requirements or vice versa. This can include entities such as medical billing services, IT consultants, and community health information systems.

Business associates are defined as individuals or entities that work on behalf of a covered entity and have access to PHI.

Who Does Not Have to Follow HIPAA Rules?

Any entity that is not a covered entity (or their business partner) is not subject to HIPAA’s rules protecting PHI. There is a long list of entities that are not subject to these rules. They include employers, schools, law enforcement agencies, businesses, municipal agencies, life insurers, workers’ compensation carriers, etc.

Filing a HIPAA Complaint

If you believe that a covered entity has compromised your PHI (or someone else’s PHI) and failed to abide by HIPAA’s rules, you can file a complaint with the Office of Civil Rights (OCR). Complaints can be filed online or in writing, and HHS has a website that will walk you through what you need to know about this process.

Other Rules and Regulations

HIPAA Title III included some important healthcare provisions that are either still in effect or that provided the groundwork for systems that we still use today.

These include an increase in the self-employed health insurance tax deduction, the creation of medical savings accounts, and tax advantages for long-term care services and long-term care insurance.

HIPAA and the Self-Employed Health Insurance Deduction

Starting in 1986, self-employed people were allowed to deduct 25% of the cost of their health insurance. This was beneficial to self-employed people, but HIPAA drastically improved the benefit.

HIPAA (Title III, Subsection B) raised the deduction to 30% in 1996 and then called for it to gradually increase to 80% by 2006. Additional legislation, enacted in 1999, accelerated this timetable and further increased the deduction by allowing self-employed people to deduct 100% of their health insurance premiums starting in 2003.

The self-employed health insurance deduction is still in use today and is an important part of making health coverage affordable for people who are self-employed.

As a result of the ACA, many self-employed people are also eligible for premium subsidies if they purchase coverage in the exchange/marketplace. But any premiums that they pay out of their own pocket (the portion that isn’t paid by a subsidy) can be deducted on their tax return, without a need to itemize deduction.

Medical Savings Accounts

HIPAA (Title III, Subtitle A) created medical savings accounts (MSAs), which were the precursor to today’s health savings accounts (HSAs). Under HIPAA, up to 750,000 tax-advantaged MSAs could be opened by self-employed people or employees of small businesses. But the program was quite restrictive, and only about 75,000 accounts were opened.

Just like today’s HSAs, a person was required to have a high-deductible health plan (HDHP) in order to contribute to an MSA, and could deduct MSA contributions on their tax return even if they didn’t itemize their deductions.

But HSAs, which debuted under the Medicare Modernization and Prescription Drug Act of 2003, offer more flexibility and have proven to be much more popular. MSAs allowed contributions to come from the account holder or their employer, but not both in the same year.

HSAs allow the individual, an employer, someone else, or any combination thereof, to make contributions to the account, up to the maximum allowable limit each year.

HSAs can also be used by more people. Anyone who has HDHP coverage (without any additional coverage) can contribute to an HSA, whereas MSAs were limited to self-employed people and employees of small businesses.

Existing Archer MSAs were allowed to remain in place, but no new MSAs were created once HSAs became available. HSAs have proven to be very popular, with more than 35 million HSAs in the U.S. as of 2022.

Although HSAs and MSAs have some key differences, they also share a lot of features. And HIPAA’s creation of MSAs paved the way for today’s HSAs.

Tax-Advantaged Treatment of Long-Term Care Services and Insurance

Prior to HIPAA, there was no preferential tax treatment for long-term care services or insurance. HIPAA (Title III, Subtitle C) changed that. Under HIPAA rules, qualified long-term care benefits can be received tax-free, and employer-sponsored premiums for long-term care insurance can be paid on a pre-tax basis (this reduces the person’s taxable income).

For individuals who buy their own long-term care insurance, HIPAA also introduced the ability to incorporate long-term care insurance premiums into total medical expenses, and deduct any medical expenses that exceed 7.5% of income, as long as the person itemizes their deductions.

HIPAA did impose a limit on how much could be deducted for long-term care premiums, with the amount based on the person’s age. When the law debuted, the annual deduction limits for long-term care insurance ranged from $200 for a person no more than 40 years old, to $2,500 for a person older than 70.

These amounts have been indexed annually by the IRS. As of 2023, they range from $480 to $5,960. But the tax-advantaged treatment of long-term care services and insurance continue to be applicable today.

Summary

HIPAA was a landmark piece of legislation enacted in 1996. Although it is well known for its rules regarding the protection of private health information, the law included many other provisions.

Among the most important were the protections for people with preexisting medical conditions who enrolled in an employer’s health plan. Those protections were enhanced and expanded upon by the Affordable Care Act.

HIPAA’s information privacy rules have been updated numerous times to keep pace with changing technology. They continue to provide robust protection, with covered entities required to ensure that patient data is stored and transmitted securely, is made available to patients upon request, and is not disclosed unnecessarily without authorization.

A Word From Verywell

For over 25 years, HIPAA has provided a framework for protecting access to health coverage for people with preexisting conditions as well as protection of sensitive personal health information.

Various regulations have been issued and updated over the years to keep up with changes in how healthcare information is used and transmitted, and HIPAA continues to protect Americans’ private health data.

Covered entities, which include health plans, medical providers, and people or businesses that transmit medical data, are subject to strict privacy and security rules, and face potential fines for violations.

HIPAA ensures that you have access to your own medical records, that you can request corrections in your medical records if necessary, and that you can control who has access to your medical records.

If you feel that your protected health information has been compromised by a covered entity, you can file a complaint with the Office of Civil Rights and they will investigate it.

Frequently Asked Questions

What are the three rules of HIPAA?

HIPAA’s three main rules are the Privacy Rule (with a Breach Notification Rule in case a data breach is discovered), the Security Rule, and the Enforcement Rule. Together, these rules help to ensure that protected health information (PHI) is properly safeguarded.

What is protected by HIPAA?

Protected health information (PHI) includes information such as demographic data, a person’s medical history, test/lab results, prescriptions, and health insurance details. It can include any information about healthcare services or information that can be used to identify a patient.

But HIPAA rules only prevent unauthorized disclosure by a covered entity (health plan, medical provider, medical clearinghouse, or a business associate of those entities).

What is not protected by HIPAA?

HIPAA rules do not apply to anyone who isn’t a covered entity or business associate of a covered entity. Covered entities include health plans, medical providers, and healthcare clearinghouses (entities that transmit protected health information into or out of standard formats).

Information in education records or employment records is not protected under HIPAA, and neither is information about a person who died more than 50 years ago.

HIPAA does not forbid a business, employer, or individual from asking you to provide medical information, such as showing your proof of immunization.