What is HIPAA?

This guide provides an overview of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is a US federal law designed to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. Its primary goals are to improve the efficiency and effectiveness of the healthcare system while ensuring the privacy and security of individuals' health data.

Who Is Not Covered Under HIPAA Regulations?

Who Must Comply with HIPAA?

HIPAA rules apply to specific groups known as "Covered Entities" and their "Business Associates." However, it is equally important to understand which organizations are generally not covered by these regulations. The definitions and examples follow.

Covered Entities

These are the primary groups that must follow HIPAA rules. They create, receive, maintain, or transmit Protected Health Information (PHI) in their standard operations.

  • Health Plans: Health insurance companies, HMOs, Medicare, and Medicaid.
  • Health Care Providers: Doctors, clinics, hospitals, dentists, and pharmacies that electronically transmit health information.
  • Health Care Clearinghouses: Entities that process nonstandard health information into a standard format.

Business Associates

A person or organization that performs functions or provides services to a Covered Entity involving the use or disclosure of PHI.

  • Services: Billing companies, data analysis firms, IT providers, and legal counsel.
  • Requirement: They must have a "Business Associate Agreement" (BAA) with the Covered Entity, which makes them directly liable for HIPAA compliance.

Who Is Generally NOT Covered by HIPAA?

Many organizations handle health-related data but are not considered Covered Entities or Business Associates, and are therefore not required to be HIPAA compliant.

  • Most employers (in their capacity as an employer).
  • Life insurance and workers' compensation carriers.
  • Many schools and school districts.
  • State and local law enforcement agencies.
  • Many health and fitness app developers.

Penalties for Violations

HIPAA violations can result in significant civil and criminal penalties. The fines are structured in tiers based on the level of culpability, with a penalty range set per violation for each tier.

Frequently Asked Questions

Here are answers to some common questions about HIPAA regulations and their application.

Does HIPAA apply to every healthcare provider?

Not necessarily. HIPAA applies specifically to healthcare providers that conduct certain financial and administrative transactions electronically, such as billing insurance companies. A provider that only accepts cash payments and does not electronically transmit health information for transactions might not be a Covered Entity. However, most modern providers do fall under this definition, and many choose to follow HIPAA standards as a best practice for patient privacy regardless.

What is the difference between the Privacy Rule and the Security Rule?

The Privacy Rule sets the standards for who may access and use Protected Health Information (PHI). It applies to PHI in all forms: electronic, paper, or oral. The Security Rule specifically deals with the protection of electronic PHI (ePHI). It outlines the administrative, physical, and technical safeguards that must be in place to secure ePHI from unauthorized access, use, or disclosure.

Can an individual sue for a HIPAA violation?

HIPAA itself does not include a "private right of action," meaning an individual cannot directly sue a Covered Entity or Business Associate for a HIPAA violation in federal court. However, individuals can file a complaint with the Department of Health and Human Services' Office for Civil Rights (OCR), which investigates and enforces HIPAA. Additionally, violations may sometimes be used as evidence of negligence in state-level lawsuits related to medical privacy.