The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a broad federal law that is in part designed to provide national standards for protection of certain information related to the provision of or payment for health care. As required by HIPAA, the federal Department of Health and Human Services (HHS) established regulations that implement the federal law. This site addresses the regulations commonly known as the Privacy and Security Rules.
In general, the Privacy Rule prohibits health care providers and health plans from using or disclosing an individual’s protected health information (PHI) without written authorization from the individual except for treatment, payment and health care operations. However, the Privacy Rule provides exceptions to this prohibition for a number of public policy reasons. Such exceptions include, but are not limited to, reporting certain injuries to law enforcement officials, reporting child abuse or vulnerable adult abuse, reporting the occurrence of certain diseases to public health officials, and complying with court orders and subpoenas.
When determining whether a health care provider may use or disclose PHI without authorization, both state and federal laws must be considered. The Privacy Rule provides an extensive list of permitted disclosures. However, where state laws provide greater privacy protections or privacy rights with respect to patients’ PHI, state laws will apply and supersede HIPAA.
The HHS’ Office for Civil Rights (OCR) is responsible for enforcing HIPAA’s Privacy and Security Rules. Additionally, the HITECH Act granted State Attorneys General the authority to bring civil actions and obtain damages on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
HIPAA establishes civil monetary penalties and federal criminal penalties for the impermissible use or disclosure of unsecured PHI in violation of HIPAA’s Privacy and Security Rules. Civil penalties range from $100 per violation per incident, to $1.5 million for all such violations of a single provision in a calendar year. Criminal penalties include fines up to $250,000 and up to 10 years imprisonment. Penalties may be imposed on employees as well as the University.