Skip to main content

Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a broad federal law that is in part designed to provide national standards for protection of certain information related to the provision of or payment for health care. As required by HIPAA, the federal Department of Health and Human Services (HHS) established regulations that implement the federal law. This site addresses the regulations commonly known as the Privacy and Security Rules.

In general, the Privacy Rule prohibits health care providers and health plans from using or disclosing an individual’s protected health information (PHI) without written authorization from the individual except for treatment, payment and health care operations. However, the Privacy Rule provides exceptions to this prohibition for a number of public policy reasons. Such exceptions include, but are not limited to, reporting certain injuries to law enforcement officials, reporting child abuse or vulnerable adult abuse, reporting the occurrence of certain diseases to public health officials, and complying with court orders and subpoenas.

When determining whether a health care provider may use or disclose PHI without authorization, both state and federal laws must be considered. The Privacy Rule provides an extensive list of permitted disclosures. However, where state laws provide greater privacy protections or privacy rights with respect to patients’ PHI, state laws will apply and supersede HIPAA.

Enforcement

The HHS’ Office for Civil Rights (OCR) is responsible for enforcing HIPAA’s Privacy and Security Rules.  Additionally, the HITECH Act granted State Attorneys General the authority to bring civil actions and obtain damages on behalf of state residents for violations of the HIPAA Privacy and Security Rules.

HIPAA establishes civil monetary penalties and federal criminal penalties for the impermissible use or disclosure of unsecured PHI in violation of HIPAA’s Privacy and Security Rules. Civil penalties range from $100 per violation per incident, to $1.5 million for all such violations of a single provision in a calendar year. Criminal penalties include fines up to $250,000 and up to 10 years imprisonment. Penalties may be imposed on employees as well as the University.

HIPAA News

Colorado Hospital Agrees to Settlement for Failing to Terminate Former Employee’s Access to Protected Health Information

December 11, 2018

Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and to adopt a substantial corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

Categories: General News, HIPAA News


Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

October 15, 2018

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led…

Categories: General News, HIPAA News


Unauthorized Disclosure of Patients’ Protected Health Information During ABC Television Filming Results in Multiple HIPAA Settlements Totaling $999,000

September 20, 2018

Today, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising the privacy of patients’ protected health information (PHI) by inviting film crews on…

Categories: General News, HIPAA News