HIPAA 101: What Does HIPAA Mean?
“HIPAA: The federal law many people don’t actually understand.”
That’s the telling title of a recent news article, which goes on to state that it’s not spelled “HIPPA” or “HIPPO,” but rather HIPAA, the elusive healthcare-related act that even healthcare professionals sometimes get wrong.
Many hear about HIPAA within a healthcare setting: HIPAA violations, HIPAA compliance, and similar terms. But they don’t necessarily know what HIPAA means, why it started, what it stands for, or why they should care.
And they certainly should care; in 2021 alone, approximately 45 million healthcare records were stolen or compromised. In 2022, this number reached nearly 50 million records. The HIPAA Security Rule requires entities to conduct annual Security Risk Assessments as a way of mitigating threats like these and protecting individuals from experiencing life-altering privacy breaches, so understanding what it means and what it entails is more crucial than ever.
Read on to learn more about what HIPAA means, including its five main components, three key players, and more.
What Does HIPAA Stand For?
The acronym HIPAA refers to the Health Insurance Portability and Accountability Act of 1996.
Also known as the Kennedy-Kassebaum act, HIPAA was first enacted by the United States Congress and officially signed into federal law by Bill Clinton on August 21, 1996.
HIPAA was established, according to the National Library of Medicine, “with the dual goals of making health care delivery more efficient and increasing the number of Americans with health insurance coverage.” HIPAA also sought to combat fraud and abuse in health insurance, introduce tax breaks for medical savings accounts, and generally incentivize and simplify the administration and management of health insurance.
HIPAA has evolved and seen amendments and additions throughout the years, including the United States Department of Health and Human Services (HHS) Privacy Rule, which lays out standards for protecting sensitive patient health information. In most cases, when someone refers to a HIPAA violation, they’re talking about the Privacy Rule.
With the computerization of most medical records, compliance with the Privacy Rule and HIPAA at large is an even more critical piece of healthcare and patient privacy than ever before.
The 5 Main Components of HIPAA
At its inception, HIPAA was divided into five main parts, or titles, each of which tackled a different insurance-related area:
- Title I: HIPAA Health Insurance Reform – Title I seeks to protect health insurance coverage for those who lose or change jobs. It also disallows healthcare plans from withholding coverage to patients with preexisting conditions and setting lifetime coverage limits.
- Title II: HIPAA Administrative Simplification. Title II requires the HHS to establish national standards for processing electronic healthcare transactions. It also states that healthcare organizations must conduct transactions securely and comply with Privacy Rule regulations.
- Title III: HIPAA Tax-Related Health Provisions. Title III focuses on exemptions, deductions, and other tax-related areas.
- Title IV: Application and Enforcement of Group Health Plan Requirements. Title IV goes a step further in defining health insurance reform and specifies regulations for group health plans.
- Title V: Revenue Offsets. Title V touches on HIPAA regulations for company-owned life insurance and discusses the treatment of people who lose U.S. Citizenship for income tax purposes.
The 3 Key HIPAA Players
HIPAA involves three key players:
- Enforcers: HIPAA’s rules are primarily enforced by the Office for Civil Rights (OCR). The OCR may conduct compliance reviews, investigate reported breaches and complaints, and even refer more complex cases to the Department of Justice (DOJ). If the OCR finds a HIPAA violation, they’ll often establish corrective action or a resolution agreement to resolve the case. Other times, the OCR might require a violating organization to pay hefty fines, like in the recent case of a large health system that has agreed to pay $1.25 million, not including the expense of directly dealing with the breach.
- Covered entities: A breach of HIPAA can – and often does – result in costly fines and reputational damage, so entities must be aware if HIPAA covers them. HIPAA applies to any healthcare entity that possesses patient records, including health plans, healthcare clearinghouses, and certain healthcare providers that conduct certain financial transactions electronically. The rules still apply even if these entities contract out to a Business Associate (BA).
- Individual patients: The HIPAA Privacy Rule was designed to protect identifying information of an individual, including social security number, birthday, medical record numbers, and 15 other identifiers. Under HIPAA, patients have a right to access and control their protected health information (PHI), obtain copies of their records, and be notified if there is a privacy breach with expedience.
Why Should HIPAA Matter to You?
If you’re part of a healthcare organization, understanding and complying with HIPAA is not just a suggestion. The Security Rule requires covered entities to conduct periodic risk assessments to identify security risks, vulnerabilities, and threats to PHI. If you don’t do this, you risk potential security breaches, financial penalties, and reputational damage. You also won’t have the information you need to prioritize your budget and focus your efforts on the vulnerabilities that need it most.
It’s worth noting that HIPAA should matter to all healthcare organizations, regardless of size. As OCR director Melanie Fontes Rainer put it, “We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.” The OCR’s enforcement of HIPAA is not biased toward larger entities, so it’s imperative that all covered entities, including SMBs, take the necessary steps to remain HIPAA-compliant year-round.
For more on conducting a security risk assessment and understanding your role in HIPAA compliance, visit our HIPAA Security Checklist.
HIPAA is a complex law with a slew of moving pieces. Understanding the meaning, history, and key elements of HIPAA is the first step toward individuals being aware of their rights and entities abiding by regulations.
To ensures consistent compliance and maximum protection for everyone involved, many entities enlist the help of a HIPAA expert or solution. The right software and partner will provide you with comprehensive guidance through HIPAA assessments, interpretation of your results, and a careful action plan for remediation to ensure all elements and nuances of HIPAA are accounted for throughout the year.
Don’t let compliance fall through the cracks. Learn more about ensuring full HIPAA compliance by getting in touch with the HIPAA experts at Intraprise Health.