Health Insurance Portability and Accountability Act of 1996

Introduction
Part C of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires “the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.” Such standards are required to be consistent with the objective of reducing the administrative costs of providing and paying for health care. These “Administrative Simplification” provisions require the Secretary of Health and Human Services to adopt national standards to: facilitate the electronic exchange of information for certain financial and administrative transactions; establish code sets for data elements; protect the privacy of individually identifiable health information; maintain administrative, technical, and physical safeguards for the security of health information; provide unique health identifiers for individuals, employers, health plans, and health care providers; and adopt procedures for the use of electronic signatures.

HIPAA covered entities (health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically) are required to comply with the national standards and regulations promulgated pursuant to Part C.

Under HIPAA, the Secretary is required to impose a civil monetary penalty on any person failing to comply with the Administrative Simplification provisions in Part C. The maximum civil money penalty (i.e., the fine) for a violation of an administrative simplification provision is $100 per violation and up to $25,000 for all violations of an identical requirement or prohibition during a calendar year. HIPAA also establishes criminal penalties for any person who knowingly and in violation of the Administrative Simplification provisions of HIPAA uses a unique health identifier, or obtains or discloses individually identifiable health information.

Enhanced criminal penalties may be imposed if the offense is committed under false pretenses, with intent to sell the information or reap other personal gain. The penalties include (1) a fine of not more than $50,000 and/or imprisonment of not more than one year; (2) if the offense is under false pretenses, a fine of not more than $100,000 and/or imprisonment of not more than five years; and (3) if the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years. These penalties do not affect any other penalties that may be imposed by other federal programs.

HIPAA Privacy Standard
HIPAA requires health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically to take steps to ensure the privacy of medical records and to prohibit the disclosure of certain information without patient consent. The HIPAA Privacy Rule issued by HHS in 2002 requires a covered entity to maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule. The Office of Civil Rights (OCR) in HHS is responsible for enforcing the Privacy Rule.

HIPAA Security Standards
Regulations governing security standards under HIPAA require health care covered entities to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic “protected health information.” “The term ‘individually identifiable health information’ means any in