What is HIPAA?

Enacted in 1996, HIPAA is a federal statute that set guidelines for data privacy and modernized how patients’ health information is maintained and protected. Under HIPAA, personally identifiable information in a patient’s medical record cannot be shared without the patient’s express approval.

Key Takeaways

  • HIPAA stands for the Health Insurance Portability & Accountability Act
  • HIPAA established, for the first time, national standards to protect medical records and other personal health information.
  • HIPAA holds violators accountable for breaches of patients’ privacy through both civil and criminal penalties.
  • HIPAA has become increasingly important as healthcare is digitized and electronic medical records become the norm.

What is protected under HIPAA? 

HIPAA protects specific data and information. Now that electronic medical records are widespread in healthcare, a new wave of HIPAA concerns is rising, such as data mining, identity theft, and cyber-attacks.

Most information that makes a patient identifiable cannot be shared without the patient’s express decision to do so. So, what information is protected?

  • Any information that health professionals and providers put in the patient’s medical record

  • Conversations the patient’s health professional has with other health professionals regarding the patient’s care or treatment

  • The patient’s billing information

  • Any information regarding the patient that is held in a health insurance database

HIPAA is not just a protective mechanism for accessing medical information. It also provides a more accessible way for patients to see their medical records and for those records to be shared to coordinate treatment plans and provide continuity of care. When utilized correctly, electronic health records have been instrumental in increasing efficiency in health care. 

Who needs to follow HIPAA

Organizations that must comply with HIPAA are called “covered entities” and include:

  • Health plans: HMOs, Medicare/Medicaid, company plans, and any health insurance company

  • Most healthcare providers, especially those that use electronic health records including billing information 

Other entities that may have access to health information when providing services to these covered entities are also responsible under HIPAA and are called “business associates.” These include:

  • Companies that are in charge of storing or destroying medical records

  • Lawyers, accountants, IT specialists, etc.

  • Companies that are conduits for health plans, billing, and claims

Who does NOT need to follow HIPAA

There are some organizations that do not have to follow these laws, including:

  • Life insurers

  • Employers

  • Most schools and school districts

  • State agencies such as child protective services

  • Most law enforcement agencies

  • Most municipal offices

When covered entities can disclose protected health information

Covered entities are sometimes allowed to use and disclose a patient’s protected health information without the patient’s authorization, in situations such as:

  • Disclosing the patient’s medical information to the patient themselves

  • Communicating about treatment, payment, and healthcare operations with those in charge of managing them

  • Supporting public interest and benefit, including 12 national priority purposes

    • When required by law

    • Public health activities

    • Victims of abuse/neglect/domestic violence

    • Health oversight activities

    • Judicial and administrative proceedings

    • Law enforcement

    • Functions (such as identification) concerning deceased persons

    • Cadaveric organ/eye/tissue donation 

    • Research under certain conditions

    • To prevent or lessen a serious threat to health or safety

    • Essential government functions

    • Workers’ compensation

HIPAA during the new wave of telemedicine

Telemedicine has been growing for the past couple of years and gained a great deal of traction because of COVID-19. Several changes were made during the pandemic to make healthcare delivery more accessible, some of them pushed directly by the pandemic itself.

Starting in April 2020, penalties were not enforced against providers delivering telehealth services through applications that are not fully HIPAA-compliant, such as Zoom, FaceTime, and Google Hangouts. This was made possible under the “good faith” clause in HIPAA, which allows special circumstances to be taken into account when permitting such uses in telemedicine.

A new “Right of Access” rule is also under consideration. If passed, it would require healthcare providers to give patients electronic access to their own health information without exorbitant fees or long wait times. This initiative would also allow health information exchanges to share health information with public health authorities, even without express permission from a covered entity.

Reviewed by Geetika Rao, MPH | Edited and fact-checked by Jared Dashevsky, M.Eng.