HIPAA Rules & Regulations


Sponsored by Sen. Edward Kennedy (D-Mass.) and Sen. Nancy Kassebaum (R-Kan.), the Health Insurance Portability and Accountability Act was enacted by the U.S. Congress in 1996. The Act is divided into three parts.

The first part is a general overview of the Act and explains how HIPAA provides protection to workers and their family members by ensuring health insurance coverage when the workers lose or change their jobs.

The second part of the Act, Administrative Simplification (AS), explains the necessity and requirements of establishing national standards for electronic health care transactions and national identifiers for insurance providers, health insurance policies, and employers. Part II of the Act also addresses provisions such as the security and privacy of health data. The standards explain how the efficiency and effectiveness of the nation's healthcare system can be improved by encouraging the use of electronic data interchange.

The third and last part of the Act speaks of other provisions such as Administrative Simplification, Medical Savings Accounts, and Health Insurance for Self-Employed Taxpayers etc.

HIPAA Privacy Rule
The HIPAA Privacy Rule is a national set of standards protecting individuals' medical and other personal health-related information. The Privacy Rule applies to health plans, health care clearinghouses, and health care providers who conduct health care transactions electronically. The Rule requires proper safeguards to protect the privacy of personal health information. It also sets boundaries and conditions on the uses and disclosures of patient information without patient authorization. Additionally, the Privacy Rule gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.

HIPAA Security Rule
The Final Rule on Security Standards was issued on February 20, 2003 and came into effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for "small plans".

Complementing the HIPAA Privacy Rule, the Security Rule establishes a set of national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. While the Privacy Rule applies to all Protected Health Information (PHI), both paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). The Security Rule requires three types of security safeguards for compliance: administrative, physical, and technical. These safeguards are intended to ensure the confidentiality, integrity, and security of electronic protected health information.

HIPAA Transactions and Code Sets Rule
The HIPAA Transactions and Code Sets Rule is meant to standardize the electronic exchange of patient-identifiable health-related information. Based on Electronic Data Interchange (EDI) standards, the transactions and code set rules permit information exchange from computer to computer without any human intervention. Implementing the transactions and code set rules is a major business process reengineering effort that involves complex and expensive undertakings. The standards offer a rapid improvement in the quality of service provided.

HIPAA Unique Identifiers Rule
Under the HIPAA regulation, the National Provider Identifier (NPI) must be used by all covered entities, such as providers of electronic transactions, large health plans, and healthcare clearinghouses. The NPI identifies covered healthcare providers in standard transactions without compromising the identity of patients. HIPAA states that by May 23, 2008, all small health plans also must use only the NPI.

HIPAA Enforcement Rule
On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006. The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations; however, its deterrent effects seem to be negligible with few prosecutions for violations.

HIPAA Breach Notification Rule
On August 19, 2009, the U.S. Department of Health and Human Services (HHS) issued an interim final rule known as the Breach Notification Rule, which requires all HIPAA covered entities to notify individuals about a breach of their protected health information. Along with the covered entities, the rule applies to health care providers and health plans, and to business associates, including third-party administrators.