HIPAA Provides Important Health and Private Information Protections
HIPAA refers to the Health Insurance Portability and Accountability Act, which was signed into law by President Bill Clinton in 1996.
As per the legislation itself, the primary objective of HIPAA was “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”1
HIPAA is a comprehensive law that impacted various facets of Americans’ health coverage, yet it is frequently misconstrued as solely pertaining to information privacy. While privacy is a significant component of HIPAA, the law covers much more than that (information privacy is included in the “other purposes” provision of the objective).
This article aims to clarify the various aspects of HIPAA, the individuals it safeguards, and the evolution of those safeguards over time.
HIPAA Rules and Regulations
HIPAA is composed of five major sections, also known as titles.
Title I is focused on Health Care Access, Portability, and Renewability, which aims to protect individuals’ access to health insurance regardless of preexisting conditions or medical history, mostly for employer-sponsored health plans.
Title II, named Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform, addresses the protection of personal health information privacy and includes administrative provisions to improve communication between health plans and providers.
Title III is about Tax-Related Health Provisions, which allows self-employed individuals to increase the percentage of health insurance premiums that could be tax-deductible, introduces medical savings accounts (later replaced by health savings accounts), and provides a tax-advantaged approach to long-term care services and long-term care insurance premiums.
Title IV is about the Application and Enforcement of Group Health Plan Requirements, which focuses on access, portability, and renewability under group health plans or employer-sponsored plans.
Finally, Title V, also known as Revenue Offsets, prohibits the tax deduction of interest on company-owned life insurance loans and changes income tax rules for individuals who lose U.S. citizenship, including making the expatriation tax applicable if a person gives up their citizenship for tax reasons.
Health Care Access, Portability, and Renewability
At the time of its enactment, this part of HIPAA, along with Title IV (which pertains to group health plan requirements), was arguably the most significant component of the law. These sections ensured that workers had consumer protections related to their health benefits.
The Affordable Care Act (ACA) further strengthened HIPAA’s provisions and extended them to include self-purchased individual and family health coverage. Since 2014, the combined protections of HIPAA and ACA have provided robust safeguards to ensure access to health coverage in the United States.
Preexisting Conditions and HIPAA
HIPAA established regulations to prevent employer-sponsored health plans from indefinitely excluding coverage for preexisting conditions. A preexisting condition is a medical condition that an individual has prior to applying for health insurance coverage.
Under HIPAA, group health plans were permitted to exclude preexisting conditions for a maximum of 12 months or 18 months for late enrollees. However, if an enrollee had prior creditable coverage without a break of more than 63 days, the preexisting condition exclusion period would be reduced by the length of time the person had prior coverage.
This provision allowed individuals to switch from one employer-sponsored plan to another without being subjected to a preexisting condition waiting period under the new plan.
Guaranteed Issue and Renewability
HIPAA included a provision that required health insurers offering small group health coverage to make their plans guaranteed issue. This means that a health insurer could not reject a small group based on the medical history of one or more employees or their dependents.
Small group plans generally covered two to 50 employees, a definition still used in most states. Additionally, HIPAA ensured guaranteed renewability for individual/family health coverage that people purchased themselves, unrelated to an employer.
As long as a person continued to pay their premiums on time and resided within the health plan’s service area, their coverage had to be renewed each year, regardless of medical conditions, with exceptions for fraud, misrepresentation, or if the insurer stopped offering coverage in that area.
Gaps
Despite its provisions, HIPAA still left gaps in coverage protections. In particular, the law’s protections were not as comprehensive for individuals transitioning to individual/family health coverage, whether from another individual/family plan or from an employer-sponsored plan, or for those facing gaps in employer-sponsored coverage.
In most states, individual/family health plans were not guaranteed-issue even for HIPAA-eligible individuals. Instead, most states relied on a carrier of last resort or high-risk pool to provide guaranteed-issue options. Additionally, although small group plans had to be guaranteed issue under HIPAA, insurers could adjust total premiums based on a group’s medical history.
The ACA made substantial changes to these rules, including the elimination of preexisting condition waiting periods and requiring large employers to offer comprehensive and affordable health coverage. The ACA also required individual/family health insurance to be guaranteed issue and mandated that certain essential health benefits be covered.
How HIPAA Protects Private Medical Information
The provision of HIPAA that is most commonly known is its information privacy protection, but it is often misunderstood. During the COVID-19 pandemic, this misunderstanding was exacerbated, with some people mistakenly believing that businesses asking about a person’s vaccination status were violating HIPAA, when in fact they were not.
Although HIPAA has many provisions beyond medical privacy, it’s not surprising that medical privacy is its most widely known aspect, since the ACA has replaced or enhanced many of the health insurance portability and preexisting condition protections that were part of HIPAA.
HIPAA’s protection of personal health information is a critical aspect of the law that requires compliance from various individuals and entities. HIPAA aims to protect a person’s sensitive medical information from being disclosed without their permission or used inappropriately. This protection applies to all forms of medical records, whether they are in paper or electronic format.
Under HIPAA, covered entities such as healthcare providers, insurance companies, and business associates must comply with strict rules on how they handle and protect personal health information. For example, they must obtain written consent from patients before using or disclosing their medical information for any purpose other than treatment, payment, or healthcare operations.
HIPAA also requires covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. These safeguards include measures such as access controls, encryption, and backups to prevent unauthorized access, alteration, or destruction of personal health information.
Additionally, HIPAA provides individuals with certain rights regarding their medical information, including the right to access their medical records and to request corrections to any inaccuracies. Individuals also have the right to file a complaint with the Department of Health and Human Services if they believe their privacy rights have been violated.
Overall, HIPAA’s protection of personal health information is a crucial aspect of the law that ensures patients’ privacy and security are safeguarded in the healthcare system.
HIPAA Privacy Rule
HIPAA’s Administrative Simplification section directed the Department of Health and Human Services (HHS) to provide recommendations for standards on the privacy of individually identifiable health information. This led to the development of the HIPAA Privacy Rule, which outlines how protected health information (PHI) must be safeguarded.
PHI refers to any individually identifiable health information transmitted or maintained electronically or otherwise, such as medical histories, test results, or insurance information. However, the Privacy Rule excludes information in education and employment records or about someone deceased for more than 50 years.
The HIPAA Privacy Rule limits the disclosure of a person’s PHI without their authorization and allows them to request access and corrections, as well as authorize its transmission to someone else. Covered entities subject to the Privacy Rule include health plans, healthcare providers, healthcare clearinghouses, and business associates with access to PHI. The HIPAA Breach Notification Rule requires covered entities to notify people within 60 days if a data breach compromises their PHI.
You Can Be Asked to Provide PHI
It is important to note that HIPAA’s Privacy Rule only applies to the unauthorized disclosure of PHI by a covered entity or a business associate of a covered entity.
It does not prevent or restrict a business or employer from requesting PHI directly from the patient. A person may choose not to provide the requested information, but HIPAA is not relevant in this case.
HIPAA Security Rule
Part C of Title II of HIPAA also established the HIPAA Security Rule. In 1998, HHS proposed regulations to implement this rule, which have been updated and modified several times since then.13
The Security Rule, also known as “The Security Standards for the Protection of Electronic Protected Health Information,” aims to ensure that electronic PHI is stored, used, and transmitted with appropriate safeguards in place to maintain its confidentiality, integrity, and security.13
The Security Rule applies to health plans, healthcare clearinghouses, and medical providers who transmit PHI electronically. It provides specific guidance on the operational safeguards that these entities must have in place to protect electronic PHI and uphold the Privacy Rule. However, it’s important to note that while the Privacy Rule applies to all types of PHI, including those stored or transmitted orally or on paper, the Security Rule only pertains to electronic PHI.14 Covered entities that rely heavily on electronic records will find a significant overlap between the requirements of the Privacy Rule and the Security Rule.
HIPAA Transactions and Code Set Rules (TCS)
The Administrative Simplification section of HIPAA requires HHS to establish standardized code sets that are used to transmit different medical information, such as diagnoses, treatments, and health insurance claim status. A code set refers to a set of codes used to encode data elements, including medical concepts, diagnostic codes, and procedure codes. The aim is to simplify healthcare communication by having all entities use the same code sets, making it easier for them to understand each other with the help of computers that process the code sets.
The following code sets are used to transmit various medical data:15
- International Classification of Diseases (ICD-11): Used for diagnoses and procedures, this replaced ICD-10 as of 2022.
- Current Procedural Terminology (CPT): This is used for outpatient treatment.
- Healthcare Common Procedure Coding System: This is used for Medicare and for services and equipment not covered by CPT.
- Code on Dental Procedures and Nomenclature (CDT): This is used for dental procedures.
- National Drug Codes (NDC): This is used for medications.
Covered Entities
Only covered entities and their business associates are subject to HIPAA’s privacy protections for PHI. Health plans, medical providers, and healthcare clearinghouses are considered covered entities.
A healthcare clearinghouse is an entity that processes nonstandard health information to meet standard requirements or vice versa, and it can include entities such as medical billing services, IT consultants, and community health information systems.
Business associates are individuals or entities that work on behalf of a covered entity and have access to PHI.
Who Does Not Have to Follow HIPAA Rules?
HIPAA’s Privacy Rule only applies to covered entities and their business associates. While there are some exceptions for certain types of employers, such as those with self-funded health plans, generally speaking, most employers are not covered entities and therefore not subject to HIPAA’s rules protecting PHI. Similarly, schools, law enforcement agencies, and many other entities are not subject to these rules. However, some of these entities may be subject to other federal or state privacy laws that protect personal information.
Other Rules and Regulations
Title III of HIPAA pertains to medical liability reform. In addition to the healthcare provisions mentioned earlier, Title III also included several other important provisions related to healthcare. One of these provisions was the establishment of standards for electronic transactions and code sets. This helped to improve the efficiency and accuracy of healthcare transactions by creating a standard set of codes that could be used to transmit healthcare data.
Another provision of Title III was the requirement for national identifiers for healthcare providers, health plans, and employers. This helped to standardize the way that healthcare entities are identified and tracked, which made it easier for patients and providers to navigate the healthcare system.
Title III also included provisions related to fraud and abuse in healthcare. It established new penalties for individuals and entities that engage in fraudulent or abusive practices, and created new tools for investigating and prosecuting these practices.
Finally, Title III included several provisions related to administrative simplification in healthcare. It required the development of standard forms and procedures for healthcare transactions, and created a mechanism for resolving disputes related to healthcare claims and payments. These provisions helped to streamline the healthcare system and reduce administrative burdens on patients and providers.
HIPAA and the Self-Employed Health Insurance Deduction
Prior to HIPAA, self-employed individuals were allowed to deduct only 25% of their health insurance premiums from their taxable income. However, HIPAA’s Title III, Subsection B increased this deduction to 30% in 1996 and mandated it to gradually increase to 80% by 2006.
Additional legislation passed in 1999 further accelerated this timeline, allowing self-employed individuals to deduct 100% of their health insurance premiums starting in 2003. This deduction is still in use today and plays a crucial role in making health coverage more affordable for self-employed individuals.
Additionally, under the Affordable Care Act (ACA), self-employed individuals may also be eligible for premium subsidies if they purchase coverage through the health insurance marketplace. However, any premiums that they pay out of their own pocket can still be deducted on their tax returns without the need to itemize deductions.
Medical Savings Accounts
HIPAA Title III, Subtitle A created medical savings accounts (MSAs), which were the precursor to today’s health savings accounts (HSAs). MSAs were limited to self-employed people or employees of small businesses, and up to 750,000 tax-advantaged MSAs could be opened under HIPAA. However, only about 75,000 accounts were opened due to the program’s restrictions.
Like HSAs today, MSAs required a high-deductible health plan (HDHP) for contribution, and MSA contributions could be deducted on a tax return even without itemizing deductions. However, HSAs offer more flexibility and have proven to be much more popular. HSAs allow contributions from the individual, employer, or a combination of both, while MSAs only allowed contributions from the account holder or employer in a given year.
HSAs also have broader eligibility than MSAs, allowing anyone with HDHP coverage to contribute to an HSA. Existing MSAs were allowed to remain in place, but no new MSAs were created once HSAs became available. As of 2020, more than 30 million HSAs exist in the US. Despite some differences, the creation of MSAs under HIPAA paved the way for today’s popular HSAs.
Tax-Advantaged Treatment of Long-Term Care Services and Insurance
HIPAA’s Title III, Subtitle C introduced preferential tax treatment for long-term care services and insurance. Prior to HIPAA, long-term care services or insurance did not have any tax benefits.
Under HIPAA’s rules, qualified long-term care benefits can be received tax-free. Moreover, the premiums for long-term care insurance sponsored by employers can be paid on a pre-tax basis, which reduces the person’s taxable income.
For individuals who buy their own long-term care insurance, HIPAA allowed incorporating long-term care insurance premiums into total medical expenses, and deducting medical expenses that exceed 7.5% of their income, as long as the person itemizes their deductions. However, HIPAA did set a limit on how much can be deducted for long-term care premiums, based on age. The deduction limits have been indexed annually by the IRS, and currently range from $450 to $5,640. These tax-advantaged treatments for long-term care services and insurance are still applicable today.
Summary
In addition to the protections for preexisting medical conditions and the privacy rules, HIPAA also included provisions related to the standardization of electronic healthcare transactions and code sets, the creation of medical savings accounts, and tax advantages for long-term care services and insurance.
The law has had a lasting impact on the healthcare industry, helping to modernize and streamline healthcare communication, and providing important protections for patients and their medical information.
HIPAA’s legacy can also be seen in the ongoing efforts to improve and expand healthcare access and affordability, with the Affordable Care Act building on many of the law’s key provisions and expanding health coverage to millions of Americans. Overall, HIPAA remains an important and influential piece of healthcare legislation, with lasting impacts on the industry and on patients’ rights and protections.
A Word From TGH Urgent Care
HIPAA has been in place for more than 25 years to safeguard both access to health coverage for people with preexisting conditions and the confidentiality of personal health information. To keep up with evolving healthcare practices, regulations have been regularly updated, and HIPAA continues to protect the privacy of Americans’ health data. Covered entities, which encompass health plans, medical providers, and data transmission entities, are bound by stringent privacy and security regulations and face potential penalties for any violations. HIPAA also empowers individuals to access their own medical records, request corrections when necessary, and manage who can access their medical information.
FREQUENTLY ASKED QUESTIONS – HIPAA
What is the Office for Civil Rights (OCR)?
The Office for Civil Rights (OCR) is a division of the U.S. Department of Health and Human Services (HHS) responsible for enforcing HIPAA’s Privacy, Security, and Breach Notification Rules. OCR investigates complaints of HIPAA violations and conducts compliance audits to ensure that covered entities are adhering to the law.
What is a Business Associate Agreement (BAA)?
A Business Associate Agreement (BAA) is a legal contract between a covered entity (such as a healthcare provider) and a business associate (such as an outside contractor or vendor) that ensures the business associate will also comply with HIPAA’s Privacy and Security Rules. A BAA is necessary when a business associate will have access to a covered entity’s protected health information.
What are the three rules of HIPAA?
The Privacy Rule, Security Rule, and Enforcement Rule are the three primary rules of HIPAA. They work together to ensure that protected health information (PHI) is securely protected and managed, including guidelines for privacy and security measures, breach notifications, and penalties for noncompliance.
What is protected by HIPAA?
Protected health information (PHI) refers to sensitive health information, including demographic details, medical history, test/lab results, prescriptions, and health insurance details, as well as any other data related to healthcare services that can identify a patient. HIPAA’s rules strictly limit unauthorized disclosures of this information by covered entities, such as health plans, medical providers, medical clearinghouses, and their business associates.
What is not protected by HIPAA?
HIPAA regulations only apply to covered entities and their business associates. Health plans, medical providers, and healthcare clearinghouses are considered covered entities. HIPAA protections do not extend to education records or employment records, nor to information about individuals who have been deceased for more than 50 years. HIPAA does not prohibit businesses, employers, or individuals from requesting medical information, such as proof of immunization.
Mamabee uses only high-quality sources, including peer-reviewed studies, to support the facts within our articles.
- Health Insurance Portability and Accountability Act of 1996. Public Law 104-191–Aug. 21, 1996.
- Edemekong PF, Annamaraju P, Haydel MJ. Health Insurance Portability and Accountability Act. StatPearls.
- Centers for Medicare and Medicaid Services. Administrative simplification fact sheet.
- Centers for Medicare and Medicaid Services. The Health Insurance Portability and Accountability Act of 1996 — helpful tips.
- Healthcare.gov. Read the Affordable Care Act.
- Kaiser Family Foundation. Health insurance market reforms: Guaranteed issue.
- U.S. Department of Health and Human Services. HIPAA Privacy Rule.
- Cornell Law School, Legal Information Institute. 45 CFR § 160.103 – Definitions.
- U.S. Department of Health and Human Services. Does the HIPAA Privacy Rule apply to an elementary or secondary school?
- Centers for Medicare and Medicaid Services. Are you a covered entity?
- Centers for Medicare and Medicaid Services. Adopted standards and operating requirements.
- U.S. Department of Health and Human Services. Breach Notification Rule.
- U.S. Department of Health and Human Services. The Security Rule.
- Ouellette P. HIPAA Security Rule v. Privacy Rule for covered entities. Health IT Security.
- Centers for Medicare and Medicaid Services. Code sets basics.
- U.S. Department of Health and Human Services. The HIPAA Enforcement Rule.
- U.S. Department of Health and Human Services. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other modifications to the HIPAA rules. Federal Register. 2013;78(17):5565-5702.
- HIPAA Journal. What are the penalties for HIPAA violations?
- U.S. Department of Health and Human Services. Filing a complaint.
- EveryCRSReport.com. Federal tax treatment of health insurance expenditures by the self-employed: Current law and issues for Congress.
- Healthcare.gov. Still need health insurance?
- Devenir Research. 2020 year-end HSA market statistics & trends executive summary.
- Internal Revenue Service. Revenue Procedure 2020-45.