Happy 25th Birthday HIPAA!

A Back-to-Basics Review

The Health Insurance Portability and Accountability Act of 1996 turned 25 on August 21st.

You will notice that there is no mention of information, privacy, or security in its title. So, how did we end up with the Privacy, Security, and Breach Notification Rules? Electronic health information and the internet were just becoming common in the 1990s, so including privacy and security sections in the law was almost an afterthought. To avoid delays, a general requirement was included for the Secretary of the U.S. Department of Health and Human Services to create regulations to protect people’s health information. HIPAA calls this “protected health information” (PHI).

What is the purpose of HIPAA?

HIPAA had several goals related to the healthcare industry. Two of the primary goals were to:

  1. Make it easier for people to maintain health insurance coverage when changing jobs.
  2. Simplify and standardize health insurance transactions (claims) and related information. This was meant to help make the first goal possible and assist with detecting fraud, waste, and abuse. 

Who has to follow HIPAA?

Healthcare providers who submit insurance claims and related transactions electronically are required to follow HIPAA and are called Covered Entities. Business associates of these providers must also follow the HIPAA Rules. These are vendors that require access to PHI to provide their services to covered entities. Collection services, billing companies, IT management and support, and shredding services are some examples of business associates.

What do the rules do?

The Privacy Rule

  • Gives patients ownership of their own health records and the rights to know how their PHI is being used and disclosed, to restrict its use and disclosure, to correct it, and to access it.
  • Determines what uses and disclosures are permitted and required by law and how the privacy of PHI should be protected by covered entities.

The Security Rule

  • Establishes guidelines on how electronic PHI must be protected.
  • Sets standards for the appropriate access, transmission, and storage of electronic PHI and managing risks to its confidentiality, integrity, and availability. 

The Breach Notification Rule

  • Defines a breach of the privacy or security of the health information and provides exceptions.
  • Outlines documentation and reporting/notification requirements to patients and HHS.

Entities must have policies and procedures that support HIPAA’s requirements and must train workers regularly. It is very important to use forms, software, and vendors that comply with the rules. Everyone is responsible for participating in compliance and for helping to monitor and report potential risks and issues.


Once past the basics of HIPAA, things can quickly get complex. Detailed solutions and guidance are often entity and situation-specific. TMC clients not only have immediate access to forms and guidance in the Client Portal but have a personal consultant as well as easy expert support by contacting Client Services.