
The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 to protect individuals’ private health information from being shared without their consent. HIPAA education and training in the medical community is essential in enforcing the law. The law consists of five titles:

  1. Protection of health insurance coverage for workers and families
  2. Prevention of health care fraud and abuse
  3. Guidelines for tax-related health provisions
  4. Requirements for group health insurance
  5. Guidelines for corporate-owned life insurance policies and provisions for non-citizens of the United States

HIPAA Privacy Rule

The HIPAA Privacy Rule was created to enforce the requirements of HIPAA. The Privacy Rule addresses the rights of individuals to decide how their personal health information is used. It protects an individual's health information while still permitting the flow of information needed to protect public health.

Covered Entities

Covered entities are specific individuals, organizations and agencies that must comply with HIPAA’s Privacy Rule. These covered entities include, but are not limited to, the following:

  • Health care providers filing insurance claims, inquiring about benefits and authorizing referrals and other HIPAA-approved transactions.
  • Health care plans paying for medical care, including health, dental, vision and prescription medications. (A group health plan with fewer than 50 participants is an exception. This plan is administered by the employer and is not a covered entity.)
  • Health care clearinghouses processing information received from another entity.
  • Business associates performing services for a covered entity, such as claims processing, billing or data analysis.

Covered entities can disclose health information without the individual's authorization when the disclosure is required, provided the individual is notified. They can also disclose health information for treatment, payment, other HIPAA-permitted uses and public well-being. There are twelve national priority purposes for which the Privacy Rule permits disclosure of protected health information. These include the following:

  • Disclosures required by law, such as reporting a gunshot or stab wound
  • Public health activities
  • Victims of abuse, neglect or domestic violence
  • Health oversight activities
  • Judicial proceedings
  • Law enforcement
  • Identification of a deceased person
  • Organ donation
  • Certain research
  • Prevention of serious health or safety threats, such as communicable diseases
  • Essential government functions
  • Workers’ compensation

HIPAA Security Rule

The HIPAA Security Rule protects a subset of the information covered by the Privacy Rule: individually identifiable health information that a covered entity creates, receives, maintains or transmits in electronic form. To remain in compliance with the Security Rule, covered entities must:

  • Ensure confidentiality, integrity and availability of electronic health information
  • Protect against threats to the security of the information
  • Protect against impermissible uses or disclosures of the information
  • Ensure compliance by their workforce

Complaints should be reported to the HHS Office for Civil Rights. Violations of HIPAA range from civil to criminal, and penalties range from monetary fines up to imprisonment depending on the severity of the violation.

For more information on HIPAA or to make a complaint, visit
