
# HIPAA

### Contents

* [1. What is HIPAA?](#id-1.-what-is-hipaa)
* [2. Does HIPAA apply to you?](#id-2.-does-hipaa-apply-to-you)
* [3. What are HIPAA's key provisions?](#id-3.-what-are-hipaas-key-provisions)
* [4. HIPAA compliance checklist](#id-4.-hipaa-compliance-checklist)
* [5. What are the penalties for non-compliance?](#id-5.-what-are-the-penalties-for-non-compliance)
* [6. What counts as Protected Health Information (PHI)?](#id-6.-what-counts-as-protected-health-information-phi)
  * [What determines ‘identifiability’?](#what-determines-identifiability)

### 1. What is HIPAA?

The **Health Insurance Portability and Accountability Act**, or **HIPAA**, was signed into law by President Bill Clinton on 21 August 1996. It sets national standards for protecting individuals’ sensitive health information, which its implementing rules call ‘protected health information’, or ‘PHI’.

HIPAA is largely designed to protect patient privacy, prevent fraud and improve the portability of health coverage in the US.

The national standards set out in HIPAA are enforced by the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS).

### 2. Does HIPAA apply to you?

HIPAA applies directly to ‘covered entities’: organisations operating in the US which handle protected health information (PHI) in one of the following roles:

* Healthcare providers
* Health plans, e.g. insurance companies, health maintenance organisations and government programs such as Medicare
* Healthcare clearinghouses
  * These are organisations that convert nonstandard PHI into standard formats (or the other way around). They often sit between healthcare providers and insurers.

It also applies to ‘business associates’: any third parties that perform services for the entities above involving the use or disclosure of PHI, such as a cloud hosting provider or a billing vendor. Under HIPAA, these third parties must sign a Business Associate Agreement (BAA) with the HIPAA-bound healthcare entity. The BAA sets out how the business associate must safeguard the PHI it receives, and since the 2013 Omnibus rule business associates are themselves directly liable for breaches of the Security Rule and of the BAA’s terms.

### 3. What are HIPAA's key provisions?

HIPAA operates around **several key rules**:

* **Privacy** rule
  * Standards for how PHI can be used and disclosed
  * Including the ‘minimum necessary standard’. This dictates that PHI must only be used and disclosed to the minimum degree needed to achieve the intended purpose.
  * Patient rights, including the right to access their records and the right to request amendments
* **Security** rule
  * Details the administrative, physical and technical safeguards which must be implemented to protect electronic PHI (ePHI)
* **Transaction and code sets** rule
  * Standards for electronic healthcare transactions (e.g. billing and claims)
* **Enforcement** rule
  * Sets out procedures for investigations and penalties for non-compliance
* **Breach notification** rule
  * Entities must notify affected individuals and HHS if unsecured PHI is compromised or breached, and must also notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction
* **Omnibus** final rule (issued in 2013)
  * Updates and clarifies HIPAA provisions, including implementing HITECH Act provisions, extending direct liability to business associates and expanding patient rights

### 4. HIPAA compliance checklist

HIPAA compliance can feel like an overwhelming task, but appoint a [Privacy Partner](/privacy-professionals-when-do-you-need-them/when-do-you-need-a-privacy-partner.md) and the rest will follow in no time. A [Privacy Partner](/privacy-professionals-when-do-you-need-them/when-do-you-need-a-privacy-partner.md) will help develop and implement HIPAA compliance procedures.

This includes helping draft and review BAAs and setting up systems which implement the administrative, physical and technical safeguards required by the Security Rule. These safeguards include:

Documentation demonstrating:

* [ ] An ongoing training program educating employees on responsible handling of PHI
* [ ] A clear set of privacy policies and procedures, available for inspection by regulators
* [ ] Checks to ensure that any relevant business associates are also HIPAA compliant
* [ ] A clear contingency plan and a protocol for responding to security breaches
* [ ] Frequent and comprehensive audits
* [ ] Careful disposal of equipment and media that have held PHI
* [ ] Monitored physical access to equipment holding PHI, e.g. visitor sign-ins
* [ ] Access controls that grant PHI access only to those employees who need it to do their jobs, with documentation of who those employees are and prompt removal of access when someone leaves
* [ ] PHI is encrypted in transit and at rest
* [ ] Technical measures and policies to ensure data integrity

### 5. What are the penalties for non-compliance?

Civil penalties for HIPAA non-compliance are tiered by degree of culpability: unknowing violations, reasonable cause, wilful neglect that is corrected in time, and wilful neglect that is not corrected.

The minimum and maximum fines differ for each tier, but the annual cap for repeated violations of the same provision currently stands at roughly **$2.1 million per calendar year**. State attorneys general may also bring their own actions and assess penalties on top of federal ones.

* At the end of 2024, HHS imposed a penalty of **$1.19 million** on a Florida pain management clinic for failing to terminate a former employee’s access to PHI.

**Criminal penalties** range from fines of up to $50,000 and up to one year in prison for knowingly obtaining or disclosing PHI, through fines of up to $100,000 and up to five years in prison for offences committed under false pretences, to fines of up to $250,000 and up to 10 years in prison if the intent was to sell, share or use PHI for commercial advantage, personal gain or malicious harm.

Non-compliance, of course, significantly **erodes the trust of your users and investors**. In this sense, there is also a **huge reputational risk**.

### 6. What counts as Protected Health Information (PHI)?

The [Health Insurance Portability and Accountability Act (HIPAA)](https://www.hhs.gov/hipaa/for-professionals/index.html) works to protect individuals’ health data, or **‘protected health information’ (PHI)**. PHI is generally recognised as any individually identifiable health information.

This generally encompasses information regarding:

* Past, present or potential future **health status** (e.g. medical records)
* Healthcare **services accessed** (e.g. communication records)
* **Payment** for healthcare related matters (e.g. billing and insurance information)

Genetic information, biometric data and demographic details (when linked to health information) are also common examples of PHI.

PHI is PHI regardless of whether it exists in an electronic, paper or spoken format.

#### What determines ‘identifiability’?

Under HIPAA, information is considered ‘identifiable’ if it either directly identifies an individual or if there is reasonable basis to believe it could be traced back to an individual if manipulated and cross-referenced in a certain way.

Information only counts as de-identified, and so falls outside HIPAA, if one of two methods has been applied to it:

1. **Safe Harbour** (removal of the 18 identifiers)
2. **Expert Determination**

Under the **‘safe harbour’** method, all 18 categories of identifier listed in the Privacy Rule (45 CFR §164.514(b)) must be removed, whether they relate to the individual or to the individual’s relatives, employers or household members. Among other identifiers, this requires the removal of names, geographic subdivisions smaller than a state, all elements of dates (except year) directly related to an individual, telephone numbers and email addresses. The entity must also have no actual knowledge that what remains could still be used to identify the individual.
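To make the safe harbour rule concrete, the following is an added example (not code from this page or from Assenteo) of a scrubber that applies the removals to a structured patient record. The field names, the sample record and the set of low-population ZIP prefixes are all constructed assumptions; the rules themselves follow 45 CFR §164.514(b)(2), including two details the text above does not spell out: three-digit ZIP prefixes covering 20,000 or fewer people must be replaced with `000`, and ages of 90 and over (and any birth year that would reveal such an age) must be collapsed into a single ‘90+’ category. The scrubber also flags free-text fields that still look like they carry identifiers, because a name or phone number in a clinical note defeats the removal of the structured fields.

```python
import re
from datetime import date

# Structured fields that Safe Harbor says must be removed outright.
# These field names are an assumption about the caller's record layout.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}
# Date fields: only the year may survive.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Constructed sample: three-digit ZIP prefixes the caller has determined to
# cover 20,000 or fewer people. Safe Harbor requires these to become "000".
SMALL_POP_ZIP3 = {"036", "059"}

# Patterns that betray identifiers left behind in free text.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def year_only(value):
    """Reduce a date (ISO string or datetime.date) to its year."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def safe_harbor(record, small_pop_zip3=SMALL_POP_ZIP3):
    """Return (deidentified_copy, findings).

    The copy has direct identifiers dropped, dates reduced to years, ZIP
    codes truncated to three digits (or "000"), and ages over 89 collapsed
    to "90+". findings lists (field, pattern) pairs for free-text values
    that still match an identifier pattern; those need manual review, since
    Safe Harbor also fails if the entity knows the residue is identifying.
    """
    out = {}
    findings = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "zip":
            prefix = str(value)[:3]
            out[key] = "000" if prefix in small_pop_zip3 else prefix
        elif key == "age":
            out[key] = "90+" if int(value) >= 90 else int(value)
        else:
            out[key] = value
            if isinstance(value, str):
                for label, pattern in FREE_TEXT_PATTERNS.items():
                    if pattern.search(value):
                        findings.append((key, label))
    # A birth year alone reveals an age over 89, so it goes too.
    if out.get("age") == "90+" and "dob" in out:
        out["dob"] = None
    return out, findings


# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Example",
    "dob": "1931-04-17",
    "age": 93,
    "zip": "03601",
    "state": "NH",
    "admission_date": "2024-02-03",
    "diagnosis": "J18.9",
    "notes": "Pt's daughter reachable at 603-555-0142.",
    "email": "jane@example.com",
}

if __name__ == "__main__":
    scrubbed, flags = safe_harbor(SAMPLE)
    print(scrubbed)   # name/email gone, dob None, age "90+", zip "000"
    print(flags)      # [('notes', 'phone')]: the note still needs editing
```

The free-text scan is deliberately a flag rather than an automatic redaction: a regex that silently blanks anything date-like will also eat dosage schedules and lab values, and a record that passes the structured checks but keeps a phone number in the notes is still PHI. Treat a non-empty `findings` list as a blocker for release.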

Otherwise, under the **‘expert determination’** method, a suitably qualified expert must determine and document that the risk of any individual being identified from the information, alone or in combination with other reasonably available information, is ‘very small’.

Unless one of the above requirements has been met, if your company is processing any information connected to an individual’s health, it qualifies as PHI under HIPAA.
