HIPAA
Also known as: Health Insurance Portability and Accountability Act; HIPAA of 1996
HIPAA is the 1996 federal law that establishes national standards for protecting the privacy and security of individually identifiable health information held by covered entities and their business associates.
Definition
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) created the Privacy Rule (45 CFR Parts 160 and 164 Subparts A and E), the Security Rule (45 CFR Part 164 Subpart C), the Breach Notification Rule (45 CFR Part 164 Subpart D), and the Transactions and Code Sets standards (45 CFR Part 162). HIPAA applies to covered entities (health plans, health care clearinghouses, and most providers who transmit health information electronically) and to their business associates. Enforcement is handled by the HHS Office for Civil Rights (OCR), with civil monetary penalties ranging from $137 to $68,928 per violation under the 2024 inflation-adjusted tiers.
Example
A medical billing company that receives PHI from a physician practice to submit claims is a HIPAA business associate and must sign a Business Associate Agreement (BAA), implement the Security Rule's administrative, physical, and technical safeguards, and report breaches affecting 500 or more individuals to OCR within 60 days.
Common Misconceptions
HIPAA does not prohibit sharing PHI for treatment, payment, or health care operations between covered entities. The Privacy Rule explicitly permits these uses without patient authorization under 45 CFR 164.506. HIPAA also does not require encryption in all cases — it requires encryption or an equivalent safeguard, and unencrypted email is permitted if the patient is informed of the risk and consents.
Practical Application
Billing teams must train staff on minimum-necessary access, sign BAAs with every clearinghouse and software vendor that touches PHI, log all PHI access, and maintain a documented incident response plan. Practices that fail to perform an annual HIPAA risk analysis (required by 45 CFR 164.308(a)(1)(ii)(A)) account for the largest share of OCR enforcement actions.
Related Terms
PHI (Protected Health Information)
PHI is any individually identifiable health information transmitted or maintained by a HIPAA covered entity or business associate, in any form or medium, that relates to a person's past, present, or future physical or mental health, treatment, or payment for care.
HITECH Act
HITECH is the 2009 federal law that strengthened HIPAA by extending direct liability to business associates, increasing breach notification requirements, and creating tiered civil monetary penalties for HIPAA violations.
Business Associate Agreement (BAA)
A Business Associate Agreement is a HIPAA-required written contract under 45 CFR 164.504(e) between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf, establishing the vendor's permitted uses, safeguards, and breach notification obligations.
Minimum Necessary Rule
The Minimum Necessary Rule, codified at 45 CFR 164.502(b) and 164.514(d), requires covered entities and business associates to limit uses, disclosures, and requests of PHI to the minimum necessary to accomplish the intended purpose.