The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set the first national standards for protecting personal health information. The passing of HIPAA is meant to reflect increasing public concern about the use and disclosure of health and other personal information as advancing technology makes such private information much easier to access. The rules are intended to protect and enhance the rights of consumers regarding their personal health information, control the unprofessional use of medical records, and improve the quality of health care by restoring trust in the health care system.
Five basic principles govern the HIPAA privacy rules:
- Consumer Control – Patients have new rights to control the release of their medical information.
- Boundaries – With few exceptions, a patient’s health information can be used for health purposes only.
- Accountability – There are specific federal penalties for people and organizations that violate the HIPAA privacy regulations. The penalties range from a $100 fine per violation for disclosures made in error to as much as $250,000 and 10 years in prison for malicious use of medical records.
- Public Responsibility – HIPAA provides standards for how medical information should be released for public health, research, fraud and abuse investigations, and quality assessment purposes.
- Security – Health care organizations must establish clear procedures to protect patients’ privacy.
HIPAA protects workers and their families by limiting exclusions for preexisting medical conditions, providing new rights that allow individuals to enroll for health coverage when they lose other health coverage, get married or add a new dependent, and prohibiting discrimination in enrollment and in premiums charged to employees and their dependents based on health status-related factors.
HIPAA also mandates that employers provide employees with certificates of creditable coverage when an individual loses coverage under the group plan, becomes entitled to elect COBRA continuation coverage or exhausts COBRA continuation coverage. A certificate must also be provided free of charge upon request while employees have health coverage or anytime within 24 months after their coverage ends.
In addition, HIPAA includes discrimination prohibitions which ensure that individuals are not excluded from coverage, denied benefits, or charged more for coverage offered by a plan or issuer, based on health status-related factors.