HIPAA Overview

HIPAA is the federal Health Insurance Portability and Accountability Act of 1996, passed with bipartisan and widespread support of the health care industry. HIPAA had three goals:

  1. Health Insurance Portability: ensure the portability and continuity of health insurance coverage for individuals and groups.
  2. Accountability: combat waste, fraud, and abuse in health insurance and health care delivery.
  3. Administrative Simplification: simplify health care billing and other transactions by adopting standards for transmitting data electronically.

HIPAA Administrative Simplification is implemented through federal regulations issued by the Department of Health and Human Services (DHHS). The Administrative Simplification goals required the development of standards for the electronic exchange of health care information. Administrative Simplification also required rules to protect the privacy of personal health information, security requirements to protect that information, and the development of standard identifiers.

At the core are standards for the content and format of electronic transactions used in billing, payment and other health care administrative functions. These standards use Electronic Data Interchange (EDI) technology which has become widely used in banking and other industries.

Other standards support the core transaction standards.

  • Because automated information can be more accessible and more easily abused, new regulations will govern the privacy and security of patient information.
  • Another set of regulations will provide nationwide, standard identifiers for providers, health plans and employers.
  • A final regulation now covers enforcement of the rules.

All standards are based on existing, national, industry standards whenever possible.

The Administrative Simplification provisions of HIPAA apply to three kinds of "covered entities" specified in the law.

  • Health plans, generally defined as any individual or group plan that provides or pays for medical care. Not all public programs that provide or pay for health care are covered. Covered health plans must be able to process any standard electronic transactions they receive.
  • Health care providers that transmit health information in electronic form in connection with one of the transactions used in providing or paying for health care. Providers may continue to conduct transactions manually, but any covered transactions they do electronically must meet the standards (unless they are using a clearinghouse).
  • Health care clearinghouses, which translate electronic transactions between standard and non-standard forms.

The same definition of a "covered" entity applies to the privacy rule as well as the transactions rule (only these two rules are final as of the writing of this summary). Business associates of covered entities are also affected by HIPAA when they perform covered transactions on behalf of a covered entity, or when they receive protected patient health information from a covered entity.

Last Revised: September 9, 2019