What is the HIPAA Safe Harbor Law?
The HIPAA Safe Harbor Law (HR 7898) is an amendment to the HITECH Act passed by Congress in 2021 which instructs the Secretary of Health and Human Services to take into account existing security practices when determining penalties for HIPAA violations. Organizations that have adopted a recognized security framework will also benefit from less disruptive corrective action plans and audits. In 2009, the HITECH Act amended the HIPAA Enforcement Rule by introducing a four-tiered penalty structure and by increasing the maximum civil monetary penalties that could be imposed by HHS’ Office for Civil Rights for HIPAA violations. The structure has stayed in place ever since and the penalties have increased annually since 2015 to account for inflation. The 2021 amendment to the HITECH Act came as the result of a Request for Information issued by the Department of Health and Human Services (HHS). The Request for Information had the objectives of exploring ways the administrative burden on Covered Entities and Business Associates could be reduced and data sharing could be improved for better...
Illinois Department of Human Services Exposes Sensitive Data of 700,000 Individuals Online
The Illinois Department of Human Services (IDHS) has announced a major data breach affecting hundreds of thousands of state residents, whose sensitive data has been exposed online. IDHS created planning maps to assist with resource allocation and decision-making, which were added to a mapping website. On or around September 22, 2025, IDHS discovered that the website, which was intended for internal department use only, was accessible via the public Internet. Upon discovery, the website was immediately secured, and an investigation was launched to determine the cause of the error and the extent of any data exposure. The investigation revealed that sensitive data had been exposed online for up to four years between 2021 and 2025. The planning maps had been created by the IDHS Division of Family and Community Services’ Bureau of Planning and Evaluation, which inadvertently misconfigured the privacy settings. Following a comprehensive review, IDHS determined that the protected health information of approximately 672,616 Medicaid and Medicare Savings Program recipients had been exposed...
HIPAA Explained
Our HIPAA explained article provides information about the Health Insurance Portability and Accountability Act (HIPAA) and the Administrative Simplification Regulations – which include the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) is an Act passed in 1996 that primarily had the objectives of enabling workers to carry forward healthcare insurance between jobs, prohibiting discrimination against beneficiaries with pre-existing health conditions, and guaranteeing coverage renewability multi-employer health insurance plans. At the time, the cost of health insurance was rising rapidly. To prevent health insurance companies further increasing premiums and deductibles due to the costs associated with the portability and accountability provisions, cost-cutting measures were added as the Act passed through Congress to reduce health care fraud and to make the administration of health claims processing more efficient. Further measures relating to medical liability reform,...
What is HIPAA Authorization?
A HIPAA authorization is a form that must be completed by a patient or a health plan member when a covered entity wishes to use or disclose PHI for a purpose not permitted by the HIPAA Privacy Rule. The failure to obtain a valid HIPAA authorization is considered a serious violation of HIPAA compliance. What is HIPAA Authorization? The HIPAA Privacy Rule (effective since April 14, 2003) introduced standards covering allowable uses and disclosures of health information, including to whom information can be disclosed and under what circumstances protected health information can be shared. The HIPAA Privacy Rule permits the sharing of health information by healthcare providers, health plans, healthcare clearinghouses, business associates of HIPAA-covered entities, and other entities covered by HIPAA Rules under certain circumstances. In general terms, permitted uses and disclosures are for treatment, payment, or health care operations, and reporting issues such as domestic abuse to public health agencies. HIPAA authorization is written consent obtained from a patient or health plan...
What are the HIPAA Photography Rules?
The HIPAA photography rules vary according to the nature of the photograph, its purpose, and whether it is part of a designated record set. The HIPAA rules for photos also may or may not apply depending on who is taking the photos, while the environment in which photos are taken can also influence hospital policies. Photos are only mentioned twice in HIPAA – once in the Safe Harbor method of de-identifying PHI, and once in the list of individually identifiable health information that has to be removed from a designated record set to make it a limited data set. Because these are the only mentions of photographs in HIPAA, many covered entities assume that every photograph should be classified as Protected Health Information (PHI) and subject to HIPAA Privacy and Security Rule standards. But this is not the case. Individually identifiable information such as photos and videos only become individually identifiable health information when they are created or received by a covered entity and relate to “the past, present, or future physical or mental health or condition of an individual;...



