Understanding the HIPAA Laws

The Health Insurance Portability and Accountability Act (HIPAA) consists of five Titles, each with its own set of HIPAA laws. Four of the five sets of HIPAA laws are straightforward and cover topics such as the portability of healthcare insurance between jobs, the coverage of persons with pre-existing conditions, and tax provisions for medical savings accounts.

However, Title II – the section relating to administrative simplification, preventing healthcare fraud and abuse, and medical liability reform – is far more complicated. It contains subsets of HIPAA laws which sometimes overlap with each other and several of the HIPAA laws in Title II have been modified, updated, or impacted by subsequent acts of legislation.

Furthermore, since HIPAA was enacted, the U.S. Department of Health and Human Services (HHS) has promulgated six sets of “Rules” which, as they are codified in 45 CFR Parts 160, 162, and 164, are strictly speaking HIPAA laws within HIPAA laws. These are most commonly referred to as the Administrative Simplification Rules even though they may also address the topics of preventing healthcare fraud and abuse, and medical liability reform.

The HIPAA Laws Within HIPAA Laws

When the original HIPAA Act was enacted in 1996, the content of Title II was much less than it is today. Title II mostly focused on definitions, funding the HHS to develop a fraud and abuse control program, and imposing penalties on Covered Entities that failed to comply with standards developed by HHS to control fraud and abuse in the healthcare industry. However, the first two Rules promulgated by HHS were the Transactions and Code Set Standards and the Identifier Standards.

The HIPAA Transactions and Code Set Standards

The HIPAA Transactions and Code Set Standards standardize the electronic exchange of patient-identifiable, health-related information in order to simplify the process and reduce the costs associated with payment for healthcare services. They are based on electronic data interchange (EDI) standards, which allow the electronic exchange of information from computer to computer without human involvement.

The HIPAA Identifier Standards

The HIPAA Identifier Standards require covered healthcare providers, health plans, and healthcare clearinghouses to use a ten-digit “National Provider Identifier” number for all administrative transactions under HIPAA, while covered employers must use the Employer Identification Number issued by the IRS. A subsequent Rule regarding the adoption of unique Health Plan Identifiers and Other Entity identifiers was rescinded in 2019.

The HIPAA Privacy and Security Rules

One of the clauses of the original Title II HIPAA laws instructed HHS to develop privacy regulations for individually identifiable health information if Congress did not enact its own privacy legislation within three years. Consequently, the first draft of the HIPAA Privacy Rule was not released until 1999 and, due to the volume of stakeholder comments, not finalized until 2002. The HIPAA Security Rule was issued one year later.

The HIPAA Privacy Rule

The HIPAA Privacy Rule – also known as the “Standards for Privacy of Individually Identifiable Health Information” – defines Protected Health Information (PHI), who can have access to it, the circumstances in which it can be used, and to whom it can be disclosed without authorization of the patient. The Privacy Rule also includes a sub-rule – the Minimum Necessary Rule – which stipulates that the disclosure of PHI must be limited to the minimum necessary for the stated purpose for which it is used or disclosed.

The HIPAA Security Rule

Although the HIPAA Privacy Rule applies to all PHI, an additional Rule – the HIPAA Security Rule – was issued specifically to guide Covered Entities on the Administrative, Physical, and Technical Safeguards to be implemented in order to maintain the confidentiality, integrity, and availability of electronic PHI (ePHI). Out of all the HIPAA laws, the Security Rule is the one most frequently modified, updated, or impacted by subsequent acts of legislation.

The HIPAA Enforcement and Breach Notification Rules

The HIPAA Enforcement Rule (2006) and the HIPAA Breach Notification Rule (2009) were important landmarks in the evolution of the HIPAA laws. They gave HHS the authority to investigate violations of HIPAA, extended the scope of HIPAA to Business Associates with access to PHI/ePHI, and paved the way for the HIPAA Compliance Audit Program which started in 2011 and revealed where most Covered Entities and Business Associates fail to comply with the HIPAA laws.

The HIPAA Enforcement Rule

HHS had originally intended to issue the HIPAA Enforcement Rule at the same time as the Privacy Rule in 2002. However, due to a further volume of stakeholder comments relating to the definitions of covered entities and addressable requirements, and the process for enforcing HIPAA, the HIPAA Enforcement Rule was delayed for four years. The version issued in 2006 has since been amended by the HITECH Act (in 2009) and the Final Omnibus Rule (in 2013).

The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to report when unsecured PHI has been acquired, accessed, used, or disclosed in a manner not permitted by the HIPAA Privacy Rule. This was the first time reporting HIPAA breaches had been mandatory. Covered Entities or Business Associates who fail to comply with the HIPAA Breach Notification requirements can face penalties in addition to those imposed for the breach itself.

HITECH and the Final Omnibus Rule

Although the HITECH Act of 2009 and the Final Omnibus Rule of 2013 only made subtle changes to the text of HIPAA, their introduction had a significant impact on the enforcement of HIPAA laws. The passage of the HITECH Act in particular resulted in higher fines for non-compliance with HIPAA, providing the HHS’ Office for Civil Rights with more resources to pursue enforcement actions. It also gave state attorneys general the authority to take civil action for HIPAA violations on behalf of state residents.

The HITECH Act is possibly best known for launching the Meaningful Use program which incentivized healthcare providers to adopt technology in order to make the provision of healthcare more efficient. However, it also extended patients’ rights to enquire who had accessed their PHI, why, and when. The extension of patients’ rights resulted in many more complaints about HIPAA violations to HHS’ Office for Civil Rights.

The Final Omnibus Rule

While the Final Omnibus Rule mostly codified the provisions of the HITECH Act relevant to HIPAA, it also reversed the burden of proof when a HIPAA violation is identified. Previously, when a violation of HIPAA laws was identified that could potentially expose PHI to unauthorized acquisition, use, or disclosure, the burden of proving that a data breach had occurred rested with HHS. With the Final Omnibus Rule, the onus is on the Covered Entity to prove that a data breach has not occurred.

Ongoing Changes to HIPAA Laws

Although the last major change to HIPAA laws occurred in 2013, minor changes are more frequent. For example, HHS is currently seeking stakeholder comments on proposed changes to the Privacy Rule that would further extend patients’ rights, improve coordinated care, and reduce the regulatory burden of complying with the HIPAA laws.

If you would like further information about the HIPAA laws, please read our HIPAA Compliance Guide, which goes into greater detail about the background and objectives of HIPAA, who the laws apply to, and how technology solutions are helping Covered Entities and Business Associates better comply with the HIPAA laws.