The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an important legislative Act that requires healthcare organizations that conduct transactions electronically to develop and implement controls that safeguard the privacy of patients and the security of healthcare data. But specifically, what is protected by HIPAA?
What is Protected by HIPAA and How Must PHI be Safeguarded?
All HIPAA covered entities should be well aware of the types of data that must be safeguarded in order to comply with HIPAA Rules, but many patients are unsure exactly what is protected by HIPAA.
The HIPAA Privacy Rule requires HIPAA covered entities and their business associates to protect virtually all individually identifiable health information that is created, stored, maintained, or transmitted by HIPAA covered entities – typically healthcare providers, health plans and healthcare clearinghouses – and their business associates.
The HIPAA Privacy Rule refers to individually identifiable health information as ‘Protected Health Information’ which includes past, present, and future information on an individual’s physical or mental health condition and data relating to the provision of healthcare or the payment for healthcare services. The HIPAA Privacy Rule also places restrictions on the allowable uses and disclosures of PHI.
While PHI can include information such as names, addresses, and phone numbers, it would only be considered PHI if it was included along with health data.
De-identified health information is not protected by HIPAA Rules. This is healthcare information that has been stripped of all identifiers that would allow an individual to be identified.
The HIPAA Security Rule requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of PHI; these safeguards must include administrative, technical, and physical safeguards. HIPAA is deliberately not technology-specific, so that regular updates to HIPAA Rules are not required when new technology becomes available. The exact safeguards that must be implemented should be based on a risk analysis and are left to the discretion of the covered entity.
Can a Patient Sue for a HIPAA Violation?
If a patient or health plan member believes their privacy has been violated or HIPAA Rules have not been followed, they can submit a complaint to the Department of Health and Human Services’ Office for Civil Rights (OCR). OCR takes all complaints seriously and will investigate complaints, provided they are not submitted anonymously.
If a HIPAA-covered entity or business associate is discovered to have violated HIPAA Rules, OCR has the power to issue fines and other sanctions. In many cases, when the violation is not severe and corrective action is voluntarily taken to correct the violation and ensure similar privacy breaches do not occur in the future, OCR may deem that action sufficient.
When particularly egregious violations of HIPAA Rules have occurred, widespread compliance issues are discovered, or there have been willful violations of HIPAA Rules, financial penalties may be deemed appropriate.
There is no private cause of action in HIPAA, so it is not possible for patients to sue for a HIPAA violation. However, it may be possible to take legal action against an individual or healthcare organization under state laws.
What are the Penalties for HIPAA Violations?
Civil penalties for HIPAA violations can be issued to HIPAA covered entities, business associates of HIPAA-covered entities, and healthcare employees by the HHS’ Office for Civil Rights and state attorneys general. Criminal penalties for HIPAA violations are also a possibility when HIPAA has been willfully violated.
The penalties for HIPAA violations for covered entities and business associates are detailed in the infographic below.