The first step to understanding HIPAA / NIST compliance is understanding what HIPAA is, what is does, and why it’s important. Read on for some basic facts about the HIPAA law as provided by CSCi, a company which specializes in HIPAA / NIST compliance in San Diego.

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This U.S. federal law was applied to all 50 states and the District of Columbia when it was signed by then-president Bill Clinton. Significant updates were made to the HIPAA law in 2003 and 2006.

What Does the HIPAA Act Do?

As the act is written, HIPAA is divided into two major parts, called Title One and Title Two, each with a slightly different purpose. Both are designed to protect people from certain potentially damaging practices within the healthcare industry.

Part of the HIPAA act was designed to protect individuals who have health insurance through their places of work. It protects them and their families from losing their health care coverage when they lose their jobs or transition into new jobs. This part of the law is covered under Title One of the HIPAA act.

Those who’ve visited a doctor’s office since the law went into effect may be familiar with Title Two, the part of the law that requires patients to sign a document stating that they’ve been informed of their medical record confidentiality rights. Lawmakers designed this part of the law to protect individuals from losing their health insurance and/or their jobs due to health-related information (called Protected Health Information, or PHI) being shared with an employer or an employer’s representatives without the employee’s knowledge and/or permission. Title Two limits the sharing of PHI to only those individuals and organizations that the patient has agreed to share this information with.

Under Title Two of HIPAA, hospitals and other health care providers are permitted to share relevant PHI with law enforcement agencies about individuals who are under investigation. Other laws, such as the mandatory reporting of suspected child abuse, also supercede the individual’s right to privacy when it comes to PHI.

What Is the Penalty for Violating the HIPAA Act?

According to the enforcement clause of the HIPAA act, violations of an individual’s privacy rights under the HIPAA act are divided into either criminal offenses or civil rights violations. For a civil rights violation, the penalty is typically a fine. An individual or healthcare organization can be fined a maximum of $500,000 per violation up to $1.5 million per year if found responsible for a civil rights violation under HIPAA. If found responsible for a criminal offense under HIPAA, the individual can serve up to ten years in prison and be fined up to $250,000.