HIPAA Executive Overview
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA, was enacted as part of a broad Congressional attempt at incremental healthcare reform. The "Administrative Simplification" aspect of that law requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for maintenance and transmission of health information that identifies individual patients.
These standards are designed to:
- Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for specified administrative and financial transactions.
- Protect the security and confidentiality of electronic health information.
The requirements outlined by the law and the regulations promulgated by DHHS are far-reaching: all healthcare organizations that maintain or transmit electronic health information must comply. This includes health plans, healthcare clearinghouses, and healthcare providers, from large integrated delivery networks to individual physician offices. After the final standards are adopted, small health plans have 36 months to comply. All others, including healthcare providers, must comply within 24 months.
The law provides for significant financial penalties for violations:
General Penalty for Failure to Comply:
- Each violation: $100.
- Maximum penalty for all violations of an identical requirement: May not exceed $25,000.
Wrongful Disclosure of Individually Identifiable Health Information:
- Wrongful disclosure offense: $50,000, imprisonment of not more than one year, or both.
- Offense under false pretenses: $100,000, imprisonment of not more than 5 years, or both.
- Offense with intent to sell information: $250,000, imprisonment of not more than 10 years, or both.