The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set the first national standards for protecting personal health information. The passage of HIPAA reflected increasing public concern about the use and disclosure of health and other personal information as technological advances made access to such information much less difficult. The rules are intended to protect and enhance the rights of consumers regarding their health information, control the inappropriate use of medical records and improve the quality of health care in the U.S. by restoring trust in the health care system.

Five basic principles govern the HIPAA privacy rules:

  • Consumer Control – Patients have rights to control the release of their medical information.
  • Boundaries – With few exceptions, a patient’s health information can be used for health purposes only.
  • Accountability – There are specific federal penalties for people and organizations that violate HIPAA privacy regulations. The penalties range from a $100 fine per violation for disclosures made in error, to up to $250,000 and 10 years in prison for malicious use of medical records.
  • Public Responsibility – HIPAA provides standards for how medical information should be released for public health, research, fraud and abuse investigations, and quality assessment purposes.
  • Security – Health care organizations must establish clear procedures to protect patients’ privacy.

HIPAA also protects workers and their families by:

  • Limiting exclusions for preexisting medical conditions (known as preexisting conditions);
  • Providing rights that allow individuals to enroll for health coverage when they lose other health coverage, get married or add a new dependent; and
  • Prohibiting discrimination in enrollment and in premiums charged to employees and their dependents based on health status-related factors.

Additionally, HIPAA mandates that employers provide employees with certificates of creditable coverage when an individual loses coverage under the employer’s plan, becomes entitled to elect COBRA continuation coverage or exhausts COBRA continuation coverage. A certificate must also be provided free of charge upon request while employees have health coverage or anytime within 24 months after their coverage ends.

HIPAA also includes discrimination prohibitions to ensure that individuals are not excluded from coverage, denied benefits, or charged more for coverage offered by a plan or issuer, based on health status-related factors.