HIPAA: What is It and Why Do I Need It?

A lot of us may have heard of HIPAA, but we might not know what it is, what it does, or why we need it. If that’s you, then let’s get down to business.

So what is it?

The Health Insurance Portability and Accountability Act (or HIPAA) is a Federal law that mandated the creation of national standards in order to protect the privacy of a patient’s health care information. The Privacy Rule—which went into effect on April 14, 2003—controls both the use and disclosure of any “Protected Health Information.” In the broadest sense, this can be defined as “Individually identifiable health information transmitted or maintained in any form which:

  • is held by a covered entity or its business associate;
  • identifies the individual or offers a reasonable basis for identification;
  • is either created or received by a covered entity or an employer; or
  • relates to a past, present or future physical or mental condition, provision of health care or payment for health care.”

But to whom does HIPAA apply?

HIPAA restricts covered entities from sharing any of your protected health information. Such entities include health care providers that conduct any transactions in electronic form, health care clearinghouses, and health plans. Basically, it places limits on any health care provider or insurance company that uses computers in the normal course of business.

So what happens if such an entity violates HIPAA?

Entities that violate the terms of HIPAA are subject to civil fines and criminal penalties, along with possible time in jail. The civil fines range from $100 per violation up to an annual maximum of $25,000 for general violations of HIPAA, and $50,000 per violation up to an annual maximum of $1.5 million for willful violations. Entities that knowingly obtain or disclose any identifying information may face criminal penalties, including fines of up to $50,000 as well as imprisonment for up to one year.

Those who violate the terms with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm face fines of $250,000 and imprisonment of up to 10 years.

What does this mean for you?

Almost everyone would agree that our health care providers and insurance companies should look after and protect our medical information. Still, with such high penalties associated with any violation, many of them are understandably reluctant to share medical information with anyone but their patient, including close family members like a spouse or children. A well-made medical power of attorney should arguably be sufficient to authorize your health care provider to share any medical information with the health care agent. But if the document does not specifically authorize the transmission of health information as required by HIPAA, your doctor may choose to play it safe and refuse to share any such information with your agent, who might need it to make informed medical decisions on your behalf. Also, your health care agent does not have the authority to act under your medical power of attorney until your doctor determines that you are indeed incompetent, so you might want someone to be able to access your records before then.

As an example, you might want your agent to call the doctor’s office about any questions on bills, or discuss medical conditions you have with your doctor in case you are hospitalized. Having a HIPAA authorization would allow them to do that for you.

Because of this, many law professionals will recommend their clients fill out and sign a separate document that authorizes the disclosure of protected health information.

Such an authorization allows you to name an individual to have access to any of your medical information so that your doctor or insurance company has no reservations about sharing any protected medical information with them.