HIPAA Compliance Summary Guide

Electronic protected health information (ePHI) is important from a cybersecurity perspective because it contains sensitive and personal information that, if compromised, could have serious consequences for individuals. ePHI can include a wide range of information, such as medical records, insurance information, and treatment plans.

If ePHI is not properly protected, it could potentially be accessed or disclosed by unauthorized individuals or organizations, leading to a number of potential issues. For example, if ePHI is accessed without authorization, it could lead to identity theft or financial fraud. Additionally, the unauthorized release of ePHI could potentially compromise an individual’s privacy, as it could reveal sensitive information about their health or medical history.

HIPAA compliance helps to ensure that ePHI is kept secure and that healthcare organizations have the necessary safeguards in place to protect it.

One of the key provisions of HIPAA is the protection of electronic protected health information (ePHI).

ePHI is defined by HIPAA as any electronic information that relates to an individual’s physical or mental health, the provision of healthcare to the individual, or the payment for healthcare services.

HIPAA establishes national standards for the protection of ePHI and sets forth rules for its use and disclosure. It requires covered entities (such as healthcare providers, payers, and clearinghouses) and their business associates (such as contractors or subcontractors) to implement appropriate administrative, physical, and technical safeguards to protect ePHI.

What is HIPAA Compliance?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that was enacted in 1996. It is designed to protect the privacy and security of individuals’ personal health information. HIPAA consists of several different regulations that apply to different groups of people and organizations.

The HIPAA Privacy Rule regulates the use and disclosure of personal health information by covered entities, which are defined as health plans, healthcare providers, and healthcare clearinghouses. The HIPAA Security Rule sets national standards for the protection of electronic personal health information. The HIPAA Breach Notification Rule requires covered entities to notify individuals when their personal health information has been compromised.

HIPAA also includes provisions related to the portability of health insurance coverage, which are designed to help individuals maintain their health insurance coverage when they change jobs or experience other life events.

Overall, HIPAA is intended to protect the privacy and security of individuals’ personal health information and to ensure that this information is used appropriately.

HIPAA Compliance History Timeline

August 21, 1996

HIPAA Signed into Law by President Bill Clinton

Congress passes the Health Insurance Portability and Accountability Act (HIPAA). Bill Clinton adds his signature to the legislation and the process of modernizing information exchange in the healthcare industry begins. The bill also ensures workers do not lose health insurance coverage when changing employment.

August 12, 1998

Security and Electronic Signature Standards Rule (Security Rule) Proposed

The rule is proposed to improve security standards and better protect individual health information stored by health plans, healthcare clearinghouses and healthcare providers. It also covers the use of electronic signatures by HIPAA covered entities.

November 3, 1999

Privacy Rule Proposed

The Privacy Rule is proposed to improve privacy standards and to restrict the disclosure of Protected Health Information and personal identifiers to unauthorized individuals. Patients will also be given better access to their health data.

December 28, 2000

HIPAA Privacy Final Rule Issued

The Privacy Final Rule is issued, only to receive technical corrections the following day. The corrections concern compliance dates and access to Protected Health Information by the clergy, while the Office for Civil Rights (OCR) is delegated the responsibility of policing HIPAA.

February 28, 2001

HIPAA Stumbles

The Privacy Final Rule technical corrections came into force on February 26; however, the new Bush administration reopened the comment period, delaying the introduction of the new legislation.

March 27, 2002

Proposed Privacy Rule Modified

The DHHS makes changes to the proposed Privacy Rule to clarify its provisions and to ease the administrative burden on healthcare providers.

February 20, 2003

HIPAA Security Standards Final Rule Issued

The HIPAA Security Standards Final Rule (Security Rule) is issued and demands that all covered entities use the appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and security of electronic Protected Health Information.

April 14, 2003

HIPAA Privacy Rule Compliance Deadline

The Privacy Rule comes into effect and requires all covered entities to allow patients access to their health information on request, while limits are placed on how, when and to whom health records can be disclosed.

October 16, 2003

Transactions and Code Sets Rule Deadline

The deadline is reached for adopting new codes for transactions and electronic exchanges, including new diagnosis and procedure codes. The change is intended to increase standards and improve efficiencies in the healthcare industry.

April 18, 2005

HIPAA Enforcement Rule Proposed

The HIPAA Enforcement Rule is proposed, paving the way for OCR investigations into HIPAA violations and the issuing of financial penalties for those violations. A procedure for hearings is also introduced.

April 21, 2005

HIPAA Security Rule Compliance Deadline

All covered healthcare organizations must now comply with the new requirements of the Security Rule and implement greater controls to keep health records secure and confidential. The OCR can now issue civil penalties for violations.


Who does HIPAA Apply To?

HIPAA regulations apply to a wide range of individuals and organizations that handle personal health information. These have been classified into:

  • Covered Entities
  • Business Associates

HIPAA Covered Entity

A Health Care Provider (but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard):

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Nursing Homes

A Health Plan:

  • Health Insurance Companies
  • Health Maintenance Organizations (HMOs)
  • Company Health Plans
  • Government Programs that pay for healthcare, e.g. Medicare, Medicaid, and the Military and Veteran Health Care programs

A Health Care Clearinghouse:

  • Entities that process non-standard healthcare information they receive from other entities into a standard format (standard electronic data format or data content), and vice versa

HIPAA “covered entities” include:

  1. Health plans: This includes group health plans, health insurance companies, and government programs that pay for healthcare, such as Medicare and Medicaid.
  2. Healthcare providers: This includes doctors, hospitals, nursing homes, and other healthcare providers who transmit health information in electronic form in connection with certain transactions.
  3. Healthcare clearinghouses: These are organizations that process nonstandard health information they receive from another entity into a standard format, or vice versa.

What Is a HIPAA Business Associate Agreement (BAA)?

In addition to covered entities, HIPAA regulations also apply to “business associates,” which are individuals or organizations that perform certain functions or activities on behalf of, or provide certain services to, a covered entity. Business associates are required to protect the privacy and security of personal health information in the same way that covered entities are.

HIPAA regulations do not apply to every individual or organization that handles personal health information. For example, they do not apply to most employers or to life insurance companies. However, HIPAA regulations may still apply if an employer sponsors a group health plan or if a life insurance company receives personal health information as part of the underwriting process.
