The Health Insurance Portability and Accountability Act of 1996 protects the privacy of health information, sets national standards for securing electronically stored health information and establishes a procedure for notifying patients in the event of unauthorized disclosure of health information, according to the U.S. Department of Health and Human Services. Health care providers, insurers and clearinghouses are covered entities subject to HIPAA.
The HIPAA privacy rule protects individually identifiable health information from disclosure without authorization unless there are special circumstances, according to HHS. Patients also have the right to access their medical records for a small fee pursuant to the privacy rule.
The HIPAA security rule sets nationwide standards for covered entities to protect individually identifiable health information from disclosure and was enacted in light of the medical field's shift to storing medical records electronically, explains HHS.
HIPAA requires covered entities to notify affected individuals when their health information has been disclosed without authorization, notes HHS. Covered entities must also notify the secretary of HHS of any breaches of patient health information. If the privacy breach affects more than 500 individuals, the covered entity must notify the media.
The Office of Civil Rights for HHS enforces HIPAA and is responsible for investigating complaints. Fines for HIPAA violations range from $100 to $50,000 per violation, up to $1.5 million for violations of a single provision, according to TrueVault. The U.S. Department of Justice may seek criminal penalties for egregious violations.