What is HIPAA Information?

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into federal law in 1996 (Public Law 104-191). The intent of HIPAA is to improve the efficiency and effectiveness of the health care system through the establishment of standards and requirements for the electronic transmission of certain health information, by combating fraud, waste, and abuse, and by establishing security and privacy standards.

HIPAA is the single most significant Federal legislation affecting the health care industry since the creation of the Medicare and Medicaid programs in 1965. Title I of the Act improves the portability and continuity of health insurance coverage for millions of American workers and their families. Title II provides for administrative simplification that requires the development of standards for the electronic exchange of health care information.

Health Privacy Laws

State and Federal Health Privacy Laws

Privacy and security of your health information is an important part of your care. Federal and state laws have been created to protect your health information through various requirements and provisions that limit uses and disclosures, prevent unauthorized access and sharing, and provide appropriate safeguards. Whether your information is stored on paper or electronically, your health information is protected by various laws. The following list of Federal and State laws (and links) provides information about many of the protections that you have as a California patient.


HIPAA Privacy Rule:

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.  The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.

The privacy regulation specifies how health care organizations and their business partners transfer, receive, handle, protect and disclose protected health information (PHI). The regulation applies to all forms of PHI, whether paper, oral or electronic. Health care organizations are required to create privacy-conscious business practices and data systems, which include the requirement that only the minimum amount of health information necessary is used or disclosed to conduct business.

The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.


HIPAA Security Rule:

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI). 

The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

The security rule is divided into four categories:

  • Administrative Procedures: These are the documented, formal procedures for selecting and executing information security measures. The procedures also address staff responsibility for the protection of data.
  • Physical Safeguards: These safeguards protect the physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as from intrusion.
  • Technical Security Data Issues: These include the processes used to protect, control and monitor information access.
  • Technical Security Mechanisms: These include the processes used to prevent unauthorized access to data transmitted over a communications network.

    For additional information, visit

The complete suite of HIPAA Administrative Simplification Regulations can be found at 45 CFR Parts 160, 162, and 164.



Genetic Information Nondiscrimination Act (GINA):

Under Title II of GINA, it is illegal to discriminate against employees or applicants because of genetic information. Title II of GINA prohibits the use of genetic information in making employment decisions, restricts employers and other entities covered by Title II (employment agencies, labor organizations and joint labor-management training and apprenticeship programs - referred to as "covered entities") from requesting, requiring or purchasing genetic information, and strictly limits the disclosure of genetic information.



Confidentiality of Medical Information Act (CMIA) – Civil Code § 56.10-56.16:

This law protects the privacy of medical information by limiting disclosures by providers of health care, health care service plans, and contractors.

Civil Penalties for Unauthorized Access, Use, or Disclosure of Medical Information – Civil Code § 56.36:

This law was amended to further define administrative fines or civil penalties for any person or entity including licensed health care professionals who knowingly and willfully obtains, discloses, or uses medical information in violation of the Confidentiality of Medical Information Act.

Health Facilities Data Breach – Health & Safety Code § 1280.15: 

This law requires certain health facilities to prevent unlawful or unauthorized access to, or use or disclosure of, a patient's medical information. It sets fines and notification requirements for breaches of patient medical information and requires facilities to report such breaches to the California Department of Public Health.


Establishment of CA OHII to Ensure Enforcement of Confidentiality of Medical Information – Health & Safety Code § 130200:

This law establishes within the California Health and Human Services Agency the Office of Health Information Integrity to ensure the enforcement of state law mandating the confidentiality of medical information. The law requires every provider to establish and implement safeguards to protect the privacy of patients' medical information.

Medical Information, Collection for Direct Marketing Purposes - Civil Code § 1798.91:

This law prohibits a business from seeking to obtain medical information from an individual for direct marketing purposes without (1) clearly disclosing how the information will be used and shared, and (2) getting the individual's consent.

Patient Access to Health Records - Health & Safety Code § 123100:

With minor limitations, this law gives patients the right to see and copy information maintained by health care providers relating to the patients' health conditions. The law also gives patients the right to submit amendments to their records, if the patients believe that the records are inaccurate or incomplete.

Breach Notification – Civil Code § 1798.29 & 1798.82:

This law requires companies that collect personal information to notify each person in their database should there be a security breach involving personal information such as their Social Security number, driver's license number, account number, credit or debit card number, or security code or password for accessing their financial account.

This section defines "personal information" which includes medical information and health insurance information.  It defines "medical information" as any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. The provision defines "health insurance information" as any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

HIPAA Omnibus Rule (Mega rule)

Covered Entities & Business Associates Affected

New rule includes stricter enforcement and short deadlines for compliance


The Department of Health and Human Services issued this final rule to: modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act ("the HITECH Act") to strengthen the privacy and security protection for individuals' health information; modify the rule for Breach Notification for Unsecured Protected Health Information (PHI) (Breach Notification Rule) under the HITECH Act; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.

The core driver behind the HIPAA Omnibus Final Rule is to improve the quality, integrity, accessibility and confidentiality of a patient's PHI. The federal Department of Health and Human Services ("HHS") and Office for Civil Rights ("OCR") issued the amendments, which affect the Privacy, Security, Breach Notification and Enforcement Rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

March 26th, 2013 is the effective date, and Sept. 23rd, 2013 is the compliance enforcement date. The rule, which modifies the HIPAA privacy, security and enforcement rules as well as the HIPAA breach notification rule, includes greater accountability and documentation requirements.

The Omnibus Rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

The rule greatly enhances a patient's privacy protections:

  • Provides individuals new rights to their health information,
  • Strengthens the government's ability to enforce the law, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates (BA's).
  • Gives covered entities and BA's up to one year after the 180-day compliance date to modify contracts to comply with the rule.
  • Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.
  • Requires modifications to, and redistribution of, CalVet's notice of privacy practices.
  • The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
  • Extensive modifications to the HIPAA privacy, security and enforcement rules. Among the changes:
    • Applying many security and privacy requirements to business associates and their subcontractors. "Business associates ... should be able to demonstrate compliance with the security rule, which requires having a program for securing ePHI and having a patch management program in place if they are a manufacturer or a servicer of a medical device."
  • A final version of the HIPAA breach notification rule. An interim final version has been in effect since September 2009. The new version clarifies requirements for when a breach must be reported to authorities.
  • A rule spelling out that using genetic information for insurance underwriting purposes is a privacy violation under HIPAA, as well as discriminatory under the Genetic Information Non-Discrimination Act.
  • Patients can ask for a copy of their electronic medical record in an electronic form.
  • When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.
  • The rule increases restrictions on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual's health information without their permission.
  • Many medical devices store information and contain an operating system, such as Microsoft Windows. Under the new rule, companies that service medical devices and have access to the patient information they contain are now considered business associates, and the new rule clarifies that all BAs must comply with the HIPAA Security Rule. If the device manufacturer, or a middleman, has a service contract with the provider that gives it access to electronic protected health information (ePHI) stored within the device, then the company is considered a business associate under the broadened definition within the new rule. So to comply with HIPAA, "medical device servicers" will need to implement a patch management program to protect against viruses.
    • Makers of devices such as insulin pumps and pacemakers have resisted applying patches to the operating system within the device, expressing concern that modifications could affect performance.
    • Security for wireless implanted devices is a growing concern. For example, an "ethical hacker" recently demonstrated how an implanted wireless heart defibrillator can be hacked from 50 feet away to deliver a potentially dangerous shock.


  • The liability of a Covered Entity for actions of a BA is greater under the Omnibus Rule. The Omnibus Rule removes exceptions to a covered entity's (CE) exposure and increases CE liability for the acts of BAs in certain scenarios.
  • As a result of the HIPAA Omnibus Rule, some covered entities will be making more demands in their BA agreements and transferring all the costs of breach remediation to the BA when the BA is responsible for the breach.
  • BAs now face greater liability for failure to meet the security requirement measures to protect electronic PHI. BAs will need to keep a list of all their subcontractors, "but" patients will never know who all these downstream users of their data are.

Among its many provisions, it clarifies that BAs and their subcontractors must comply with HIPAA. Under HIPAA Omnibus, covered entities, BAs and subcontractors can be held responsible for the compliance conduct of their "downstream" partners under certain circumstances. BAs must update their agreements with their subcontractors and carefully monitor their partners' efforts to protect patient data. BAs and their subcontractors must now "immediately" document their privacy and security practices.

Note: For example, a health care facility could be responsible for the conduct of a downstream BA if the vendor qualifies as an "agent" of the facility; the term "agent" refers to vendors that have received certain instructions from the covered entity, like a hospital, about how to perform various functions. As a result, if there is a breach in which an "agent" - such as a BA - is at fault, the hospital/healthcare provider could face civil penalties.

Vendors providing services to healthcare organizations need to take the initiative to carefully determine if they qualify as a BA under the expanded definition, which includes subcontractors that handle protected health information (PHI). HIPAA Omnibus makes it clear that BAs and their subcontractors must comply with most HIPAA provisions.

Transactions and Code Sets

The first HIPAA Final Rule, federal legislation issued in October 2000, adopts standards for eight electronic health transactions and for code sets to be used in those transactions. Health claims, health plan eligibility, enrollment and disenrollment in a health plan, payments for care and health plan premiums, claim status, referral certification and authorization, coordination of benefits, and related transactions, are all examples of electronic health transactions. Today, health providers and plans use many different electronic formats for these transactions. This rule requires everyone to use specific electronic formats for these transactions. Standards for the first report of injury and claims attachments will be adopted at a later date.

Use of standard code sets will also be required in all health transactions. Standards will be adopted for coding systems that describe diseases, injuries, and other health problems, as well as their causes, symptoms, and actions taken to prevent, diagnose, treat, or manage these diseases, injuries, and other health problems. Standards will be set for any substances, equipment, supplies, or other items used to perform these actions as well.

National standards for electronic health care transactions will encourage electronic business in the health care industry and simplify the processes involved. Standardization will improve the overall data quality, reduce handling and processing time, eliminate the risk of lost paper documents and inefficiencies of handling paper documents, and decrease administrative costs for providers.

Virtually all health plans will have to adopt these standards, even if a transaction is submitted by paper, phone or fax. Providers using non-electronic transactions are not required to adopt the standards; although if they don't, they will have to contract with a clearinghouse to provide translation services.


Health care organizations are currently able to assign proprietary identifiers to identify health care providers, employers, health plans and individuals. This lack of standardization has led to system incompatibilities, administrative inefficiencies and accuracy problems. These rules will eventually establish standards for unique identifiers for providers, plans, employers and individuals.

Under a proposed standard related to EDI (electronic data interchange) formats, National Provider Identifiers (NPI) would be assigned to all providers and used by both public and private health plans. As proposed in the Federal standard, NPIs would be used by all health organizations that conduct HIPAA-specific electronic transactions. The NPI was proposed as an 8-digit alphanumeric identifier. However, many of those who have commented on the proposed rule prefer a 10-digit numeric identifier. Finalization of the specifications is expected in the future.

Employers frequently also have to be identified in electronic health care transactions. The adoption of the Employer Identification Number (EIN) as the standard unique identifier for employers in the filing and processing of health care claims and other transactions becomes effective July 30, 2002. The EIN is issued and maintained by the Internal Revenue Service (IRS). Businesses that pay wages to employees already have EINs. The identifier has nine digits, with the first two digits separated by a hyphen as follows: 00-0000000.



Glossary of HIPAA Terms

Off-site link to the Centers for Medicare & Medicaid Services (CMS), a Federal agency within the U.S. Department of Health and Human Services. (The CMS HIPAA glossary should not be considered a legal document.)

