Health Insurance Portability and Accountability Act

HIPAA was enacted by Congress to ensure health care coverage and privacy for patients.

Congress enacted the Health Insurance Portability and Accountability Act, or HIPAA, in 1996 to help ensure both health coverage and privacy for patients. The need for privacy was realized when more and more health information was being recorded and exchanged electronically. Before HIPAA, there were very few laws in place to help retain a patient's privacy when their medical records were recorded on a computer rather than in the once-standard paper chart.

HIPAA is divided into two main titles:


  • Title I works with group and individual health insurance plans to ensure that coverage stays available to you.
  • Title II lists health care system rules and penalties but is most well known for its "Administrative Simplification" rules.

These rules are drafted by the Department of Health and Human Services and are used to help make the exchange of your electronic health information safe and efficient throughout the nation's health care system.

In this article, we'll find out more about each of these titles. First, we'll start with Title I.


HIPAA's Title I


As mentioned in the previous section, HIPAA's Title I primarily involves group health insurance plans and your access to them. First, HIPAA ensures that a group health plan can't deny coverage or set the amount of your monthly premium based on your health status, which includes your medical history, genetic information or any disability you may have. This means, for example, that you'll be offered the same coverage that your older, diabetic co-worker is offered, at the same premium amount.

Secondly, Title I establishes rules on how a group plan handles a pre-existing condition. Before HIPAA, there were many people who were completely denied health insurance based on chronic medical conditions, regardless of how well the condition was controlled. Today, thanks to HIPAA, group health insurance plans must follow rules regarding what's considered a pre-existing condition and how long they can exclude coverage for these conditions.


Specifically, under the HIPAA guidelines, the maximum amount of time that you have to wait in order to get coverage for your pre-existing condition can't exceed 12 months, or 18 months for late enrollees (someone who doesn't enroll during general open enrollment). However, most of us who go from one job's group insurance plan to another without a break won't have to endure an exclusion period at all. In these cases, HIPAA uses what's known as "credible coverage" in order to reduce, or eliminate, this pre-existing condition exclusion period. "Credible coverage" refers to any health care insurance you had before your new insurance plan, as long as it wasn't interrupted by a period of 63 or more days. This time period can be longer depending on your state laws and the type of insurance plan you were on.

Once you've proven that you've had uninterrupted insurance, that insurance coverage can be added up and credited toward any pre-existing condition exclusion you may have. In fact, if you had at least one year of group health insurance at one job and then received health insurance at a new job without a break of more than 63 days, the new health insurance plan can't impose a pre-existing condition exclusion on you at all. But if the break in coverage was greater than 63 days, no health insurance coverage before the break is counted toward your pre-existing condition exclusion period.

In addition to governing group insurance plans, HIPAA does have some power over individual insurance plans. In cases where someone moves from a group plan to an individual plan, an "eligible individual" can't be denied health coverage or given a pre-existing condition exclusion [source: AARP]. However, these individual plans can raise your monthly premium based on your health status, and oftentimes the offered plans have higher monthly premiums and fewer benefits than those offered in a group plan. To qualify as an eligible individual, you must have been covered by a group health plan for a minimum of 18 months without a 63-day break in coverage. In addition, the loss of your group coverage can't have been because you failed to pay your premiums or committed insurance fraud. Finally, you may be considered eligible if you can't get any other type of insurance, such as COBRA, Medicaid or Medicare.

Now that HIPAA has helped ensure you get health care, it can also make sure that your care is kept private. We'll find out more about Title II of HIPAA in our next section.


HIPAA's Title II

HIPAA protects people's privacy in electronic transactions made in regard to their health insurance. These transactions can include enrolling in your plan, filing a claim or checking on the status of a claim.

As most of us living in this high-tech world have noticed, paper isn't used very much anymore, and technology has certainly invaded health care. In many health care settings, providers open a computer file instead of a file cabinet when retrieving a patient's medical record. While these electronic filing systems are generally deemed efficient, they may also prove dangerous to your privacy. Because technology was outgrowing our paper-based privacy laws, HIPAA was enacted to ensure the patient's privacy while allowing electronic access to his or her information. HIPAA also makes sure that the efficiency of the electronic information system improves each year. Both of these goals are accomplished in HIPAA's Title II "Administrative Simplification" rules, which are issued by the Department of Health and Human Services: the Standards for Electronic Transactions, the Unique Identifiers Standards, the Security Rule, the Privacy Rule and the Enforcement Rule.

Standards for Electronic Transactions

The first section of the Administrative Simplification rules involves the implementation of a national standard for electronic health care transactions. These types of transactions include plan enrollment, health claims, eligibility determination, claim status verification, and care and premium payments. While some of these transactions may have been available on some health care systems before, HIPAA intends for all transactions to be processed using the same electronic format so that your health information can be shared, when you request it to be, with providers across the country.


However, there are exceptions to this standardization. If, for example, your family doctor is still using paper files, he or she doesn't have to start using an electronic transaction system if the practice only sees clients with commercial health insurance plans. Because Medicaid and Medicare do require the use of these electronic systems, though, providers who see those patients will have to start using them or pay a translator company to enter their non-electronic information into the standard system.

Unique Identifiers Standards

The second section deals with the Unique Identifiers Standards, which require a national provider identifier (NPI) for all health care providers, plans and clearinghouses that use an electronic system. This NPI is a 10-digit number -- usually an employer's tax ID number or an employee's ID number -- that providers use to log in to the system. This rule is ultimately intended to reduce confusion and error between health care organizations during electronic transactions.

We'll continue with the next three rules of Title II on the following page.


Rules of Title II

The privacy rule, perhaps the most recognizable rule of HIPAA, protects all health information -- electronic and paper.

The Security Rule

The third section of the Administrative Simplification rules is the Security Rule. This rule, as the name implies, involves the security safeguards used with each patient's electronic protected health information, or ePHI. Basically, this section deals with the various security standards each provider must abide by to ensure the highest level of confidentiality for all the ePHI your provider creates, receives, updates or sends. Providers are also expected to protect their entire electronic system from any threats to its security, whether computer bugs or even indiscreet office personnel.

The Privacy Rule

Unlike the other sections mentioned, the Privacy Rule applies to health information in any form, be it paper or electronic. When people mention HIPAA in health care, this rule is usually what they're referring to. Your personal health information includes not only your entire medical record, but even the payments you've made for health care.


Because of the importance of this rule, there are comprehensive compliance requirements for both employees and patients of any given health care facility. For example, if you work in the health care field, you have probably been required to watch a video or take a quiz on privacy and HIPAA. Most of these videos focus on the Privacy Rule rather than the other sections of HIPAA discussed in this article. If you aren't in health care, you've probably been exposed to this rule when your doctor or other health care provider asked you to sign a HIPAA form during check-in. This form documents that you've been formally notified of your doctor's privacy practices in regard to your health information.

Under the Privacy Rule, you have full access to your medical records, can restrict others from gaining access to them, and can even find out who has accessed your medical record. In addition, you can request that changes be made to your medical record if you believe the information isn't accurate. Under this rule, the amount of your health information that is shared is kept to the minimum needed for treatment or business operations. The rule also allows you to decide whether you want your health information to be used for purposes not related to your treatment or payment, such as a research project.

The Enforcement Rule

This rule, which became effective in March 2006, involves the civil money penalties against those who violate any of the Administrative Simplification rules. Before this rule came into effect, these civil penalties were only applied to those who were noncompliant with the Privacy Rule. Now, violators of any rule in the Administrative Simplification process can be punished. This rule also details how an investigation should take place, how the penalty is determined and how to appeal a ruling.
