Changes to Health Insurance Portability and Accountability Act

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal statute that mandates the development of national standards to prevent confidential patient health information from being disclosed without the patient’s consent. To enforce HIPAA, the US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule (CDC, 2018). The HIPAA Security Rule safeguards a subset of the information protected by the Privacy Rule. The Privacy Rule is essential because its requirements govern how organizations subject to it use and disclose individuals’ health information.

These people and organizations are referred to as “covered entities” (CDC, 2018). The Privacy Rule also sets out individuals’ rights to understand and control how their health records are used. Its main purpose is to guarantee that patients’ private information is adequately protected while still allowing the flow of health information needed to deliver standard health services and preserve the health and well-being of the public (DHS, 2019). The Privacy Rule thus balances essential uses of patient information against the preservation of patient privacy. In the United States, personal health information is protected by law under HIPAA, which gives healthcare professionals guidelines to follow in order to keep patients’ privileged information private.

Background/Law and Applications

In enacting HIPAA, Congress mandated the formation of regulatory standards that maintain the confidentiality, integrity, and availability of electronic protected health information, protecting patients’ health details while allowing access for healthcare practitioners, health plans, and clearinghouses so that medical services can continue (Edemekong et al., 2021). Individuals and organizations in the following categories must comply with the Privacy Rule as covered entities:

  1. Healthcare providers: All health professionals, irrespective of the scale of their practice, who transmit patient information electronically in connection with specific transactions must comply with the Privacy Rule. These transactions include claims, benefit inquiries, referral requests, and other transfers for which HHS has issued standards under the HIPAA Transactions Rule.
  2. Health plans: These are organizations that provide or pay for medical services. Health plans include medical, vision, and prescription drug plans, among others, but exclude nursing home policies. Other health plans include employer-sponsored group health plans, church- and government-sponsored health programs, and multi-employer health plans (Edemekong et al., 2021). An exception is a health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it.
  3. Healthcare clearinghouses: These are firms that convert nonstandard information received from another organization into a standardized format (or the reverse). In certain cases, healthcare clearinghouses receive individually identifiable health information only when acting as a business associate of a healthcare provider or health plan.
  4. Business associates: These are people or organizations that use or disclose individually identifiable health information to perform functions, activities, or services on behalf of a covered entity. Such functions and services include claims processing, billing, utilization review, and data analysis.

The Privacy Rule covers all protected health information, while the Security Rule safeguards a subset of it: any individually identifiable health information created, received, maintained, or transmitted in electronic form by a covered entity. When reviewing requests that fall under the Rule’s permissive provisions, covered entities may rely on professional ethics and their best judgement. HIPAA is enforced by the HHS Office for Civil Rights (OCR), to which all complaints are submitted (CDC, 2018). HIPAA violations can lead to both civil and criminal penalties for covered individuals and organizations.

Personal Position on the Law

This paper supports and advocates for HIPAA because of its role in improving the effectiveness and efficiency of healthcare services. Cybersecurity incidents are common, and patient records contain private information that, when disclosed, can harm the psychological health and reputation of patients and their loved ones (“Health insurance portability and Accountability”). Existing inadequacies include the difficulty of getting all involved parties to comply voluntarily with a single set of regulations. Thus, in response to bipartisan and healthcare industry reports, the US Congress was compelled to incorporate the Administrative Simplification provisions into HIPAA (U.S. Department of Health & Human Services, n.d.). One aspect of concern here is how healthcare systems fail to understand the importance of securing patient data in an age of cybersecurity threats.

Compliance with HIPAA rules offers online safety for patients while preventing the legal sanctions associated with unauthorized exposure of patient data. To protect all patient data, Insureon (n.d.) advocates cyber liability insurance for healthcare providers handling sensitive data. Such a policy covers legal costs and other resources needed in data breach lawsuits, fraud monitoring charges, and customer notification charges. The existence of insurance against breaches of patient data implies that compliance with HIPAA is vital for all practicing healthcare providers, both to protect patient wellbeing and to prevent the associated lawsuits.

Position Defense/Adequacies

The HIPAA Privacy Rule sets national requirements for the protection of patients’ medical records and other confidential health information. It extends to health insurers, clearinghouses, and medical professionals that conduct certain healthcare transactions electronically. The Rule includes appropriate safeguards to preserve the confidentiality of sensitive health records, and it sets limits and conditions on the use and disclosure of such information without patient consent. The Rule also gives patients rights over their own health records, including the right to inspect and obtain a copy of their records and to request amendments.

The Security Rule sets national requirements for securing individuals’ electronic personal health information that a covered entity creates, receives, uses, or maintains (Office for Civil Rights, 2017). To maintain the security, confidentiality, and integrity of this sensitive information, the Security Rule requires appropriate administrative, physical, and technical safeguards. A breach is generally defined as an impermissible use or disclosure of protected health information under the Privacy Rule that compromises the confidentiality or privacy of the information. For a deliberate breach of HIPAA rules, the minimum penalty is $50,000.

Individuals who violate HIPAA face a potential criminal fine of $250,000, and victims are also entitled to compensation (Office for Civil Rights, 2017). A prison sentence, in addition to a monetary penalty, is possible for a breach of HIPAA rules.

Proposed Changes Based on Current Technology

The identified inadequacy of the law is its focus on adoption by covered entities, which leaves out other potential violators. In many cases, those who violate HIPAA rules are not the compliance entities themselves but external individuals with malicious aims. Thus, Congress, healthcare systems, and other enforcement bodies must also recognize the role of such offenders and the possibility that they are unaware of the consequences of breaching HIPAA. Congress must therefore budget for an extensive implementation program that ensures the message reaches potential HIPAA violators, and that program must include public awareness campaigns about the law and the consequences of violating it.

Applications of the Law

HIPAA applies to all the covered entities elaborated in part II: healthcare providers, health plans, healthcare clearinghouses, and business associates. HIPAA privacy legislation covers three major areas of safeguards: administrative, physical, and technical. Administrative safeguards ensure that medical data is accurate and that only authorized people have access to it. They entail procedures such as appointing an officer to manage data handling and HIPAA compliance, as well as determining which staff may access patient details. Physical safeguards include preventing the physical theft or destruction of computers containing patient details; physical protection may also be achieved by restricting network access. Finally, technical safeguards involve protecting networks and computers from data breaches. Compliance with HIPAA involves adhering to all three sets of safeguards: administrative, technical, and physical.

Case 1

One listed case involved a private insurance company that denied a patient a copy of their medical records. This action breached the patient’s right of access to personal information, and therefore the Privacy Rule. In this case, the patient is an authorized party with the right to access their own records (Office of Civil Rights, 2017). Hence, the private company violated the law and was liable to a penalty.

Case 2

In the second case, a public hospital disclosed private health information to a law enforcement agency for judicial proceedings without authorization. The public healthcare organization breached the Privacy Rule by failing to protect its patient’s private information (Office of Civil Rights, 2017). As a corrective action, OCR required the hospital to revise its subpoena processing procedures.


The HIPAA Privacy and Security Rules have significantly altered the way medical facilities and healthcare professionals operate. A healthcare practice may be put at risk if an incorrect address, contact number, email, or text message is entered on a record, or if confidential information is exposed to unauthorized parties. HIPAA awareness and practice, together with designing and sustaining programs that eliminate human error, are critical. All health professionals must be HIPAA-trained and able to recognize the pitfalls and actions that may contribute to a breach.


CDC. (2018). Health insurance portability and accountability act of 1996. Web.

DHS. (2019). Health insurance portability & accountability act. Web.

Edemekong, P. F., Annamaraju, P., & Haydel, M. J. (2021). Health insurance portability and accountability Act. NCBI. Web.

Health insurance portability and Accountability act of 1996. (2016). Web.

Insureon. (n.d.). How to comply with the HIPAA security rule. Web.

Office of Civil Rights. (2017). HIPAA for professionals. Web.

U.S. Department of Health & Human Services. (n.d.). Health insurance portability and accountability Act of 1996: Implementation of administrative simplification requirements by HHS. ASPE. Web.

LawBirdie. (2023, March 23). Changes to Health Insurance Portability and Accountability Act.