
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 to protect sensitive patient information. It establishes strict privacy standards for healthcare providers, plans, and their business associates, with severe civil and financial penalties for violations. While HIPAA does not provide a private cause of action, allowing individuals to sue for violations, it empowers the Department of Health and Human Services (HHS) to enforce compliance through civil monetary penalties and criminal liability. This raises the question: is HIPAA a case law, and if not, what legal recourse do individuals have when their health information is compromised?
| Characteristics | Values |
|---|---|
| Name | Health Insurance Portability and Accountability Act (HIPAA) |
| Type of Law | Federal law |
| Year | 1996 |
| Enacted by | 104th United States Congress |
| Signed into law by | President Bill Clinton |
| Date enacted | August 21, 1996 |
| Purpose | To alter the transfer of healthcare information, stipulate guidelines to protect personally identifiable information, and address limitations on healthcare insurance coverage |
| Protected Information | Medical records, billing information, and any other health information |
| Patient Rights | Right to access health records and request corrections |
| Violation Consequences | Civil monetary penalties, settlements, and potential imprisonment |
| Regulating Body | Department of Health and Human Services (HHS) |
| Enforcement Body | Office for Civil Rights (OCR) |
| Waiver | Possible during disasters, e.g., Hurricane Harvey in 2017 |
Explore related products
What You'll Learn

HIPAA violation cases and penalties
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to simplify health care administration, prevent fraud, and protect patients' private medical information. The US Department of Health and Human Services (HHS) issued rules to help organizations meet the requirements of this framework. These include the Security Rule, the Privacy Rule, and the Breach Notification Rule.
The Department of Health and Human Services Office for Civil Rights (OCR) investigates HIPAA complaints and conducts periodic audits of HIPAA-covered entities and their business affiliates. When data breaches occur, OCR investigates cases involving 500 or more records. State attorneys general may also look into complaints about potential violations.
There are two types of HIPAA violations: civil and criminal. Civil penalties are usually issued in cases where the offender was unaware they were committing a HIPAA violation. Criminal penalties are usually issued in cases where individuals knowingly obtains or uses PHI without permission. Criminal HIPAA violations and penalties fall under three tiers:
- Tier 1: Deliberately obtaining and disclosing PHI without authorization — up to one year in jail and a $50,000 fine.
- Tier 2: Offenses committed under false pretenses — penalties can be increased to a $100,000 fine, with up to 5 years in prison.
- Tier 3: Offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm — fines of $250,000 and imprisonment up to 10 years.
The OCR has investigated and resolved over 31,191 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA-covered entities and their business associates. In some cases, OCR has imposed civil monetary penalties (CMPs) on the covered entity. CMPs for HIPAA violations are determined based on a tiered civil penalty structure. The secretary of HHS has discretion in determining the penalty amount based on the nature and extent of the violation and the harm resulting from it.
Some examples of HIPAA violation cases include:
- University of Texas MD Anderson Cancer Center was ordered to pay a civil monetary penalty of $4,348,000 due to impermissible disclosure of PHI of 34,883 patients due to a lack of encryption.
- Memorial Hermann Health System agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights for $2.4 million.
- A solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. After being notified by OCR about a proposed fine of $105,000, the dentist requested a hearing with an Administrative Law Judge, but settled out of court and agreed to a fine of $30,000.
Case Law Retroactivity: When Does It Apply?
You may want to see also
Explore related products
$21.97 $21.97

The Privacy Rule and protected health information
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established the Privacy Rule, which sets national standards for the protection of certain health information. The Privacy Rule addresses the use and disclosure of individuals' health information, referred to as "protected health information" (PHI), by organisations subject to the rule, known as "covered entities".
Covered entities under the Privacy Rule include healthcare providers, healthcare clearinghouses, and health plans that conduct certain health care transactions electronically. This includes any healthcare provider, regardless of the size of the practice, who electronically transmits health information in connection with certain transactions. Healthcare clearinghouses are entities that process non-standard information received from another entity into a standard format or vice versa.
The Privacy Rule permits the use and disclosure of PHI without an individual's authorisation or permission in certain circumstances, including for public health activities, such as preventing or controlling disease, injury, or disability, and reporting child abuse and neglect. Covered entities may also disclose PHI to entities subject to FDA regulation for purposes such as adverse event reporting, tracking products, and product recalls. In the case of work-related illnesses or injuries, covered entities may disclose PHI to employers when requested to comply with occupational safety regulations.
The Privacy Rule also establishes individuals' privacy rights to understand and control how their health information is used. Individuals have the right to examine and obtain a copy of their health records and to direct a covered entity to transmit an electronic copy of their protected health information to a third party.
HIPAA violations may result in civil monetary penalties, with the secretary of the Department of Health and Human Services (HHS) determining the amount based on the nature and extent of the violation and the resulting harm. Criminal violations of HIPAA are handled by the Department of Justice (DOJ), and individuals who ""knowingly" obtain or disclose individually identifiable health information may face fines of up to $50,000 and imprisonment of up to one year.
Case Law vs Moral Law: A Complex Relationship
You may want to see also
Explore related products
$24.99 $24.99

Criminal liability under HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 contains provisions for civil and criminal penalties in the event of non-compliance. The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA's Privacy and Security Rules. If a complaint describes a potential criminal violation of HIPAA, the OCR may refer the matter to the Department of Justice (DOJ) for investigation and potential prosecution.
Individuals such as directors, employees, or officers of a covered entity (CE) may be directly criminally liable under HIPAA's corporate criminal liability provisions. If an individual of a CE is not directly liable, they can still be charged with conspiracy or aiding and abetting. The DOJ interprets the "knowingly" element of criminal liability as requiring knowledge of the actions constituting an offense, rather than specific knowledge of violating HIPAA. Lack of awareness of HIPAA requirements is generally not considered a valid defense.
OCR may also impose civil monetary penalties (CMPs) for HIPAA violations, with amounts ranging from $141 to $2,134,831 per violation. The secretary of HHS has discretion in determining the CMP amount based on the nature and extent of the violation and resulting harm. Corrective action plans may also be required to address compliance deficiencies. While there is no private right of action under HIPAA, individuals whose electronic PHI has been compromised may take legal action against the breached entity if they can prove harm due to negligence.
Writing Case Law Exams: A Step-by-Step Guide
You may want to see also
Explore related products
$24.87
$27.36 $64.99

HIPAA and state laws
The Health Insurance Portability and Accountability Act (HIPAA) was enacted on August 21, 1996, to establish a national standard for the privacy and security of medical information. This was necessary as, prior to HIPAA, each state had its own requirements for how patient medical information should be kept private and secure.
HIPAA is a federal law that sets a floor for privacy protections and rights for individuals' identifiable health information. It applies to covered entities and their business associates, who must comply with all its applicable requirements. State laws may provide additional protections for individuals' health information, but they cannot contradict or conflict with HIPAA. If a state law does conflict with HIPAA, the federal law controls.
The Department of Health and Human Services (HHS) may, upon request, issue a determination that a contrary state law will not be preempted by federal requirements if certain criteria are met. A state law is "'contrary' to HIPAA if it is impossible to comply with both or if the state law is an obstacle to accomplishing the full purposes and objectives of HIPAA.
HIPAA violation cases are investigated by the Office for Civil Rights (OCR) and may result in civil monetary penalties or settlements. There is no private cause of action in HIPAA, so individuals whose information has been compromised cannot sue a HIPAA-regulated entity for a HIPAA violation. However, they may be able to take legal action under state law if they have suffered harm due to negligence.
Writing a Law Review: Crafting Case Comments
You may want to see also
Explore related products
$9.99
$7.99

HIPAA compliance and training
HIPAA, or the Health Insurance Portability and Accountability Act, sets out rules for handling and protecting private health information (PHI). HIPAA compliance and training are crucial for any organisation or individual who works in or with the healthcare industry or has access to protected health information. The primary goal of HIPAA compliance is to protect patient privacy and the security of their health information.
HIPAA compliance training educates employees on recognising and handling PHI, including proper use and disclosure, securing PHI, and reporting breaches. Training also covers the HIPAA Privacy Rule, which safeguards medical records and PHI, and the HIPAA Security Rule, which adds protections for electronic health information and mandates breach notifications.
HIPAA training is offered online and in-person, with courses ranging from 1 to 4 hours. These courses ensure employees understand the required guidelines and stay compliant. While there is no official government certification for HIPAA, completing these courses provides certificates of completion and helps organisations follow important guidelines.
HIPAA training is mandatory for anyone working in or supporting healthcare. Employers in states like Florida and Texas often require workers to receive regular HIPAA training, especially when dealing with sensitive information. Annual training is a requirement, and organisations must also conduct yearly risk assessments and self-audits as part of their compliance obligations.
HIPAA compliance training is an essential step in ensuring employees understand and adhere to HIPAA regulations. By providing this training, organisations can prevent breaches and fines while maintaining patient privacy and information security.
Writing a Case Summary: A Step-by-Step Guide for Law Students
You may want to see also
Frequently asked questions
HIPAA stands for the Health Insurance Portability and Accountability Act, which was enacted in 1996. It aims to protect the privacy of individuals' health information while allowing authorized access to healthcare providers, clearinghouses, and health insurance plans.
HIPAA covers a range of topics, including medical records, billing information, and other health information. It also provides guidelines for pre-tax medical spending accounts, changes to health insurance laws, and group healthcare plans.
Violating HIPAA can result in civil monetary penalties, settlements, and even criminal charges. The penalties depend on the nature and extent of the violation and the harm caused. Criminal violations can result in fines of up to $50,000 and imprisonment of up to one year.
While there is no private cause of action in HIPAA, individuals whose ePHI has been compromised may be able to take legal action against the breached entity if they can prove harm due to negligence.










































