Health Insurance Portability and Accountability Act


The Health Insurance Portability and Accountability Act (HIPAA) is a nondiscrimination rule within health care and human service organizations. This rule prohibits group health plans and other organizations from discriminating against people because of factors relating to their health. These factors include, but are not limited to, physical or mental conditions, medical history, past claims, prior health care received, and information pertaining to a person's genetics.

The primary goal of the HIPAA regulation in 1996 was to protect a person's rights regarding the release of personal information to unauthorized individuals. When this law went into effect, compliance deadlines were set for all businesses that would be affected by the HIPAA law. The deadline was October of 2002. Some entities were allowed to file for a one-year extension of the deadline. Many organizations failed to do so and are now in violation of the requirements. Most organizations and businesses were given between 12 and 18 months to modify their operations and implement the changes as advised by experts.

Many organizations didn't even start implementing the HIPAA rule until after the 2005 Security Standards compliance date. Congress wanted harsh consequences for those individuals and organizations that did not take the adoption of the data transmission standards and the safeguarding of medical information seriously. The penalty for simple compliance breaches of the HIPAA standards was $100 per person per violation, which could be capped at $25,000 per year per person. For any individual or organization that knowingly "misused" or "breached" the HIPAA standards, the penalties increased to $50,000 per person and prison time of up to one year. Anyone who "misused" information under false pretenses or with the intent to financially benefit could be fined a maximum of $250,000 and sentenced to 10 years imprisonment.

For the health care organizations and any other entity that must follow the HIPAA regulations, there are numerous resources that explain what needs to be done, how to implement the changes, and what security measures must be taken to ensure compliance with the standards. There is a 200-page HIPAA regulation handbook that the entities could read to see what needs to be done, but Congress has come up with a 12-step implementation plan that is easier to follow.

The first thing the human service entity needs to do is to learn more about HIPAA. This could include researching on the internet or speaking with someone who is an expert on the standards. Next, the company should bring HIPAA to management's attention as soon as possible, so that the company can decide whether it needs to follow the HIPAA rules and address them before the compliance dates take effect. Management should appoint someone to be the HIPAA director; this is essential in making sure the entity succeeds in satisfying all of HIPAA's requirements. A HIPAA task force should be organized to identify the areas of the company with the greatest exposure and to help create training plans for the employees. The next course of action is to develop a schedule with target dates for becoming compliant and implementing the new procedures.

Next, the entity needs to identify its HIPAA business associates to make sure that these businesses are also in compliance with the HIPAA regulations. More knowledgeable businesses can be selective about which associated businesses need to be HIPAA compliant, but many entities prepare all of their business associates just to be safe. The next step, auditing the entity's policies, is crucial in determining areas of exposure. Then the task force will identify and implement system changes to ensure that all health information is maintained and transmitted in the required formats. To meet the security standards, the entity must develop, implement, and maintain appropriate security measures, which could include encryption. The HIPAA director should track the HIPAA enforcement requirements as they are finalized and modified.

They should also monitor data, transaction, system, and security changes to stay HIPAA compliant. Last of all, the employees and the task force need to document everything. Much of what HIPAA requires boils down to identifying and documenting the health data that a company maintains and the methods it uses to maintain, store, and protect that data.

This law has already been implemented by many health care or human service organizations in the United States. I don't really think there has been a big impact on the day-to-day operations of these entities. The only thing I really see is that there is more paperwork to fill out and privacy statements that have to be signed at any facility you visit if they have to abide by the HIPAA requirements.

In my opinion, I do think that it was a great law that Congress passed. I think people feel more secure in knowing that their personal information will not get released into the wrong hands. I have heard people complain about it at times. There have been complaints about having to sign a new HIPAA form once a year, which is kind of a bother. I would argue against the law, though, in certain situations. My father has had some great illnesses over the last few years. My sisters and I were the ones who had to get him to and from the hospital for tests and surgery. We would call the doctor's office to find out test results or we would call about prescriptions, and no one would talk to us about anything. I see this as a downfall. My father was sitting right next to us when we made the call, but he was too weak to talk and was confused by all the paperwork to begin with and didn't know how to explain what we were asking. I guess, what would happen if a relative were hurt in a bad car accident and was in a coma? That person wouldn't be able to talk to the doctors and nurses. The family wouldn't be able to obtain much information because of this HIPAA law unless they had a previously written agreement with the person in the coma.

I certainly wouldn't want to be faced with the above situation. On one hand, the law says you cannot release the information, but your moral values are telling you that you should. I would need to be aware of what the issue is, and then try to decide who would be affected by my decision. I would consider all the facts and see if there were any alternatives to giving out this personal information. Then I guess I would make my decision and take action. I'm sure I would seek the decision-making advice of my supervisor before making my informed decision.

The HIPAA rule will apply to all health related entities. Employers need to keep these rules and regulations in mind when designing their health care or human service entities.
