Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act, or HIPAA, applies to your business if you handle any U.S. health data. To help you understand if you must comply with the Act, here's an overview of HIPAA, how it works, and how to comply with the Act's provisions.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.

  Privacy Policy Generator - Select platforms - Step 1

  3. Add information about your business: your website and/or app.

  Privacy Policy Generator - Add your business info - Step 2

  4. Select the country:

  Privacy Policy Generator - Add your business info - Step 2

  5. Answer the questions from our wizard relating to what type of information you collect from your users.

  Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

  Privacy Policy Generator - Enter your email address - Step 4

And you're done! Now you can copy or link to your hosted Privacy Policy.

Introduction to HIPAA

First enacted in 1996, HIPAA helps to regulate how businesses can share and process healthcare information. More broadly, the Act aims to reform healthcare.

The purposes of the Act are as follows:

  • Improve the privacy and security of patient health information
  • Provide clear, enforceable standards for protecting health data
  • Improve health insurance portability, which makes it easier for people to switch providers
  • Reduce the risks of healthcare and health insurance abuse and fraud, e.g. fraudulent claims

In other words, the Act:

  • Gives people more control over their private healthcare information
  • Sets enforceable standards for businesses to follow if they process or collect health data
  • Helps businesses understand how they can better protect health data and ensure patient confidentiality

HIPAA contains five titles:

  • Title I: This title protects someone's health insurance coverage if they change or lose their jobs
  • Title II: Also known as the "Privacy Rule," Title II is concerned with protecting privacy in electronic healthcare transactions
  • Title III: Title III covers tax issues
  • Title IV: This title covers some definitions for health insurance reform purposes
  • Title V: Finally, Title V concerns life insurance

For our purposes, Title II is most important. However, you should be aware that each title could potentially apply to your business.

Title II Privacy Rule

HIPAA Title II establishes standardized national rules for protecting certain categories of health information. Title II covers "protected health information," or PHI.

PHI means "individually identifiable health information," which is any health data you can use to identify a person.

Examples include:

  • Diagnosed mental or physical health conditions
  • Health care treatment details e.g. treatment plans
  • Health plans e.g. insurance and payment details
  • Name, date of birth, address or similar personal information

The Privacy Rule doesn't cover de-identified health data, which is data you can't reasonably use to identify a specific person. For example, this could include anonymized healthcare statistics or results from a study.

When in doubt, though, assume HIPAA applies and treat the data as identifiable health information.

Who Must Comply With HIPAA

Under Section 1172, the following businesses must comply with HIPAA:

  • Health plan providers
  • Health care providers
  • Health care clearinghouses (companies that process nonstandard health data into a standard format, e.g. an electronic format)

You should also comply with HIPAA if you provide services to the above businesses and need access to health information to provide those services, e.g. lawyers and companies that destroy medical records.

HIPAA Requirements

Now that we're clear on who must comply with HIPAA, here's a summary of what's required of businesses obliged to comply with Title II.

Understand Patient Rights

Under HIPAA, individuals have the right to:

  • Know how their health information is shared, and for what purposes
  • Correct any errors in their health data
  • Ask for (and receive) a copy of health records
  • Give permission before a business can use health data for marketing or commercial reasons
  • Complain if a business fails to protect their data

As a business owner, you must understand these rights so you can help people exercise them.

Inform Users of Their Rights

As a business handling health data, you must inform users of what rights they have regarding their personal information. You can do this through a Privacy Policy, which we'll discuss below.

Protect Health Information

You must ensure there are sufficient security measures in place to protect any health data you collect, process, share, or destroy.

You should also:

  • Limit who can view or access health data
  • Perform regular risk assessments
  • Provide security and HIPAA training to any employees with health data access

How to Comply With HIPAA

Luckily, HIPAA compliance is more straightforward than it may seem at first glance. To comply with the HIPAA requirements outlined above, you must do two things:

  • Provide a HIPAA-compliant Privacy Policy on your website
  • Design and implement a HIPAA compliance program

Let's consider each of these requirements individually.

HIPAA Privacy Policy

A Privacy Policy describes how your company processes personal data; in this case, healthcare information. Every HIPAA-compliant Privacy Policy should include the following clauses.

Introductory Clause

Explain what the document is i.e. a Policy disclosing how you process, use, and share health data, and what rights people have over this information.

Here's an example from Fit to Smile. It's short but it explains exactly what the document is and why patients should read it. It's also in bold lettering so it stands out, which is good practice when you're drafting an introductory clause like this:

Fit to Smile Dental Privacy Notice: Introduction statement

Individual Rights

As mentioned, HIPAA empowers people to safeguard their personal data and control who can access their healthcare information. In your Privacy Policy, you must clearly set out these rights and how people can exercise them.

There's no set format for how to structure such a clause in your Privacy Policy. However, it's helpful to look at some examples.

South End Eye sets out patient rights using bullet points, which makes the clause very readable and easier to understand:

South End Eye Privacy Policy: Your Health Information Rights clause

And Fit to Smile sets out longer, more detailed explanations in clearly separated paragraphs for readability:

Fit to Smile Dental Privacy Notice: Your Rights with Respect to Your Health Information clause excerpt

Ensure you draft your Privacy Policy in a clear, accessible, and user-friendly way so the average reader can quickly understand how these rights affect them.

Use of Patient Data

Explain how you use the health data you collect.

The Boston Medical Center's Privacy Policy includes a link to its Patient Privacy Practice, which clearly describes why the Center needs the data and how it's used:

Boston Medical Center Health System: Our Uses and Disclosures of information section

Although there's no need to include a separate document like this, you should aim to include similar definitions in your HIPAA Privacy Policy.

Patient Data Disclosure

You should describe who you share patient data with, and when patients can restrict data sharing.

Dentistry of Colorado, for example, specifies that it might use patient data in health marketing, but it won't do so without express permission:

Dentistry of Colorado Privacy Policy: Special Uses and Marketing Health-Related Services clauses

South End Eye clearly sets out different uses for patient health data. The explanations clearly identify who else might receive health data, and why:

South End Eye Privacy Policy: Disclosure of Your Health Care Information clause

Patients have the right to know who you share data with and why, so make sure you cover as many disclosure situations as possible in your Policy.

Special Situations

In certain situations, you can release health data without a patient's permission, e.g. to comply with a legal obligation. Since patients may not be aware of these exceptions, you should refer to them clearly in your Privacy Policy.

Dentistry of Colorado has a detailed clause explaining when it might share data in the public benefit or if required by law:

Dentistry of Colorado Privacy Policy: Public Benefit clause

Contact Details

It's important that patients or users know how to contact you with any queries or questions regarding your Privacy Policy.

Dentistry of Colorado includes contact details at the end of its Privacy Policy:

Dentistry of Colorado Privacy Policy: Contact clause

Fit to Smile places its contact details at the start of its Privacy Policy:

Fit to Smile Dental Privacy Notice: Contact clause

It doesn't matter where you place the details, so long as they're included.

Patient and User Complaints

If someone believes a company violated their HIPAA rights, they're entitled to make a complaint. So, your Privacy Policy should include a clause explaining how patients can complain.

Here's an example of a comprehensive clause from Dentistry of Colorado:

Dentistry of Colorado Privacy Policy: Questions and Complaints clause

South End Eye has a more succinct clause but it's still obvious that people have the right to complain, and there are clear guidelines for doing so:

South End Eye Privacy Policy: Complaints clause

HIPAA Compliance Program

To design and implement a HIPAA compliance program or plan, you must consider the following points.

Disclosure Mitigation

Under the "minimum necessary" principle, you should only disclose the minimum amount of data necessary to achieve the intended purpose.

  • Develop a policy to limit the sharing and use of health data.
  • Limit staff access to health data. Employees should only be able to access what's necessary to perform their duties.
  • If patients give consent to using their data for marketing purposes, keep clear records of all written consent forms.

Data Security

You must ensure all health data is secure. The challenges you face vary depending on the nature of your business e.g. a health app provider faces different challenges than, say, a family physician with a local office.

However, always consider the following:

  • Appoint a member of staff to oversee HIPAA compliance
  • Introduce sufficient cybersecurity safeguards e.g. firewalls, private networks, software
  • Protect offices and data storage locations with e.g. CCTV and secure locks
  • Develop a strategy for spotting, remedying, and reporting HIPAA violations

Employee Training

Train all personnel with access to health data and ensure they understand HIPAA. Enforce good security practices such as:

  • Encrypting data
  • Changing passwords frequently
  • Using multi-factor authentication, e.g. fingerprint ID on mobile devices that contain business data
  • Spotting phishing scams or malicious links
  • Using secure networks to access data

Risk Assessments

Decide how you'll perform risk assessments and how often you'll audit your infrastructure. How you do this will vary depending on, for example, how much data you process and how sensitive the data is.

Make sure you record all risk assessments and address any problems you identify.

You may require external help from a managed services provider to ensure your systems and processes are HIPAA-compliant.

Remember: To achieve HIPAA compliance, you must prioritize patient rights and take all reasonable steps to secure their health data. So, however you design your compliance program, don't forget these overarching goals.

Penalties for Failing to Comply With HIPAA

If you fail to comply with HIPAA, the OCR (the Office for Civil Rights of the U.S. Department of Health and Human Services) can compel you to:

  • Pay a fine
  • Implement a "Corrective Action Plan"

It's not strictly one or the other. You could, for example, be asked to pay a fine and also implement a strategy for ensuring the breach doesn't happen again.

If you're ordered to pay a fine, the amount depends on the severity of the offense and your degree of culpability.

For example:

  • Accidental violation: Minimum penalty of $120 per violation
  • Negligent act corrected within 30 days: Minimum $12,045 fine per violation
  • Negligent act and failure to correct: $60,226 minimum penalty per violation

Within those parameters, the amounts payable can vary significantly.

To be clear, HIPAA violations can also constitute a criminal offense. Criminal charges may apply if you're a "covered entity" such as:

  • Provider supplying health plans
  • Any health care provider who submits or transmits claims in electronic formats
  • A Medicare prescription drug card sponsor i.e., you provide drug coverage to those who submit successful Medicare claims

However, even if you're not subject to criminal penalties, be aware that civil HIPAA violations can still be costly.


HIPAA ensures that all businesses that handle healthcare information understand their responsibilities. The Act also empowers individuals to take control of their healthcare data and decide how it's shared.

You must normally comply with the Act if you handle electronic healthcare information of any kind. Failing to comply with HIPAA attracts, in some cases, steep financial penalties, so you must understand how the Act applies to your business.

To comply with HIPAA, you must do the following:

  • Understand how the Title II Privacy Rule affects you
  • Set out a HIPAA compliance program for your business
  • Provide a HIPAA-compliant Privacy Policy for users and/or patients on your website
  • Safeguard any health data in your care e.g. by using appropriate cybersecurity measures

Under HIPAA, people have the right to:

  • Access their healthcare data
  • Amend any data which is factually incorrect
  • Ask for copies of their healthcare data
  • Know who their data is shared with
  • Reject the sale of their healthcare information for any commercial purpose

As a business owner processing healthcare data, you should ensure your users and/or patients understand these rights. If you're concerned about HIPAA compliance, always seek legal counsel before capturing, processing, or sharing any healthcare information.