The HIPAA law we are familiar with today evolved from proposals to reform the way in which the health insurance industry worked. Following on from Acts such as the Employee Retirement Income Security Act (ERISA) in 1974 and the Consolidated Omnibus Reconciliation Act of 1985 (COBRA), the proposals were intended to increase the transferability of health insurance between employers and prevent employees with pre-existing conditions being disqualified from health insurance benefits.

As the Senate's proposed Health Insurance Reform Bill progressed through Congress, extra titles were added to promote the use of medical savings accounts and simplify the administration of health insurance. Legislation was also absorbed into the Bill to combat waste, fraud and abuse in health insurance and healthcare delivery, and it was the “Administrative Simplification Provisions” within this legislation that many people consider to be the cornerstone of HIPAA law.

How the Administrative Simplification Provisions Evolved into HIPAA Law

The Administrative Simplification Provisions required the Department of Health & Human Services (HHS) to develop standards governing the permissible uses and disclosures of individually identifiable health information. The publication of the “Standards” (also known as the HIPAA Privacy Rule) was delayed until 2000 while HHS waited to see if Congress enacted separate privacy legislation and while provisional standards were made available for public comment.

The HIPAA Privacy Rule was the first of a trio of Rules that evolved from the Administrative Simplification Provisions. In 2003, HHS published the HIPAA Security Rule and – three years later – the HIPAA Enforcement Rule, which set the procedures for investigating reported breaches of Protected Health Information (PHI) and the penalties for violating HIPAA law. The penalties for violating HIPAA law have since been updated and are adjusted annually to account for inflation.

Who Do the Rules Apply To?

At the time the Privacy, Security, and Enforcement Rules were published, HIPAA law applied to health plans, healthcare clearing houses, and most healthcare providers that transmitted information in electronic form in connection with a transaction covered by the “Transactions and Code Sets Standard”. Exceptions existed for some healthcare providers, while others (for example, educational facilities that provide medical services to the public) are considered “partial entities”.

HIPAA law was also supposed to apply to Business Associates at the time via Business Associate Agreements between Covered Entities and Business Associates. However, HHS had no jurisdiction over Business Associates, and they were not held accountable for violations of HIPAA until the Final Omnibus Rule (see below). It is also important to note that HIPAA law is a “federal floor” for privacy and security standards and can be preempted by state laws with more stringent requirements.

HIPAA Law Evolves Further with HITECH and the Breach Notification Rule

The evolution of HIPAA law did not stop with the HIPAA Enforcement Rule. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed – an Act intended to make the healthcare system more efficient by encouraging the adoption and meaningful use of health information technology. The Act extended the requirements of HIPAA to include PHI used to carry out treatment when a healthcare provider uses an electronic health record.

HHS also used HITECH to introduce the HIPAA Breach Notification Rule, a Rule stipulating that unauthorized disclosures of PHI must be reported to HHS' Office for Civil Rights. Although the HHS reporting requirements vary depending on the number of records involved in a data breach, the Rule stipulates that breach notification letters have to be sent to the affected individuals, and that unauthorized disclosures involving more than 500 records must be reported to local media.

The Reach of HIPAA Law Extended by the Final Omnibus Rule

In 2013, the reach of HIPAA law was extended by the Final Omnibus Rule to make Business Associates accountable for violations of the Privacy, Security, and Breach Notification Rules. Following the publication of the Final Omnibus Rule, Business Associates and subcontractors to whom PHI is disclosed have the same responsibility to protect the confidentiality, integrity, and security of PHI as the Covered Entities from which it originated or for whom it is created.

A further significant change concerned how “significant harm” is defined. Prior to the Final Omnibus Rule, it was the responsibility of HHS to prove significant harm had occurred due to the unauthorized disclosure of PHI before it could commence enforcement action. Under a revised definition of the term, Covered Entities have to prove no significant harm has occurred to individuals whose PHI has been exposed if they fail to notify HHS' Office for Civil Rights of a data breach.

The Penalties for Violating HIPAA

Although civil money penalties for violating HIPAA were included in the 2006 Enforcement Rule, they were extremely modest and failed to act as an incentive for Covered Entities to comply with the Privacy and Security Rules. Consequently, a new penalty structure was introduced via the HITECH Act, and the amounts HHS' Office for Civil Rights could impose as civil money penalties were increased in the Final Omnibus Rule. Since 2013, the following four-tier structure applies:

Tier 1: A violation that a Covered Entity or Business Associate was unaware of and could not have realistically avoided even if a reasonable amount of care had been taken to abide by HIPAA law.

Tier 2: A violation that a Covered Entity or Business Associate should have been aware of but could not have avoided even with a reasonable amount of care to abide by HIPAA law.

Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA law in cases where the Covered Entity or Business Associate has made an attempt to correct the violation.

Tier 4: A violation of HIPAA law attributable to willful neglect, where no attempt has been made to correct the violation by a Covered Entity or Business Associate.

It is important for Covered Entities and Business Associates to be aware that HHS' Office for Civil Rights does not only investigate and penalize data breaches. Penalties for violating HIPAA can be imposed for any violation of the Privacy, Security, or Breach Notification Rules, and, as mentioned previously, the penalties are adjusted annually to account for inflation. The civil money penalties that apply in 2022 are as follows:

| Penalty Tier | Level of Culpability | Min. Penalty per Violation | Max. Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $127 | $63,973 | $1,919,173 |
| Tier 2 | Reasonable Cause | $1,280 | $63,973 | $1,919,173 |
| Tier 3 | Willful Neglect | $12,794 | $63,973 | $1,919,173 |
| Tier 4 | Willful Neglect not Corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |

In addition to the penalties for violating HIPAA law imposed by HHS' Office for Civil Rights, Covered Entities and Business Associates can face criminal charges from the Department of Justice, and further civil action from State Attorneys General. Even when no civil money penalties are imposed, the indirect costs of alternative penalties (i.e., technical assistance and corrective action plans) can still be significant due to changes in policies and retraining members of the workforce.

The Difficulty in Complying with HIPAA

The difficulty in complying with HIPAA law is partly caused by the Privacy and Security Rules being written in such a way as to cover the many different uses of PHI. Despite the guidance provided by HHS, questions are often asked about how the Rules should be interpreted. This is not made easier by the technology-neutral language of the Security Rule and the “required” and “addressable” implementation specifications of the administrative, technical, and physical safeguards.

Additionally, it has to be considered that the primary functions of Business Associates may not be healthcare-related. A Business Associate could be any service provider, from a lawyer to a software vendor, that does not usually deal with the use, storage, or disclosure of PHI, yet is required to comply in full with HIPAA law. It is recommended that Covered Entities and Business Associates unsure about their compliance obligations seek professional help from a HIPAA compliance service.

Training Members of the Workforce to Comply with HIPAA

One of the best ways to overcome the difficulty in complying with HIPAA is through training. Importantly, security and awareness training has to be provided to all members of the workforce regardless of their roles or interaction with PHI, while it is also important to note that “members of the workforce” not only includes paid employees, but also any volunteer, student, or other worker who is under the control of the Covered Entity or Business Associate.

It is not necessary to train every member of the workforce on every aspect of HIPAA compliance. The Privacy Rule stipulates training should be provided on the policies and procedures as they apply to individuals' roles. Nonetheless, it is recommended every member of the workforce has a basic understanding of HIPAA principles such as permissible disclosures and the minimum necessary standard to prevent inadvertent disclosures of PHI that could be considered a violation of HIPAA law.


Have any of the Rules that make up HIPAA law changed since they were first published?

Nearly all the Rules have been amended since they were first published. Sometimes the changes are minor – such as when new exceptions to Privacy Rule compliance are announced – while others can be more substantial. The best example of a substantial Rule change is probably when new civil money penalties were introduced to the HIPAA Enforcement Rule in 2013.

Are any of the Rules likely to change again in the future?

The Rules are constantly changing to address changing technologies, changing working practices, and changing times. In 2021 for example, a “Safe Harbor Law” gave HHS discretion when applying penalties if the negligent party has implemented a recognized security framework and operated it for twelve months prior to a data breach or other security-related HIPAA violation.

What is a “federal floor” for privacy and security standards?

Because HIPAA is a federal law, it applies nationwide unless a state has regulations more stringent than those applied nationwide, in which case the state law preempts HIPAA. In most states, laws exist that preempt HIPAA's federal floor, but these might only apply to specific privacy or security standards. For example, many states have more stringent genetics regulations than HIPAA.

Why does HHS' Office for Civil Rights investigate violations that are not data breaches?

HHS' Office for Civil Rights is responsible for upholding all aspects of HIPAA law, not just violations of HIPAA that result in a data breach. Therefore, if, for example, a patient is denied their right to access their medical records or transfer them to another provider, HHS' Office for Civil Rights will investigate the patient's complaint and take appropriate action when necessary.

What is the difference between required and addressable implementation specifications?

When an implementation specification is required, it is mandatory and there is no option but to implement it. When an implementation specification is addressable, it must be implemented unless an existing or alternate solution is at least as effective, or there is a justifiable reason the implementation specification is not reasonable or appropriate.

Why provide security and awareness training to workforce members with no access to PHI?

Cybercriminals look for any way to infiltrate healthcare networks, and even though a workforce member may have no access to PHI, they may have credentials that will enable a cybercriminal to move laterally through the network to access PHI. Therefore, every workforce member needs to be trained on security threats and made aware of the tricks used by cybercriminals.