Is HIPAA a Federal Law?


The Health Insurance Portability and Accountability Act was passed by Congress in 1996. It is a Federal Law, meaning that it applies to all States. The fact that it is a Federal Law ensures that a minimum standard of privacy and security is applied to all patient data across the country, and there is not a mosaic of protections that leave some patients vulnerable to data theft or abuse.  

One of the primary motivations for creating an act like HIPAA was not actually related to patient privacy. Rather, one of the original aims was to simplify the complicated insurance landscape that existed in the United States. Before HIPAA, it was very difficult for employees to transfer benefits between employer-provided health plans, creating a “job lock” where employees were unable to move jobs without losing these benefits. 

Additionally, before HIPAA, it was very difficult for individuals with certain pre-existing conditions to get health coverage. HIPAA removed many of these barriers, though only after previously proposed pieces of legislation had failed to pass Congress. This was largely because they did not account for the costs associated with these reforms.

However, since these reforms took place, HIPAA has become most closely associated with patient privacy. There are several “Rules” of HIPAA, such as the HIPAA Security Rule and the HIPAA Privacy Rule, which stipulate how patients' protected health information (PHI) must be safeguarded.

HIPAA enforcement is overseen by the Office for Civil Rights within the Department of Health and Human Services, a Federal body. However, State Attorneys General can also enforce HIPAA. In some cases, where HIPAA violations were the result of criminal activity, the Department of Justice is involved.

However, HIPAA is not the only legislation that relates to healthcare data in the United States. As was alluded to earlier, there are many State-level laws that govern how health data can be collected, used, and handled within the State. These laws are often more stringent than HIPAA, and take precedence over the Act. The Texas Medical Records Privacy Act is one such piece of legislation. A State law may take precedence over HIPAA if one of the following conditions is met:

  • The State law provides greater privacy protections or privacy rights,
  • The State law relates to the reporting of public health issues, or
  • The State Law stipulates certain health plan reporting.