Module 1 of 5
HIPAA Privacy Basics

HIPAA Foundations

The history, structure, and core components of the Health Insurance Portability and Accountability Act — what it is, why it exists, and who it covers.


Module Overview

What You'll Learn

Lessons 1–2

  • HIPAA origins & legislative history
  • Portability vs. accountability goals
  • Major rules: Privacy, Security, Breach
  • HITECH (2009) & Omnibus (2013)

Lessons 3–4

  • Covered entities: the three categories
  • Business associates & BAA requirements
  • Key terminology: PHI, TPO, NPP, OCR
  • HHS Office for Civil Rights enforcement

Legislative History

Why HIPAA Was Enacted

The Problem (1990s)

Workers who changed jobs could lose health insurance due to pre-existing condition exclusions. No federal standard governed how health data was handled or shared.

The Solution

The Kennedy-Kassebaum Act (Senators Edward Kennedy & Nancy Kassebaum) was signed by President Clinton on August 21, 1996 as Public Law 104-191.

42 U.S.C. § 1320d et seq. | Pub. L. 104-191

Core Purpose

Two Goals, One Law

Portability

Protect workers' ability to maintain health insurance coverage when changing or losing jobs. Limit exclusions for pre-existing conditions.

Accountability

Establish national standards to protect individuals' medical records and personal health information from unauthorized use or disclosure.

Congress gave HHS authority to develop detailed regulations — the Rules that follow.

Key Milestones

HIPAA's Regulatory Timeline

1996
HIPAA enacted. Kennedy-Kassebaum Act signed. Congress gave itself three years to pass privacy legislation (§ 264); when it did not, HHS was directed to issue privacy regulations instead.
2003
Privacy Rule compliance deadline. Governs use and disclosure of Protected Health Information (PHI).
2005
Security Rule compliance deadline. Establishes safeguards for electronic PHI (ePHI).
2009
HITECH Act (Health Information Technology for Economic and Clinical Health). Strengthened HIPAA, introduced Breach Notification Rule, increased penalties.
2013
Omnibus Rule. Extended HIPAA obligations directly to Business Associates. Enhanced penalties. Strengthened patient rights.

Core Framework

The Three HIPAA Rules

Privacy Rule

45 CFR Parts 160 & 164 Subparts A & E. Governs all forms of PHI — paper, oral, electronic. Sets patient rights and limits on use/disclosure.

Security Rule

45 CFR Parts 160 & 164 Subparts A & C. Covers electronic PHI only. Requires administrative, physical, and technical safeguards.

Breach Notification Rule

45 CFR §§ 164.400–414 (Part 164 Subpart D). Added by HITECH 2009. When unsecured PHI (PHI not rendered unusable by encryption or destruction per HHS guidance) is breached, requires notification to affected individuals without unreasonable delay and no later than 60 days after discovery; to HHS within 60 days for breaches affecting 500 or more individuals, or in an annual log for smaller breaches; and to prominent media outlets when more than 500 residents of a state or jurisdiction are affected.

Who Must Comply

Covered Entities: Three Categories

Health Plans

Insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, CHIP. Pays for health care.

Health Care Clearinghouses

Entities that process nonstandard health data into standard formats (or vice versa). Billing services, repricing companies.

Health Care Providers

Doctors, hospitals, clinics, nursing homes, pharmacies, labs — any provider that transmits health information electronically in connection with a covered transaction.

45 CFR § 160.102 | 45 CFR § 160.103 (definitions)

Extended Accountability

Business Associates & BAAs

Who Is a Business Associate?

Any person or entity, other than a member of the covered entity's workforce, that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or provides services to it that involve access to PHI. Examples: cloud vendors, billing companies, law firms, IT support, transcription services. Since the 2013 Omnibus Rule, a BA's subcontractors that handle PHI are themselves business associates, and BAA obligations must flow down to them.

Business Associate Agreement (BAA)

A required written contract that establishes permitted uses of PHI, requires appropriate safeguards, and obligates the BA to report breaches. No BAA = HIPAA violation.

The 2013 Omnibus Rule made BAs directly liable under HIPAA — not just contractually liable through covered entities.

45 CFR § 164.308(b) | 45 CFR § 164.504(e)

Vocabulary

Essential HIPAA Terms

PHI — Protected Health Information

Any individually identifiable health information held or transmitted by a covered entity or BA in any form (oral, written, electronic).

TPO — Treatment, Payment & Operations

The three primary permitted purposes for using PHI without individual authorization. Most routine healthcare activity falls here.

NPP — Notice of Privacy Practices

A document covered entities must provide to patients explaining how PHI is used and their rights (45 CFR § 164.520). Providers with a direct treatment relationship must give it no later than the first service delivery and make a good-faith effort to obtain written acknowledgment; it must also be posted at the service site and on any customer-facing website. Health plans provide it at enrollment.

OCR — Office for Civil Rights

The HHS division responsible for enforcing HIPAA. Investigates complaints, conducts audits, and issues civil monetary penalties.

Strengthening HIPAA

HITECH (2009) & Omnibus (2013)

HITECH Act Highlights

  • Enacted as part of the American Recovery and Reinvestment Act
  • Created the Breach Notification Rule
  • Dramatically increased civil penalties (4-tier structure keyed to culpability, from "did not know" up to willful neglect that is not corrected)
  • Required HHS to conduct periodic audits
  • Authorized state attorneys general to bring HIPAA suits

Omnibus Rule Highlights

  • Made business associates directly liable under HIPAA
  • Strengthened restrictions on marketing uses of PHI
  • Expanded patient rights (access, restrictions)
  • Updated genetic information protections (GINA)
  • Relaxed research authorization rules (compound authorizations and authorizations covering future research)

Pub. L. 111-5 (HITECH) | 78 Fed. Reg. 5566 (Jan. 25, 2013) (Omnibus)

Enforcement

HHS Office for Civil Rights

$100M+

collected in HIPAA settlements and civil money penalties since 2003; OCR publishes the running total and every resolution agreement at hhs.gov/hipaa

How OCR Enforces

  • Investigates written complaints
  • Conducts compliance reviews
  • Performs periodic audits
  • Issues corrective action plans
  • Imposes civil monetary penalties

OCR Priorities

  • Ransomware & hacking incidents
  • Impermissible disclosures
  • Missing or inadequate risk analysis (45 CFR § 164.308(a)(1)(ii)(A), the most frequently cited Security Rule failure in OCR settlements)
  • Lack of encryption safeguards
  • Missing or deficient BAAs
  • Failure to provide patient access

HHS OCR: hhs.gov/hipaa | 45 CFR Part 160 Subpart D (Enforcement)

Module 1 Complete

What You've Covered