
Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to help employees with pre-existing conditions keep their conditions covered when they changed employers (portability) and required companies to further safeguard patient privacy and security of medical records (accountability).

Under the portability portion of the act, HIPAA limits new employer plans from excluding pre-existing conditions. It protects employees and their dependent family members from discrimination based on previous health insurance claims and genetic information. It also gives employees additional opportunities to enroll in their employer’s health care plan, such as in the event of a spouse losing additional coverage or a child’s birth.

To fall under the HIPAA guidelines for pre-existing conditions, employees cannot go over 63 days without health care coverage between jobs. For example, if an employee had continuous coverage with their last employer, but their new employer requires a 90-day period before they can enroll in its health care plan, the employee could have no coverage of any pre-existing conditions.
To eliminate this possibility, employees can choose to pay for their former employer’s insurance through the Consolidated Omnibus Budget Reconciliation Act (COBRA). COBRA requires employers to offer coverage to their former employees for a year after termination. The employee can also purchase a short-term, individual health care plan.

Before HIPAA, employer insurance plans could deny coverage of conditions that arose before an employee enrolled in the plan. In addition, insurance providers can only exclude a pre-existing condition that occurred over the previous six months. Before, a condition that an employee had not suffered for years could be considered a pre-existing condition and not be covered.

The other part of HIPAA, related to accountability, created federal privacy standards for patients’ medical records and other health-related information provided to insurance companies, physicians, hospitals and other health care providers. It also gives patients the right to review their medical records. This portion of the act went into effect in 2003.
Now, all medical records and any health information that could identify an individual must be protected. All health care plans and health care providers are required to provide a notice to patients about how they may use their medical information, and the patient is required to sign it. Personal information cannot be released to a life insurance company or any other business without the patient’s authorization.

Patients can request that insurance companies, hospitals and health care workers take steps to make sure any communication with a patient is confidential. A patient can ask, for example, that a doctor’s office only call their cell phone, and the doctor’s office must comply. Health care providers routinely ask patients to complete paperwork identifying which friends or family members the patient wishes to know about their medical condition. Since the act, it is common in pharmacies or doctor’s offices to have barriers in place so that no one is standing directly behind a patient conferring with a pharmacist or a receptionist.

Under HIPAA, consumers can file complaints if they feel their privacy has been breached by the practices of a health care plan or provider. These complaints are made to the Department of Health and Human Services’ Office for Civil Rights (OCR). OCR is required to investigate complaints and enforce privacy regulations.
Providers and institutions that are found to be misusing personal health information can face both criminal and civil penalties. OCR can fine up to $100 per violation, up to $25,000 a year. Anyone who knowingly obtains protected health care information under false pretenses can receive penalties up to $100,000 and a five-year prison sentence. If a person obtains medical records to use information for commercial reasons, personal gain or to maliciously harm, they can receive up to a $250,000 fine and 10 years in prison.

Health care providers had several years to implement HIPAA privacy practices. Implementation required many businesses to upgrade or modify their computer databases. Employees had to be trained to comply with the new law. All health care providers, hospitals and insurance providers are required to comply with HIPAA regulations, unless their state has stricter laws.

Before filing a patient privacy complaint, patients might consider answering these four questions to see if they have a valid complaint that OCR will investigate.

Cancer survivors in particular have concerns about their pre-existing condition coverage if they change employers. The American Cancer Society has information for patients regarding their rights under HIPAA.
Certain entities, like many employers and schools, are not required to follow HIPAA guidelines.
OCR keeps track of news that involves HIPAA patient information privacy.
Further information about keeping patient data secure is available from OCR.
The public can see a list of previous HIPAA enforcement results.