HIPAA Compliance

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA is one of the most significant pieces of Federal legislation affecting the health care industry since the creation of the Medicare and Medicaid programs in 1965. Under Title II of HIPAA, Congress enacted the Administrative Simplification provisions, which protect the privacy and security of protected health information (PHI) and promote efficiency in the health care industry through the use of standardized electronic transactions. PHI is any "individually identifiable" health information held in an electronic or paper medical record, and it includes a patient's mental or physical health condition as well as the patient's billing and demographic information. PHI is also protected when it is communicated by word of mouth. The main purpose of these rules is to protect the confidentiality, integrity, and availability of PHI in any form: written, verbal, or electronic.

With the exception of certain types of information, we may use and disclose PHI for treatment, payment, and health care operations if we have provided the patient with a Notice of Privacy Practices and the patient has acknowledged receipt of it. A separate authorization form is not required every time PHI is used or disclosed for these purposes.

We may disclose PHI without authorization to further certain public policy objectives, including: where disclosure is required by law; for judicial or administrative proceedings; for public health activities; for health oversight activities; to report incidents of abuse, neglect, or domestic violence; for law enforcement purposes; to avert a serious threat to health or safety; for national security and intelligence activities and protective services; for certain military and veterans activities and benefits; for the health, safety, and security of prison inmates or other detainees; to facilitate organ, eye, or tissue donation; and to coroners, medical examiners, and funeral directors.

As a general rule (the "minimum necessary" standard), we must take reasonable steps to limit the PHI that we use, disclose, or request from others to the minimum amount necessary to accomplish the purpose of the use, disclosure, or request. This standard does not apply when disclosing or requesting PHI for treatment purposes, when disclosing PHI to the patient, or when using or disclosing PHI in a manner required by law.

There is a broad range of both criminal and civil penalties for violations of HIPAA, depending on the circumstances, the cause, the number of patients affected, and other factors. Corporations and/or individuals may be responsible for paying fines. The civil penalty tiers are summarized below.

Civil penalty tiers (per violation, with a cap per calendar year for identical violations):

  Level of culpability                                        Per violation   Annual cap
  Person did not know about the violation                     $100            $25,000
  Violation due to reasonable cause and not willful neglect   $1,000          $100,000
  Violation due to willful neglect that is corrected          $10,000         $250,000
  Violation due to willful neglect that is NOT corrected      $50,000         $1.5 million

The amounts shown are the base statutory tiers; HHS adjusts them for inflation, so the current figures should be confirmed with the Office for Civil Rights before relying on them.


For more information about HIPAA, please visit the U.S. Department of Health and Human Services Office for Civil Rights (OCR) website.