What is HIPAA?

The Health Insurance Portability & Accountability Act of 1996 (HIPAA), a Public Law, was passed by Congress:

  • To improve portability and continuity of health insurance coverage in the group and individual markets
  • To combat waste, fraud, and abuse in health insurance and health care delivery
  • To reduce costs and the administrative burdens of health care by improving efficiency and effectiveness of the health care system by standardizing the interchange of electronic data for specified administrative and financial transactions
  • To protect the privacy of Americans’ personal health records by safeguarding the security and confidentiality of health care information

HIPAA Background

Administrative Simplification is a method of making business practices (billing, claims, computer systems and communication) uniform so that providers and payers do not have to change the way they interact with each other to accommodate each other's proprietary systems. The changes affect such activities as:

  • Enrolling an individual in a health plan
  • Paying health insurance premiums
  • Checking eligibility
  • Obtaining authorization to refer a patient to a specialist
  • Processing claims
  • Notifying a provider about the payment of a claim

Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH) as part of the American Recovery and Reinvestment Act of 2009. HITECH makes several significant modifications to HIPAA. These changes include:

  • Creating incentives for developing a meaningful use of electronic health records
  • Changing the liability and responsibilities of Business Associates
  • Redefining what a breach is
  • Creating stricter notification standards
  • Tightening enforcement
  • Raising the penalties for a violation
  • Creating new code and transaction sets

Electronic Health Records and “meaningful use”:

HITECH has created monetary incentives for the meaningful use of Electronic Health Records. This nationwide initiative is meant to move the entire health care industry to electronic systems that provide better quality of care while controlling costs.

On May 19, 2009, Governor O’Malley signed House Bill 706, Electronic Health Records - Regulation and Reimbursement, which emphasized the importance of implementing electronic health records. Maryland is currently working to ensure that all health care facilities make a timely and successful transition to electronic health records.

To date, the Department of Health and Mental Hygiene has received over $9,000,000 from the Federal Government to stimulate the health information exchange initiative.

Business Associates:

The Department of Health and Mental Hygiene works hard to ensure that the privacy of every individual is maintained, whether by our entity or by one of our business associates. Business associates are an important part of the health care industry, providing services to companies so that those companies can best serve their clients.

Prior to HITECH, business associates were only responsible for protecting individual health information if the Covered Entity they were serving required them to do so in a contract.

HITECH, which went into effect on February 17, 2010, created new liability for business associates. Now, anyone who is determined to be a business associate of DHMH is required to take the same steps to ensure patients’ privacy that covered entities must take. They must:

  • Create policies and procedures to safeguard protected health information;
  • Appoint a security officer; and
  • Follow the administrative guidelines of HIPAA.

HITECH has changed the definition of what constitutes a privacy breach under HIPAA. A breach is: “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

DHMH is committed to ensuring the privacy of every individual. We have implemented policies and procedures to protect every person’s health information. If you think that a DHMH facility has violated your privacy, please call or write the Privacy Officer:

Lauren Boyce, Esq.
Privacy Officer
MDH - Office of the Inspector General
201 W. Preston St., Floor 5
Baltimore, MD 21201
(410) 767-5411

HITECH has also changed the notification requirements for covered entities and business associates. A covered entity has no more than 60 days* to notify an individual that his/her protected health information has been breached. There are rules in place identifying when an individual is to be notified, and the method that needs to be used. For additional information please see the Interim Final Rule for Breach Notification: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

* There are certain exceptions to the 60 day rule, which are listed in the Interim Final Rule.


In an effort to better protect patient privacy, HITECH has increased the enforcement of HIPAA. HITECH created mandatory audit requirements for HHS, and it gives the State Attorney General the right to enforce privacy as well. In passing HITECH, the federal government is emphasizing that it considers protecting individuals’ privacy paramount, and that all reasonable steps should be taken to ensure that it is happening.

For additional information on the increased enforcement of HIPAA, please see the Interim Final Rule for Enforcement:  http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf

Along with increasing the enforcement requirements, HITECH has raised the penalties for privacy violations. Below is a chart of the different levels of a privacy violation, and the potential fine a covered entity could face for that violation, before and after HITECH.

Kind of Breach                            Penalty under HIPAA (before HITECH)    Penalty under HITECH
Reasonable Cause (not willful neglect)*   $100 a violation; Max: $25,000         $1,000 a violation; Max: $100,000
Willful Neglect - corrected               $100 a violation; Max: $25,000         $10,000 a violation; Max: $250,000
Willful Neglect - not corrected           $100 a violation; Max: $25,000         $50,000 a violation; Max: $1,500,000

Under HIPAA, the highest penalty that a covered entity faced was $25,000. HITECH increases the maximum penalty to $1.5 million.

New transaction and code sets:

There have been new modifications to the transaction and code sets. These code sets will be implemented within the next few years, and will further ease the communication and billing of health facilities. Specifically, HIPAA 5010 is modifying the HIPAA 4010 transactions, and ICD-10 is modifying ICD-9 diagnosis’