The Health Insurance Portability and Accountability Act of 1996 (HIPAA) consists of five Titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts, Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act), also known as the Kennedy-Kassebaum bill, was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009. Under the HITECH Act, the United States Department of Health and Human Services (HHS) is tasked with promoting the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Part of the Library of Congress, the Congressional Research Service (CRS) researches and prepares reports for Congress on a variety of topics. Typically, these reports are not made widely available to the public, but there are some exceptions. EveryCRSReport.com is a bipartisan coalition dedicated to making these reports to everyone online for free.
CRS has prepared multiple reports on the HIPAA including:
The Health Insurance Portability and Accountability Act (HIPAA) of 1996: Overview and Guidance on Frequently Asked Questions provides answers to common questions about HIPAA as well as an overview of the major provisions.
Introduced in the House as H.R. 3103 by Bill Archer (R-TX) on March 18, 1996
House Committee consideration by Ways and Means
Passed the House on March 28, 1996 (267–151)
Conference held on July 26, 1996 and Report filed on July 31, 1996.
Signed into law by President Bill Clinton on August 21, 1996
Became Public Law No: 104-191.
For a summary of the major Rules published by HHS, including an unofficial text presenting all the HIPAA regulatory standards in one text, see here.
For more information on the HIPAA Privacy Rule which establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections, see here.
Byrne v. Avery Center for Obstetrics and Gynecology, P.C, 102 A.3d 32 (Conn. 2014).
Connecticut Supreme Court. "[T]here is no private right of action, express or implied, under HIPAA." In addition, "HIPAA, and particularly its implementation through the Privacy Rule regulations, does not preempt causes of action, when they exist as a matter of state common or statutory law, arising from health care providers’ breaches of patient confidentiality in a variety of contexts; indeed, several have determined that HIPAA may inform the relevant standard of care in such actions…"
South Carolina Medical Association v. Thompson, 327 F.3d 346 (4th Cir. 2003).
Cert. denied by the Supreme Court. The district court dismissed the action and this appeal followed. Appellants argue that 1) HIPAA violates the non-delegation doctrine by authorizing HHS to promulgate the regulations at issue in the absence of an intelligible principle from Congress; 2) the Privacy Rule exceeds the scope of authority granted to HHS under HIPAA; and 3) HIPAA's non-preemption of "more stringent" state privacy laws is unconstitutionally vague, in violation of the Due Process Clause of the Fifth Amendment. The court concluded that HIPAA did not violate the non-delegation doctrine, that HHS's interpretation of the scope of the grant of authority given by Congress is not inconsistent with the language of the statute and is reasonably related to the larger purposes of HIPAA, and that because the regulations are sufficiently definite to give fair warning as to what will be considered a "more stringent" state privacy law, the judgment of the district court was affirmed.