USA – Scope of HIPAA

November 24, 2014 – Articles – Data Guidance: Global Guidance in One
The recent media swarm concerning Ebola patients raises questions as to if and when HIPAA, short for the Health Insurance Portability and Accountability Act of 1996, protects patients’ health information. This concern is heightened by the newly adopted HIPAA regulations, which entail more detailed obligations for compliance.

Even a minor HIPAA indiscretion can result in considerable legal, financial and reputational repercussions. Therefore, understanding HIPAA requirements is crucial for businesses and individuals handling health information.

Does HIPAA Apply?

HIPAA does not protect all information, not even all health information. Specific regulations define which types of health information qualify for HIPAA protection, so understanding the components of these regulations is essential to discerning whether HIPAA applies in the first place.

For example, protected health information (PHI) is defined as ‘individually identifiable health information’ that is transmitted or maintained in electronic media or in any other form or media, although the definition excludes certain information.

What Are the Permitted Uses and Disclosures of PHI?

Covered entities, business associates and subcontractors may only use or disclose PHI as permitted by the HIPAA regulations. The rights to use and disclose PHI are established in the contract that permitted access to the PHI in the first place. Additionally, a covered entity is required by HIPAA regulations to have a notice of privacy practices (NPP) and is only permitted to disclose PHI in a manner consistent with its NPP.

What Are the Consequences of Non-Compliance?

An acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA regulations protecting the privacy of PHI is considered a breach of HIPAA. This breach will trigger a variety of notification and reporting requirements that may lead to government actions and penalties. However, such repercussions can be avoided if the covered entity, business associate or subcontractor proves that there is a low probability the PHI was compromised.


While HIPAA encompasses a vast scope of regulations and definitions, this article addresses a few common misconceptions. For a deeper understanding of the challenges and complex issues concerning businesses affected by HIPAA, professional assistance should be sought, even if matters seem relatively simple at first glance.