HIPAA: Impacts and Actions by States 


12/30/2014; material added May 2018

The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, continues to have a broad impact on state health policy, as well as on virtually all health providers, insurers and health consumers. Listed below are brief updates and resources of potential interest to state legislatures.

  • HIPAA and Protecting Health Information in the 21st Century - In March 2018, the Trump administration announced a new initiative, MyHealthEData, to give patients greater access to their electronic health record and insurance claims information. The Centers for Medicare & Medicaid Services will connect Medicare beneficiaries with their claims data and increase pressure on health plans and health care organizations to use systems that allow patients to access and send their health information where they like. MyHealthEData is part of a broader movement to make greater use of patient data to improve care and health. - Article by JAMA, May 24, 2018

  • HIPAA at 20: A Bipartisan Achievement - Excerpt from release by the U.S. Department of Health and Human Services (HHS), Department of Labor and Department of Treasury - August 19, 2016.
    "On August 21, 1996, our nation committed to transforming health care coverage with the enactment of historic, bipartisan legislation called the Health Insurance Portability and Accountability Act of 1996, or HIPAA for short.

    Many are familiar with HIPAA as a medical privacy and security law.  But it is that and so much more.  A key component of HIPAA’s initial purpose was to allow people to transfer and continue health insurance after they change or lose a job.  This was first made possible in 1985 by passage of health insurance continuation provisions in the Consolidated Omnibus Budget Reconciliation Act (COBRA). HIPAA then built upon these gains, and most recently, the Affordable Care Act (ACA) amended and expanded many of the original HIPAA consumer protections. [Read the full statement]
  • The Affordable Care Act required HHS, in consultation with the Health Information Technology (HIT) Policy Committee and the HIT Standards Committee, to develop interoperable and secure standards and protocols that facilitate electronic enrollment of individuals in federal and state health and human services programs. To view the recommendations made by the Committees click here. A number of the recommendations address HIPAA related issues.
  • JULY 2018 INPUT from JAMA
  • HHS rule protects patient privacy, redefines health information distribution (2013-2016).

HHS seeks to modify stringent privacy rules on substance-abuse treatment records - Feb. 4, 2016.  HHS proposes to revise a stringent federal rule governing the privacy of medical records of drug, alcohol abuse and many behavioral health patients.  Read More

Privacy Rules Apply to ACA.  On January 17, 2013, the U.S. Health and Human Services' Office for Civil Rights released its final regulations expanding privacy rights for patients and others.  These new rules trigger major changes in the medical record privacy measures required of health providers by two federal laws, the Health Insurance Portability and Accountability Act (HIPAA, enacted in 1996) and the Health Information Technology for Economic and Clinical Health Act (HITECH, enacted in 2009).
    Although not written specifically for the ACA, these rules apply to virtually all people insured or treated, including those newly covered through exchanges, private employer coverage, and Medicaid expansions. "This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented," said HHS Office for Civil Rights Director Leon Rodriguez.  The rules expand privacy measures to apply to additional groups that have access to patient information "regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."
    The final regulations, published January 25, 2013, spell out the new HIPAA compliance obligations of business associates and — for the first time — directly regulate thousands of "subcontractors."  Among many things, the rule also prohibits health plans from using genetic information for underwriting (as called for under the Genetic Information Nondiscrimination Act, GINA, enacted in 2008) and adds new privacy restrictions on health-related businesses engaged in marketing and fundraising.  One of the highlights of the rulemaking is the creation of a clearer process to determine when patients must be notified of a "breach" of their medical record privacy.
The HHS issued a summary release which included this information:

The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius.  “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The changes in the final rulemaking provide the public with increased protection and control of personal health information.  The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.  The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
Individual rights are expanded in important ways.  Patients can ask for a copy of their electronic medical record in an electronic form.   When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.  The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual's health information without their permission.

"This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented," said HHS Office for Civil Rights Director Leon Rodriguez.   "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes.  The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

  • The final omnibus rule of 2013 may be viewed in the Federal Register by policymakers and the public, at OCR-PRIVACY-LIST
  • Infographic: HIPAA Privacy and Security Rules Cheat Sheet - This infographic [PDF download] looks at how data breaches occur, how to prevent a breach and the risks surrounding mobile devices. The infographic also provides a HIPAA checklist based on the Department of Health and Human Services' recently released guide to the Privacy and Security of Electronic Health Information. It is a commercial product aimed at providers, available at no charge from Healthcare Intelligence Network - August 2015

Federal Guidance: Court Rulings Extend HIPAA Provisions to All Married Couples

Excerpt reprinted from Report on Patient Privacy, October 2014

Since the U.S. Supreme Court ruled in June 2013 that the portion of the federal law defining “marriage” as a legal union between a man and a woman was unconstitutional, federal agencies have been reviewing their regulations to see which may need to be altered to grant certain rights to married gay couples.  In September 2014, the HHS Office for Civil Rights (OCR) issued guidance clarifying that, as a result of Windsor v. United States, the definition of “marriage,” “family” and “dependent” in the privacy rule was expanded to include same-sex couples who are legally married.

Given the 2013 ruling, these terms now "apply to all individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage," according to the OCR guidance, which was published on Sept. 17, 2014.  [Read full article]


HHS Electronic Health Record (EHR) Regulations

In 2010, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced final rules to help improve Americans’ health, increase safety and reduce health care costs through expanded use of electronic health records (EHR). “Health care is finally making the technology advances that other sectors of our economy began to undertake years ago,” Dr. Blumenthal said.  “These changes will be challenging for clinicians and hospitals, but the time has come to act.  Adoption and meaningful use of EHRs will help providers deliver better and more effective care, and the benefits for patients and providers alike will grow rapidly over time.”

  • Modifications to Meaningful Use for 2015 through 2017: Realigning the EHR Incentive Programs to support health information exchange and quality improvement.  On April 10, 2015, the Centers for Medicare & Medicaid Services issued a new proposed rule for the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs to align Stage 1 and Stage 2 objectives and measures with the long-term proposals for Stage 3, to build progress toward program milestones, to reduce complexity, and to simplify providers' reporting. These modifications would allow providers to focus more closely on the advanced use of certified EHR technology to support health information exchange and quality improvement.
    Better Care, Smarter Spending and Healthier People.  The proposed rule is just one part of a larger effort across HHS to deliver better care, spend health dollars more wisely, and have healthier people and communities by working in three core areas: improving the way providers are paid, improving the way care is delivered, and improving the way information is shared to support transparency for consumers, health care providers, and researchers and to strengthen decision-making.

NOTE: NCSL provides links to other Web sites from time to time for information purposes only. Providing these links does not necessarily indicate NCSL's support or endorsement of the site.

Health Information Technology (Includes archive materials)

  • An NCSL report describes and provides links to specific state legislation on HIT and public reporting: www.ncsl.org/programs/health/Transparency.htm. - Updated 2015.
  • HIPAA functions expanded by HITECH Act - Among other HIPAA changes made in the new law (all of which should be of concern to health care providers, health care payors and health care clearinghouses, the "covered entities" or CEs, and to their "business associates," the vendors who touch electronic protected health information or ePHI), there is a provision that permits state attorneys general to file HIPAA enforcement actions on behalf of the people of their state, in order to protect their interests, and to seek injunctive relief and/or money damages.  See Sec. 13410(e) of ARRA (p. 160 of HR 1 PDF).  A web blog posting titled "HIPAA enforcement by state attorneys general: The shape of things to come" provides details on a Connecticut case. 1/15/2010.

  • Profiles of Progress 4: State Health IT Initiatives - published by NASCIO, July 2010.

  • Office of the National Coordinator for Health Information Technology, US Department of Health and Human Services 

  • "50 Little Labs: States are functioning as proving grounds for healthcare information technology initiatives" - Healthcare Informatics, 10/08.

  • FTC Sets Rule Requiring Public Notification of PHR Breaches. In mid-August 2009,  the Federal Trade Commission issued a final rule requiring personal health record providers to alert consumers about data security breaches. The rule also requires organizations to notify the media if the security breach involves more than 500 people. FTC's regulations will apply to Google Health, Microsoft HealthVault and others. Government Health IT, Health Data Management. 8/20/09. 

  • "Profiles in Progress: State Health IT Initiatives," by the National Association of State CIOs, a compendium highlighting health IT initiatives in all 50 states and D.C.  Released 11/15/06 [54 pages, PDF]
  • HEALTH INFORMATION TECHNOLOGY:  Efforts Continue but Comprehensive Privacy Approach Needed for National Strategy- Report by the Government Accountability Office identifies challenges that the Department of Health and Human Services faces in trying to protect electronic patient data. However, HHS says that it already has adopted a privacy approach. 6/19/07. [23 pages, PDF] 

  • CMS Gears Up for South Carolina Test of Personal Health Records- The Centers for Medicare and Medicaid Services project will offer personal health records to 100,000 participants in South Carolina's Medicare fee-for-service program and will include a campaign to encourage use of the PHRs. The results of the South Carolina project will be compared with the results of earlier PHR initiatives. Government Health IT, 1/21/08.

  • HIPAA-covered entities such as providers completing electronic transactions, healthcare clearinghouses and large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions, effective May 23, 2007. All such organizations need to ensure they are prepared for the May 2007 NPI deadline.

  • 2006 Minnesota e-Health Initiative Progress Report to the Minnesota Legislature  [23 pages, PDF] and Minnesota e-Health Reports and Recommendations.

  • eHealth Initiative - an association with information on commercial and governmental projects. Updated regularly.

  • Report: Three-quarters of states are developing HIEs. Published on April 22, 2008 (c) Govt. Health IT: Three-quarters of states have begun developing some kind of health information exchange, according to a report released today by the State-Level HIE Consensus Project.  The project's director, Lynn Dierker of the American Health Information Management Association, told a Health and Human Services Department advisory panel that the need for health care reform generally falls behind the creation of state-level HIE organizations, along with the need to keep patients' data private and secure.  Some HIEs have advanced to the point where they are nearly ready to begin exchanging data, Dierker told the American Health Information Community. "We feel like we are labs" for the exchange of patients' health data, she said.
    The HIEs are public/private partnerships and seldom part of state governments, she said. They usually include stakeholders from many interest groups, and they serve the public interest, operate cost-effectively and protect the privacy of patients whose records move through the network.  Although governance responsibilities are the most common role of state-level HIEs, Dierker said, the organizations are often responsible for the technical operations, too. A new national organization called the State-Level HIE Leadership Forum is emerging to share insights and lessons learned, she said. It will hold its first meeting in May in Dallas.
    Also, state-level HIEs want to participate in AHIC's successor organization, which is being created as a public/private partnership outside HHS, Dierker said. Synergy is needed between national and state-level health information technology programs and other health reform initiatives such as quality-of-care measurement and pay-for-performance incentives.  Among other activities in the coming year, the project will decide whether it is desirable to accredit HIEs that meet certain criteria and how to sustain organizations after a start-up period. In addition, the relationship of state-level HIEs to the planned Nationwide Health Information Network remains undefined, the report states. Those who pay for health care should be more involved in HIE development, the report states. "At a national level, the roles for Medicaid and Medicare in helping to build and sustain HIE capacity must be clarified and strengthened," it states. "The active engagement of health plans in strategies to support state-level HIE remains an important priority."  The Office of the National Coordinator for Health IT supports the State-Level HIE Consensus Project.

  • Serious patient errors at California hospitals disclosed in state filings.  About 100 Californians a month are being harmed in adverse events considered preventable. A lawmaker proposes banning reimbursements to hospitals for some types of injuries.  Maine, Massachusetts, Pennsylvania and New York have restricted payments for avoidable medical errors. Hospital associations in Minnesota, Washington and Vermont have pledged never to bill patients for the costs of botched care, according to the National Conference of State Legislatures. LA Times, 6/30/08.

  • Physician Use of Electronic Prescribing and Barriers to Adoption 

    • Despite the benefits of electronic prescribing, adoption is still modest. Current surveys estimate that between 5% and 18% of physicians and other clinicians are using electronic prescribing.
    • Key barriers to clinician adoption include startup cost, lack of specific reimbursement, and fear of reduced efficiency in the practice.
    • The implementation of the prescribing system must fit into the business flow and enhance knowledge, rather than be viewed as “extra work.” Electronic prescriptions need to be seen, in many ways, as an extension of a written prescription, for adoption to occur. The benefits to all parties – pharmacist, clinician and patient – should be the ultimate goal in the adoption of electronic prescribing.
    Source: "Electronic Prescribing: Toward Maximum Value and Rapid Adoption. Recommendations for Optimal Design and Implementation to Improve Care, Increase Efficiency and Reduce Costs in Ambulatory Care," a report of the Electronic Prescribing Initiative, eHealth Initiative.

Medical Record Privacy

About 13 years ago, as of April 14, 2003, "health plans, hospitals, doctors and other health care providers around the country must comply with new federal privacy regulations," according to Secretary Tommy Thompson of the Department of Health and Human Services (HHS). Billions of dollars are being spent to bring public and private sector records into compliance. The following is the department's description, which stated in April 2003: "These new federal health privacy regulations set a national floor of privacy protections that will reassure patients that their medical records are kept confidential. The rules will help to ensure appropriate privacy safeguards are in place as we harness information technologies to improve the quality of care provided to patients. Consumers will benefit from these new limits on the way their personal medical records may be used or disclosed by those entrusted with this sensitive information.

The new protections give patients greater access to their own medical records and more control over how their personal information is used by their health plans and health care providers. Consumers will get a notice explaining how their health plans, doctors, pharmacies and other health care providers use, disclose and protect their personal information. In addition, consumers will have the ability to see and copy their health records and to request corrections of any errors included in their records. Consumers may file complaints about privacy issues with their health plans or providers or with our Office for Civil Rights."

Privacy Online Resources:

  • HIPAA Basics: Medical Privacy in the Electronic Age- Privacy Rights Clearinghouse, revised February 2013.
  • FAQ on medical privacy
  • State Laws on Access to Medical Records- Georgetown University Center on Medical Record Rights and Privacy.  Includes 50 state-specific reports. [link accessed 4/2013]  
  • Texas Aggressive New Patient Privacy Law Could Hit Covered Entities Nationwide.   A new Texas law governing the privacy and security of protected health information, perhaps the broadest and among the toughest of such laws in the nation, went into effect on Sept. 1. The Texas Medical Privacy Act, signed into law June 17, 2011, by Gov. Rick Perry (R), not only increases requirements beyond those in HIPAA for organizations that are already covered entities (CEs), but greatly expands the number and type of Texas-based CEs required to comply with the privacy standards in HIPAA and adds a bunch of its own requirements. It contains separate mandates for breach notification of electronic PHI and penalties for violations. Read Full Story  [excerpt from Report on Patient Privacy , 9/1/2012]

Archived Resources:

Electronic Transactions Requirements

Federal regulations required compliance with new HIPAA national standards for electronic health care transactions, code sets and national identifiers for providers, health plans, and employers, as of an October 2003 deadline.  The federal Administrative Simplification Compliance Act (ASCA) required all claims sent to the Medicare Program be submitted electronically starting October 2003.  (This is separate from medical privacy requirements, below.)

HIPAA Administrative Simplification

Overview of HIPAA Administrative Simplification Provisions - National Association of Social Workers' explanation of HIPAA Administrative Simplification, 12/02.

Medicaid HIPAA Administrative Simplification- CMS Web page contains material on the fields of information technology and data utilization as these relate to the effective and efficient administration of the Medicaid program.

HIPAA Wellness and Nondiscrimination


Wellness programs must be carefully reviewed to assure that they fit within a variety of legal boundaries. Most important for 2008 and beyond are the nondiscrimination rules under HIPAA. The Department of Labor (DOL) has issued helpful guidance in Field Assistance Bulletin 2008-02 (FAB 2008-02), including a useful checklist. This guidance can be reviewed by any policymaker or plan sponsor implementing a wellness program or considering one. ["CheckUp" by Sibson, 3/10/08]

Health promotion or disease prevention programs offered by a group health plan must comply with the Department of Labor's final wellness program regulations, published as 29 CFR 2590.702.  The final regulations include guidance on the implementation of wellness programs.

HIPAA’s nondiscrimination provisions generally prohibit a group health plan or group health insurance issuer from denying an individual eligibility for benefits based on a health factor and from charging an individual a higher premium than a similarly situated individual based on a health factor. Health factors include: health status, medical condition (including both physical and mental illnesses), claims experience, receipt of health care, medical history, genetic information, evidence of insurability (including conditions arising out of acts of domestic violence), and disability. An exception provides that plans may vary benefits (including cost-sharing mechanisms) and premiums or contributions based on whether an individual has met the standards of a wellness program that complies with paragraph (f) of the regulations. The regulations apply to group health plans and group health insurance issuers on the first day of the plan year beginning on or after July 1, 2007.

HIPAA Security Rules for 2005

In a separate process, HHS  issued a Final Security Rule requiring health plans, certain health care providers and health information clearinghouses to establish "adequate administrative, physical, and technical safeguards to prevent unauthorized access to electronic patient health information."  Most covered entities had until April 2005 to comply with the new security standards.

Additional Resources

NCSL is not responsible for the opinions and research data reported on third-party websites.

Health Privacy- Center for Democracy and Technology's Web page, which focuses on health privacy issues. The Center for Democracy and Technology works to keep the Internet open, innovative and free. 

HIPAA.org- Web page covering a number of HIPAA-related topics. 

Privacy and Security Solutions for Interoperable Health Information Exchange: Report on State Medical Record Access Laws. August 2009.


HIPAA at 20: A Bipartisan Achievement

"On August 21, 1996, our nation committed to transforming health care coverage with the enactment of historic, bipartisan legislation called the Health Insurance Portability and Accountability Act of 1996, or HIPAA for short.

Many are familiar with HIPAA as a medical privacy and security law.  But it is that and so much more.  A key component of HIPAA’s initial purpose was to allow people to transfer and continue health insurance after they change or lose a job.  This was first made possible in 1985 by passage of health insurance continuation provisions in the Consolidated Omnibus Budget Reconciliation Act (COBRA). HIPAA then built upon these gains, and most recently, the Affordable Care Act (ACA) amended and expanded many of the original HIPAA consumer protections.

Prior to the passage of HIPAA, many people were afraid to change jobs out of fear that a preexisting medical condition would prevent them from receiving health insurance coverage. HIPAA addressed this concern through its portability provisions, which lessened the possibility that an individual would lose health care coverage for a preexisting condition when changing to a new employer’s group health plan or when seeking coverage in the individual market.  HIPAA also required group health plans to provide special enrollment periods for employees and their dependents who experience a qualifying event such as loss of other group coverage, birth of a child, or marriage.

HIPAA prohibited group health plans from discriminating based on health status against an employee or a dependent in terms of eligibility or cost of coverage. The ACA expanded this provision to certain individual health insurance policies.  HIPAA also mandated that all individual and group health insurance coverage, including small employers with 2-50 employees, be guaranteed renewable at the option of the individual or employer. The ACA continued this protection for both large and small employers, and most significantly,  to individuals and families purchasing individual market health insurance policies. 

Twenty years ago, a considerable portion of every health care dollar was spent on administrative overhead in processes that involved numerous paper forms and telephone calls, non-standard electronic commerce, and many delays in communicating information among different locations. This situation created difficulties and costs for health care providers, health plans, and consumers.

Under HIPAA, standards were developed to improve the way health care data is exchanged electronically.  HIPAA simplified and encouraged the electronic transfer of information by requiring the HHS to adopt standards for certain electronic transactions, and now 93.8% of all health care claims transactions today are conducted in standard form.  The HIPAA standards have helped pave the way for the interoperability of health data to enhance the patient and provider experience. 

HIPAA also enhanced privacy and security protections for consumer health data by establishing requirements for most health care providers, health plans and other entities that process health insurance claims, and their business associates to safeguard information.  HIPAA’s Privacy Rule gives individuals important rights to their health information, and sets rules for how the information can be accessed, used and disclosed.  For example, the HIPAA Privacy Rule gives individuals the right to a copy of their health information in the form and format that they request – including an electronic copy. 

The HIPAA Security Rule requires health care organizations to safeguard the electronic health information they hold.  Among the rule’s requirements, organizations covered by HIPAA must engage in comprehensive risk analyses and risk management to ensure that health information is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce risks in all physical locations and on all portable devices to a reasonable and appropriate level. Finally, HIPAA was modified in important ways, including the requirements that breaches of unsecured health information are reported to affected individuals, the Department of Health and Human Services, and in some cases the media. This requirement helps individuals know if something has gone wrong with the protection of their information and helps keep organizations accountable for privacy and security.

We have come a long way in 20 years, but work is not yet done. Every day, we are seeing breakthroughs in mobile health, including many more consumer-facing health apps with the patient at the center of the conversation.  We are seeing improvements in health care delivery, with many solutions tied to improvements in health care-related systems. Health care innovation is increasingly not about individual solutions capturing data at the point of care, but rather how information can be applied and shared across systems for the good of the population as a whole. HIPAA has been a blueprint for health care reform, paving the way for the future by making health care delivery more efficient and expanding coverage to more Americans. Together, we celebrate 20 years of this historic legislation."

APPENDIX 2 -- Medical Records - General Information

Infographic: What Really Happens to Your Medical Records?  Gaps in medical records equal potential gaps in care; they can cause an increase in avoidable readmissions and healthcare costs. Fifty percent of medical data gets lost while being sent from primary care physicians (PCPs) to specialists, according to a new infographic from JAMA and Hello Doctor. This infographic includes statistics about false information on hospital discharge letters, missed medical data and opinions from specialists to PCPs, effects on quality of care and more. Posted 1/6/2014 (c).


Medical Records - infographic, JAMA, 02/14

https://www.scrypt.com/blog/cheat-sheet-to-the-hhs-privacy-and-security-rules/