HIPAA: Health Insurance Portability and Accountability Act
HIPAA is a federal law that every person working in healthcare must understand and follow. It was passed in 1996; the Privacy Rule (compliance required by 2003) and the Security Rule (compliance required by 2005) added the national standards for protecting patient health information. For a medical assistant, HIPAA governs nearly everything you do with patient data, from pulling a chart to answering a phone call to logging into an EHR.
What Is Protected Health Information (PHI)?
PHI is any individually identifiable health information that is created, received, or maintained by a covered entity. It includes information about a patient's past, present, or future physical or mental health condition, the provision of health care, or payment for health care — when that information can identify the patient.
The Privacy Rule's Safe Harbor de-identification standard lists 18 identifiers. Health information is only considered de-identified when all 18 have been removed for the patient and for the patient's relatives, employers, and household members:
- Name
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code); the first three digits of a ZIP code may be kept only when that three-digit area contains more than 20,000 people
- Dates (except year) directly related to an individual (birth date, admission date, discharge date, date of death) and any age over 89, which must be reported as "90 or older"
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers (including license plate numbers)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
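Several of the 18 identifiers have a recognisable shape (SSN, phone and fax numbers, email, IP address, URL, full dates, ZIP codes, ages over 89), which makes them a natural target for an automated scan before a note is exported or attached to an email. The scanner below is an added example written for this page, not code from the page's author or from any HIPAA tooling; the patterns, the `MRN` prefix convention, and the sample clinic note are all constructed for illustration. Names, street addresses, and the "any other unique code" category have no fixed shape and need a dictionary or EHR lookup, so the scanner deliberately leaves them alone and a practitioner should treat its output as a floor, not proof of de-identification.

```python
"""Safe Harbor-style PHI scanner for free text (added example, not from the page).

Detects the Safe Harbor identifiers that have a recognisable shape and
redacts them.  Names and street addresses are NOT detected: they need a
name dictionary or an EHR lookup, so a clean scan is not proof of
de-identification.
"""
import re
from dataclasses import dataclass

# Patterns in priority order; names are the Safe Harbor category detected.
# The MRN pattern assumes an "MRN 12345" convention (an assumption, not a
# HIPAA rule) and is listed before "zip" so the 5-digit number is reported
# as a medical record number rather than a ZIP code.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Greedy match, then back off so trailing sentence punctuation is excluded.
    "url": re.compile(r"\bhttps?://[^\s,;)]+(?<![.,;)])", re.IGNORECASE),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "age_over_89": re.compile(r"\b(?:aged?|y/?o)\s*:?\s*(?:9\d|1\d\d)\b", re.IGNORECASE),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


@dataclass(frozen=True)
class Finding:
    category: str
    start: int
    end: int
    text: str


def scan(text: str) -> list[Finding]:
    """Return non-overlapping findings ordered by position in the text.

    Where two patterns match the same span (e.g. a 5-digit number inside a
    URL), the earliest-starting, then longest, then highest-priority match
    wins, so each character is reported under one category only.
    """
    candidates = []
    for prio, (cat, rx) in enumerate(PATTERNS.items()):
        for m in rx.finditer(text):
            candidates.append((m.start(), -(m.end() - m.start()), prio, cat, m.group()))
    candidates.sort()
    kept, last_end = [], -1
    for start, neg_len, _, cat, matched in candidates:
        if start < last_end:
            continue  # overlaps a finding that was already kept
        kept.append(Finding(cat, start, start - neg_len, matched))
        last_end = start - neg_len
    return kept


def redact(text: str) -> str:
    """Replace each finding with a bracketed category tag, e.g. [SSN]."""
    out, pos = [], 0
    for f in scan(text):
        out.append(text[pos:f.start])
        out.append(f"[{f.category.upper()}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample note; every value is fictitious.
NOTE = (
    "Pt Jane Doe, DOB 03/15/1951, MRN 48213, aged 92, lives at 12 Elm St, "
    "Springfield 62704. Home (555) 867-5309, fax 555-867-0000, "
    "email jane.doe@example.org. Portal login from 203.0.113.7 via "
    "https://portal.example.org/results/48213. Seen 2024-03-15; SSN 123-45-6789."
)

if __name__ == "__main__":
    for f in scan(NOTE):
        print(f"{f.category:12} {f.text}")
    print(redact(NOTE))
```

Note that the name "Jane Doe" and the street address survive redaction: that is the limitation the comments describe, and it is why a pattern scan belongs in front of a human reviewer rather than in place of one.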
The Minimum Necessary Standard
When using or disclosing PHI, you must make reasonable efforts to share only the minimum amount of information necessary to accomplish the purpose. You do not send an entire medical record when a specialist only needs the operative report. You do not pull up a patient's full history when you only need to confirm a phone number. This principle applies to every use, disclosure, and request, with limited exceptions: disclosures to or requests by a provider for treatment, disclosures to the patient, uses or disclosures made under a patient's authorization, disclosures to HHS for compliance purposes, and disclosures required by law.
Notice of Privacy Practices (NPP)
Covered entities must provide patients with a Notice of Privacy Practices that explains how their PHI may be used and disclosed, and what their rights are under HIPAA. Patients must receive the NPP no later than the first date of service, and the practice must make a good-faith effort to obtain a written acknowledgment that it was received. A patient who refuses to sign still receives care; the practice documents the refusal instead.
Patient Rights Under HIPAA
Patients have specific rights regarding their health information:
- Right of access: Patients can inspect and receive copies of their records. The practice has 30 days to respond (one 30-day extension allowed). A reasonable fee for copying is permitted.
- Right to amend: Patients can request corrections to their records. The practice may deny the request if the record is accurate and complete, but must document the denial.
- Right to an accounting of disclosures: Patients can request a list of disclosures of their PHI made in the past 6 years, excluding disclosures for treatment, payment, and operations.
- Right to request restrictions: Patients can ask the practice to limit how their PHI is used or disclosed. The practice is not required to agree — except when a patient pays out of pocket in full and requests that a service not be disclosed to their health plan.
- Right to confidential communications: Patients can request that the practice communicate with them by specific means or at a specific location.
The Breach Notification Rule
If unsecured PHI (PHI that has not been encrypted or destroyed under HHS guidance) is accessed, acquired, used, or disclosed in a way the Privacy Rule does not permit, the event is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. The assessment weighs four factors: the nature and extent of the PHI, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated. Once a breach is established, covered entities must:
- Notify affected individuals without unreasonable delay and in no case later than 60 days after discovering the breach
- Notify the Secretary of Health and Human Services: within the same 60 days if 500 or more individuals are affected, otherwise in an annual log submitted within 60 days after the end of the calendar year
- If the breach affects more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that state or jurisdiction
Small breaches (fewer than 500 individuals) are logged and reported to HHS annually. Breaches of 500 or more individuals must be reported to HHS within the 60-day window and are posted on the HHS public breach portal.
Common HIPAA Violations in MA Practice
The violations a medical assistant is most likely to be disciplined or fined for are usually not dramatic hacking events; they are everyday careless behaviors:
- Leaving patient charts or EHR screens visible to other patients in the waiting room or hallway
- Discussing patient information in hallways, elevators, or waiting areas where others can hear
- Leaving workstations logged in and unattended
- Texting patient information from a personal phone or through an unencrypted messaging app rather than the practice's approved secure messaging system
- Faxing records to the wrong number
- Accessing a patient record out of personal curiosity (family member, coworker, celebrity)
- Posting about patients on social media, even without using their name, if they could be identified
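The curiosity access in the list above (a family member, a coworker, a celebrity) is the one violation in this list that leaves a clean audit trail, because every EHR records who opened which chart and when. The script below is an added detection example written for this page, not code from the page's author or from any EHR vendor; the log layout, the care-relationship table, the VIP list, and the business-hours window are all assumptions chosen for illustration. It flags chart views where the user had no scheduled care relationship with the patient that day, where the user and patient share a last name, where the patient is on a heightened-audit list, or where the access happened after hours. Each rule is deliberately weak on its own; the point is that the combination gives a compliance officer a short list to ask about rather than a raw log.

```python
"""Detect possible 'curiosity' EHR accesses from an audit log (added example).

Log format, field names, the care-relationship table, the VIP list and the
business-hours window are assumptions for illustration; a real EHR audit
export and scheduling feed will differ.  All data below is constructed.
"""
import csv
import io
from datetime import datetime

# Constructed audit log: who opened which chart, and when. Not real data.
AUDIT_LOG = """\
ts,user,user_last,patient_id,patient_last,action
2024-03-15T08:02:00,ma_lopez,Lopez,P1001,Nguyen,view_chart
2024-03-15T08:40:00,ma_lopez,Lopez,P1002,Lopez,view_chart
2024-03-15T09:15:00,ma_chen,Chen,P1001,Nguyen,view_chart
2024-03-15T12:31:00,ma_chen,Chen,P1003,Starling,view_chart
2024-03-15T12:32:00,ma_chen,Chen,P1003,Starling,view_demographics
2024-03-15T23:50:00,ma_lopez,Lopez,P1004,Okafor,view_chart
"""

# Constructed care-relationship table derived from the day's schedule:
# (user, patient_id, appointment date).  In practice this comes from the
# scheduling system, not from the audit log itself.
CARE_RELATIONSHIPS = {
    ("ma_lopez", "P1001", "2024-03-15"),
    ("ma_chen", "P1001", "2024-03-15"),
}

# Patients whose charts warrant review on every access (public figures,
# employees, their relatives).  Assumed list for the example.
VIP_PATIENTS = {"P1003"}

# Clinic hours as [open_hour, close_hour); accesses outside are flagged.
BUSINESS_HOURS = (7, 19)


def flag_access(row, relationships=CARE_RELATIONSHIPS, vip=VIP_PATIENTS):
    """Return the list of reasons a single access row looks suspicious."""
    reasons = []
    ts = datetime.fromisoformat(row["ts"])
    if (row["user"], row["patient_id"], ts.date().isoformat()) not in relationships:
        reasons.append("no_care_relationship")
    if row["user_last"].lower() == row["patient_last"].lower():
        reasons.append("same_last_name")  # possible family-member lookup
    if row["patient_id"] in vip:
        reasons.append("vip_record")
    if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
        reasons.append("after_hours")
    return reasons


def audit(log_text: str):
    """Run every row of a CSV audit export through flag_access.

    Returns (timestamp, user, patient_id, reasons) for each flagged access,
    in log order.  Clean rows (a scheduled patient, in hours) are omitted.
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = flag_access(row)
        if reasons:
            alerts.append((row["ts"], row["user"], row["patient_id"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, patient, reasons in audit(AUDIT_LOG):
        print(f"{ts} {user:10} {patient} {', '.join(reasons)}")
```

In the constructed log, ma_lopez opening the chart of a patient named Lopez with no appointment, and again opening a chart at 23:50, are exactly the rows a reviewer would ask about; ma_chen's two views of the VIP record would be closed quickly if the schedule feed simply lacked that visit, which is why the care-relationship rule should never be the only rule.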
HIPAA Penalty Tiers
Civil penalties are organized into four tiers based on level of culpability. The per-violation amounts below are the statutory baseline figures; HHS adjusts them for inflation each year, and the annual caps reflect the reduced caps HHS adopted under its 2019 Notice of Enforcement Discretion:
- Tier 1 (Did Not Know): The covered entity did not know and, with reasonable diligence, could not have known about the violation. Minimum $100 per violation, up to $50,000 per violation, annual cap $25,000.
- Tier 2 (Reasonable Cause): The violation was due to reasonable cause and not willful neglect. Minimum $1,000 per violation, up to $50,000, annual cap $100,000.
- Tier 3 (Willful Neglect, Corrected): Willful neglect where the violation was corrected within 30 days of the entity knowing about it. Minimum $10,000 per violation, up to $50,000, annual cap $250,000.
- Tier 4 (Willful Neglect, Not Corrected): Willful neglect that was not corrected within 30 days. Minimum $50,000 per violation, annual cap $1.5 million.
Criminal penalties are separate and are handled by the Department of Justice, in three levels: knowingly obtaining or disclosing PHI (fines up to $50,000 and up to 1 year imprisonment); doing so under false pretenses (up to $100,000 and up to 5 years); and doing so with intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm (up to $250,000 and up to 10 years).
Memorize the 18 PHI identifiers and know that PHI is any health information that could identify a patient. Know the minimum necessary standard. Know the five patient rights (access, amend, accounting of disclosures, restrictions, confidential communications). Know the four civil penalty tiers. A common question asks what to do when a family member calls for information: you need the patient's written authorization unless the patient is present, has been given the chance to object, and agrees to the disclosure.
Practice Questions
Question 1: A patient's adult daughter calls the office asking about her mother's test results. The patient has not provided written authorization for disclosures to her daughter. What should the MA do?
Answer: Do not release the information. Without a signed authorization from the patient designating the daughter as someone who can receive her health information, disclosing results to the daughter violates HIPAA. Ask the caller to have the patient contact the office directly, or explain that the patient can come in to sign an authorization form.
Question 2: An MA sends a fax containing a patient's lab results to the wrong number. What type of HIPAA event is this, and what must happen next?
Answer: This is an impermissible disclosure of unsecured PHI and is presumed to be a breach. The practice must conduct and document a four-factor risk assessment (nature of the PHI, who received it, whether it was actually viewed, and mitigation such as the recipient confirming destruction). Unless that assessment shows a low probability that the PHI was compromised, the affected patient must be notified without unreasonable delay and no later than 60 days after discovery, and the incident must be reported to HHS (within 60 days if 500 or more individuals are affected, otherwise in the annual log). The practice should also implement corrective steps, such as pre-programmed fax numbers and a cover sheet with a misdirection notice, to prevent recurrence.
Question 3: Which HIPAA patient right allows a patient to get a list of who received their PHI over the past 6 years?
Answer: Right to an accounting of disclosures. This right lets patients request a log of PHI disclosures, excluding those made for treatment, payment, and healthcare operations. The 6-year lookback is the standard period. The practice has 60 days to provide the accounting (one 30-day extension allowed).