Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portabiilty and Accountability ACT (HIPAA) is an act created by the U.S. Congress in 1996 that amends both the Employee Retirement Income Security Act (ERISA) and the Public Health Service Act (PHSA). HIPAA was enacted in an effort to protect individuals covered by health insurance and to set standards for the storage and privacy of personal medical data.

Health Insurance Portability and Accountability Act (HIPAA) ensures that individual health-care plans are accessible, portable and renewable, and it sets the standards and the methods for how medical data is shared across the U.S. health system in order to prevent fraud. It preempts state law unless the state's regulations are more stringent. 

This act has been modified since 1996 to include processes for safely storing and sharing patient medical information electronically. The act also has an administrative simplification provision, which is aimed at increasing efficiency and reducing administrative costs by establishing national standards.

Health insurers, health maintenance organizations (HMOs), healthcare billing services and other entities that handle sensitive personal medical information must comply with the standards set by the HIPAA. Noncompliance may result in civil or criminal penalties.

In an age of fitness-tracking apps and GPS-tracked, shareable data on everything from an individual’s daily step count to their average heart-rate, medications, allergies, and even menstrual cycles, there are new challenges for upholding standards in storing and protecting personal medical data.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) broadened HIPAA privacy and security protections. The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009 as well as to promote the use of health-information technology. A portion of the HITECH Act addresses the privacy and security concerns.

In 2018, Bloomberg Law reported on the privacy risks that come from digital health-care data and the likelihood of updated federal laws in the near future. Currently, though insurance companies and health-care providers are subject to laws that require compliance with HIPAA’s security and privacy protections, companies like FitBit and Apple aren’t held to similar standards. In a video interview, Nan Halstead, a health privacy and security attorney with Reed Smith LLP, said that future laws are unlikely to expand on HIPAA but rather use its framework as a model to create new laws governing the digital sector. Bloomberg’s reportage further elucidates that while no federal laws have yet been passed to manage consumer health data, states can pass laws that fill the gap in the meantime, and companies tracking consumer data are subject to supervision by regulating bodies like the U.S. Food and Drug Administration and the Federal Trade Commission.