The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that added privacy and security protections concerning individuals' health information, imposed portability requirements regarding health coverage, and sought to streamline health care-related electronic transactions. In implementing HIPAA, the Department of Health and Human Services (HHS) issued the:

The Privacy Rule and Security Rule are part of HIPAA's "administrative simplification" requirements. The HIPAA Privacy Rule, which applies to group health plans and other HIPAA covered entities (CEs), includes safeguards for the privacy of PHI and imposes restrictions on the use and disclosure of PHI without an individual's authorization (see Group Health Plans and Health Insurance Toolkit). The Privacy Rule also provides individuals rights to certain information concerning their health information. The HIPAA Security Rule established standards to protect individuals' electronic PHI that is created, received, used, or maintained by a CE. The Security Rule required the adoption of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.

In 2010, the Affordable Care Act (ACA) made significant changes affecting HIPAA, including rules addressing preexisting condition exclusions, lifetime and annual limits, coverage rescissions, and electronic transactions (see Practice Note, Affordable Care Act (ACA) Overview and Affordable Care Act (ACA) Toolkit). In January 2013, HHS issued comprehensive regulations that finalized changes to HIPAA's privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Failing to comply with HIPAA's privacy, security, and breach notification requirements can result in significant consequences that include civil and criminal penalties (which were increased under the HITECH Act) (see Legal Update, HHS Increases Civil Money Penalties for HIPAA Noncompliance, Effective October 6, 2023). Moreover, HHS has taken an aggressive enforcement approach in recent years regarding HIPAA compliance—as illustrated by a record-setting HHS/HIPAA settlement agreement (see Legal Update, Anthem's $16 Million HIPAA Settlement Is Largest in History) and ongoing enforcement actions (see Legal Update, Published Photos of COVID Patients Lead to $80,000 HIPAA Settlement (Nov. 2023)).

This Toolkit includes continuously updated resources designed to help plan sponsors of group health plans comply with HIPAA's administrative simplification requirements. Practical Law's Employee Benefits and Executive Compensation Service regularly covers important developments in the HIPAA compliance space with timely legal updates. For example, these developments include: