What is HIPAA?

The information provided on this website does not, and is not intended to, act as legal, financial or credit advice. See Lexington Law’s editorial disclosure for more information.

If you’re reading this article, you’re probably wondering what HIPAA is and how it can help you. In 1996, the federal government passed the Health Insurance Portability and Accountability Act (HIPAA). Among other things, the law aimed to protect sensitive patient information from being shared without a person’s knowledge or consent, and it established national standards for electronic healthcare transactions.

Companies that work with protected health information (PHI) must have security processes to ensure they’re HIPAA compliant. This applies to anyone who provides treatment, processes payments or has other operations in healthcare, as well as their business associates who must access patient information. This helps to protect American citizens in addition to reducing the incidents of healthcare fraud. 

Additionally, HIPAA allows American workers and their families to continue to receive health insurance coverage after losing or changing jobs.

What does HIPAA cover?

HIPAA is quite extensive and covers many areas. Some of the more important rules are the HIPAA Privacy Rule and the HIPAA Security Rule. 

The HIPAA Privacy Rule

The HIPAA Privacy Rule was initially proposed in 1999 and approved in late 2000. This rule requires that medical records and personal health information in health plans, with healthcare clearinghouses and with healthcare providers are protected with safeguards. This applies to electronic, written and oral health information. 

The HIPAA Privacy Rule also sets limits on how this private information can be used and disclosed without patient approval. Outside of treatment, payment, healthcare operations and a set of specific exceptions (listed below), a patient must give written authorization before their health information is shared with a third party.

Lastly, the rule also gives patients the right to obtain a copy of their health records to examine them and make requests for necessary corrections. You can also receive a report on when your health information was shared, with whom and for what reason.

The HIPAA Security Rule

The HIPAA Security Rule was proposed in 1998 and approved in early 2003. This rule protects electronic protected health information (ePHI) that is maintained, received, created or transmitted by a covered entity. Unlike the Privacy Rule, it applies only to information stored or shared in electronic form. Similar to the HIPAA Privacy Rule, the Security Rule requires applicable entities to maintain reasonable and appropriate security measures to protect this data.

The Security Rule builds on the Privacy Rule, requiring all applicable entities to have administrative, physical and technical safeguards in place to protect ePHI as it’s shared or stored electronically. Within the Security Rule are standards that organizations must follow to safeguard health information and remain compliant (for electronic information only)—for example, assigning each user a unique identifier and requiring authentication before granting access to systems that hold ePHI, and keeping audit records of who accessed that information.

Who has to comply with HIPAA?

All “covered entities” have to comply with HIPAA, and so do their business associates. These include:

  • Healthcare providers: Companies of all sizes that electronically submit health information for claims, referral authorization requests, benefit eligibility checks and more
  • Health plans: Dental, vision and health insurers, HMOs, Medicare, Medicaid, prescription drug insurers, long-term care insurers, employer-sponsored health plans, government-sponsored health plans, church-sponsored health plans and multi-employer health plans
  • Healthcare clearinghouses: Organizations that process nonstandard health information into a standard format (or the reverse), usually on behalf of a healthcare provider or a health plan
  • Business associates: A person or organization that creates, receives, maintains or transmits individual health information on behalf of a covered entity, such as for billing, data analysis, claims processing and more. Business associates are not covered entities themselves, but they are bound by contract and are directly subject to the Security Rule and parts of the Privacy Rule.

The Privacy Rule lists 12 categories of permitted uses and disclosures for which PHI can be given out without the patient’s authorization. These exceptions are:

  • An organization may be legally mandated to do so by statute, regulation or court orders.
  • Entities may disclose PHI to public health authorities to stop the spread of disease, for information around FDA-approved products or for employers or employees when evaluating a work-related illness or injury.
  • Sometimes covered entities will share PHI information of abuse, neglect or domestic violence victims with the appropriate government authorities.
  • PHI may be disclosed to health oversight agencies that may be conducting authorized audits and investigations into the healthcare system or government benefit programs.
  • PHI may be shared in a judicial or administrative proceeding if the request for the data came through a court or administrative tribunal, such as a response to a subpoena. 
  • Law enforcement officials may request PHI for law enforcement purposes under six specific circumstances set out in the rule (for example, in response to a court order, warrant or subpoena, or to identify or locate a suspect, fugitive, witness or missing person).
  • Covered entities may share PHI with funeral directors, coroners or medical examiners to help them perform their legal or hired duties. 
  • Organizations may disclose PHI to help with the donations of cadaveric organs, eyes or tissue donations. 
  • PHI can be shared for research purposes under certain conditions.
  • Covered entities may share PHI with appropriate sources if they believe it’s necessary to prevent or lessen a serious threat to others’ health or safety. Typically, the PHI is shared with law enforcement in these scenarios. 
  • Authorization to access or share PHI is not required for essential government functions, such as providing protective services for the President. 
  • Covered entities may share PHI for work-related injuries and illnesses if it complies with workers’ compensation laws. 

How does HIPAA relate to credit reporting?

It’s important to note that HIPAA does not prevent credit reporting. “Payment” is one of the purposes for which covered entities are allowed to disclose health-related information without the individual’s authorization, and the rule’s definition of payment expressly includes disclosure of a limited set of information to consumer reporting agencies. So, if you miss payments or make late payments on your medical bills, it can be reported to the credit reporting agencies.

However, the PHI disclosures are limited to sharing the following information:

  • Name
  • Address
  • Date of birth
  • Social Security number
  • Payment history
  • Account number
  • The name and address of the healthcare provider who made the file

In other words, covered entities may give credit reporting agencies enough information to identify your file and add the negative payment information to it, but not your medical history, diagnoses or treatments.

HIPAA operates alongside the Fair Credit Reporting Act (FCRA) rather than in conflict with it. The FCRA gives consumers the right to have their credit reports kept private and to include only accurate information. It also provides consumers with the right to dispute any false or unverifiable information on their credit report and have it removed.

What if HIPAA is violated?

If you’ve found out that a collector has information that goes beyond what HIPAA allows, you can take action. Let’s say, in an attempt to validate your debt, the collector received details about your diagnosis or treatment, or any other information beyond the limited set that may be shared for payment purposes.

In this case, you can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights, which enforces HIPAA, and you can dispute the item with the credit reporting agencies under the FCRA. Keep in mind that HIPAA itself does not give individuals a right to sue or to collect penalties; any civil fines for a violation are paid to the government, not to you. Removal of the debt from your credit report is not automatic either: if the collector cannot verify the debt, or the entry contains inaccurate information, the FCRA dispute process is what gets it removed.

Review all medical debt on your credit reports

It’s important to understand HIPAA and your rights under this act. Like all other forms of debt, medical debt can have a significant impact on your credit. If you have late or missed medical debt payments, they show up as negative items on your report and can lower your credit score.

To avoid this situation, you should always review your medical debt on your credit reports. If the information is false, has errors or violates your HIPAA rights, you may have a case to dispute the information and have it removed from your file. 

Of course, this applies to everything that appears on your credit report. Be aware of what’s on your credit reports, and check every detail. Credit reporting agencies often make errors, and you’ll be the one affected by the consequences if you miss them. 

If you seek a credit repair company’s help, make sure you choose one that takes privacy and your data very seriously. There should be systems in place to protect your personal information. Lexington Law takes customer data protection very seriously—find out how we can protect you and help you with credit repair today. 


Reviewed by Kenton Arbon, an Associate Attorney at Lexington Law Firm. Written by Lexington Law.

Kenton Arbon is an Associate Attorney in the Arizona office. Mr. Arbon was born in Bakersfield, California, and grew up in the Northwest. He earned his B.A. in Business Administration, Human Resources Management, while working as an Oregon State Trooper. His interest in the law led him to relocate to Arizona, attend law school, and graduate from Arizona State College of Law in 2017. Since graduating from law school, Mr. Arbon has worked in multiple compliance domains including anti-money laundering, Medicare Part D, contracts, and debt negotiation. Mr. Arbon is licensed to practice law in Arizona. He is located in the Phoenix office.

Note: Articles have only been reviewed by the indicated attorney, not written by them. The information provided on this website does not, and is not intended to, act as legal, financial or credit advice; instead, it is for general informational purposes only. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client or fiduciary relationship between the reader, user, or browser and website owner, authors, reviewers, contributors, contributing firms, or their respective agents or employers.