The Health Insurance Portability and Accountability Act (HIPAA) of the US was enacted on August 21, 1996, to help more Americans gain health insurance coverage and to make it easier for them to obtain health insurance from a new employer when they switch jobs. HIPAA strives to make healthcare delivery more efficient by providing for hassle-free transfer (portability) of healthcare data between healthcare organizations and insurers. The legislation also aims to combat health care fraud and abuse, such as filing false claims and obtaining undeserved benefits from federal and state healthcare programs. Most importantly, HIPAA aims to secure patients' protected health information (PHI) and to prevent the illegal use of such information by scammers to file fraudulent claims with federal/state health coverage programs and health insurers. With this in mind, HIPAA lays down national standards (the "HIPAA Privacy Rule"), the first of their kind, to secure individuals' PHI.
The HIPAA Privacy Rule requires "covered entities," namely health plans, health care providers, and their business associates, to have appropriate safeguards in place, including technical ones, to ensure the confidentiality, integrity, and security of a patient's PHI. In the unfortunate event of a disclosure, impermissible use, or exposure of PHI (such as in a cyberattack), the covered entity must notify the affected patient within 60 calendar days from the date the breach is discovered. Where the breach involves the unsecured PHI of more than 500 individuals, the covered entity must also notify a prominent media outlet serving the jurisdiction in which the breach occurred, in addition to notifying the Department of Health and Human Services (HHS).