Who Enforces the HIPAA Legislation?
Covered Entities
- HIPAA applies to health plans, health care clearinghouses and health care providers who submit health information electronically. Certain entities are excluded from HIPAA, including some state agencies such as child protective services, life insurers, employers, schools and school districts.
State Law Preemption
- In most instances, HIPAA supersedes state health privacy laws. There is an exception, however, in states with more stringent health privacy laws.
Complaints
- Consumers who feel their individual privacy rights have been violated may file a complaint with the HHS Office for Civil Rights, which is charged with HIPAA enforcement. A complaint must be in writing, either electronic or paper, and may be sent by fax, email or postal mail. It must include information about the covered entity and the specific facts of the alleged HIPAA violation, and it must be filed within 180 days of when the alleged incident occurred.
HIPAA Enforcement
- The HHS Office for Civil Rights begins the enforcement process by investigating the complaint. The complaint must allege activity that is not permitted under the privacy rule. It must also involve an entity that is a covered entity and subject to the privacy rule.
Penalties for HIPAA Violations
- HIPAA provides civil and criminal penalties for non-compliance and wrongful disclosure. Penalties for non-compliance can be as high as $100 for each offense, with a maximum of $25,000 per year. A covered entity that knowingly discloses personal health information is subject to a minimum fine of $50,000, imprisonment of no more than one year, or both.