Key Takeaways
- HIPAA (Health Insurance Portability and Accountability Act of 1996) protects protected health information (PHI)
- The Privacy Rule governs how PHI can be used and disclosed; patients have the right to access and request corrections to their records
- The Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI)
- The Minimum Necessary standard requires using only the least amount of PHI needed to accomplish the task
- PHI can be disclosed without patient authorization for treatment, payment, and healthcare operations (TPO)
- HIPAA violations can result in civil penalties ($100-$50,000 per violation) and criminal penalties (up to $250,000 and 10 years imprisonment)
- Medical records must be maintained for a minimum period defined by state law (typically 7-10 years for adults, longer for minors)
- EHR systems must include audit trails, access controls, encryption, and backup procedures to protect patient data
- Patients have the right to an accounting of disclosures, receive a Notice of Privacy Practices, and request restrictions on use of their PHI
HIPAA, Medical Records & Health Information
HIPAA compliance is one of the most heavily tested administrative topics on the RMA exam. Medical assistants handle protected health information (PHI) daily and must understand the rules governing its use, disclosure, and protection.
HIPAA Overview
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and includes several key rules:
HIPAA Rules Summary
| Rule | Focus | Key Provisions |
|---|---|---|
| Privacy Rule | Use and disclosure of PHI | Patient rights, minimum necessary, permitted uses, authorization requirements |
| Security Rule | Protection of electronic PHI (ePHI) | Administrative, physical, and technical safeguards |
| Breach Notification Rule | Notification after PHI breach | Requires notification to patients, HHS, and media (if 500+ affected) |
| Enforcement Rule | Penalties for violations | Civil and criminal penalty structure |
| Omnibus Rule (2013) | Extended HIPAA requirements | Extends rules to business associates; strengthens breach notification |
Protected Health Information (PHI)
PHI includes any individually identifiable health information, including:
- Patient's name, address, phone number, email
- Date of birth, Social Security number
- Medical record numbers, account numbers
- Health plan beneficiary numbers
- Photographs, fingerprints, biometrics
- Any unique identifying number or code
- Medical diagnoses, treatment plans, test results
- Billing and payment information
The Privacy Rule: Key Principles
Permitted Disclosures Without Patient Authorization (TPO):
- Treatment: Sharing PHI between providers for patient care (e.g., sending records to a specialist)
- Payment: Submitting claims to insurance, billing, collections
- Healthcare Operations: Quality assessment, compliance, auditing, training
Disclosures Requiring Patient Authorization:
- Release of records to employers, life insurance companies, or attorneys
- Marketing communications
- Sale of PHI
- Psychotherapy notes (require separate authorization)
Exceptions (No Authorization Needed):
- Required by law (court orders, subpoenas)
- Public health activities (reportable diseases, vital statistics)
- Abuse, neglect, or domestic violence reporting
- Law enforcement purposes
- Coroners, funeral directors, organ donation
- Workers' compensation claims
- Serious threat to health or safety
Patient Rights Under HIPAA
| Right | Description |
|---|---|
| Access to records | View and obtain copies of their medical records |
| Amendment request | Request corrections to inaccurate or incomplete records |
| Accounting of disclosures | Receive a list of who their PHI was shared with |
| Restriction requests | Ask to limit how their PHI is used or disclosed |
| Confidential communications | Request communications through specific channels |
| Notice of Privacy Practices | Receive the practice's NPP at first encounter |
| Complaint filing | File complaints with HHS Office for Civil Rights |
The Security Rule: Safeguarding ePHI
The Security Rule requires three types of safeguards to protect electronic PHI:
Administrative Safeguards
- Security officer: Designate a person responsible for security policies
- Risk analysis: Regularly assess potential risks to ePHI
- Workforce training: Train all employees on security policies
- Access management: Define who can access ePHI and what they can do with it
- Contingency planning: Procedures for data backup, disaster recovery, and emergency operations
- Business associate agreements: Written contracts with third parties handling ePHI
Physical Safeguards
- Facility access controls: Locks, badges, security cameras, alarm systems
- Workstation security: Position screens away from public view, use privacy screens
- Device controls: Policies for mobile devices, removable media, and hardware disposal
- Visitor management: Sign-in logs, escort procedures for non-employees
Technical Safeguards
- Access controls: Unique user IDs, passwords, automatic logoff, encryption
- Audit controls: Track who accessed ePHI, when, and what they did (audit trails)
- Integrity controls: Mechanisms to prevent unauthorized alteration of ePHI
- Transmission security: Encryption for ePHI sent electronically (email, fax, network)
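As an added illustration (not part of the original study guide) of how three of these technical safeguards fit together in software, the following Python sketch applies role-based access limited to the Minimum Necessary fields, appends every access decision to an audit trail, and hash-chains that trail so later alteration can be detected; the role names, field sets and patient record are assumptions constructed for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Minimum Necessary: each role may see only the fields its task requires.
# Role names and field sets are assumptions made for this example.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnoses", "test_results"},
    "medical_assistant": {"name", "dob", "phone"},
    "billing": {"name", "account_number", "charges"},
}

# Constructed sample record, not real patient data.
PATIENT = {
    "mrn": "MRN-0001", "name": "A. Example", "dob": "1980-01-01",
    "phone": "555-0100", "account_number": "ACCT-42", "charges": 120.0,
    "diagnoses": ["J06.9"], "test_results": ["CBC normal"],
}

AUDIT_LOG = []  # append-only audit trail (Audit controls)

def _chain_hash(prev_hash, entry):
    # Each entry is hashed together with the previous hash (Integrity controls)
    payload = prev_hash + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def access_record(user_id, role, record, purpose):
    """Return the Minimum Necessary view of a record for this role and log it."""
    allowed = ROLE_FIELDS.get(role, set())   # unknown role -> no fields
    view = {k: v for k, v in record.items() if k in allowed}
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id, "role": role, "mrn": record["mrn"],
        "purpose": purpose, "fields": sorted(view), "granted": bool(view),
    }
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    entry["hash"] = _chain_hash(prev, entry)
    AUDIT_LOG.append(entry)   # denied attempts are logged too
    return view

def verify_audit_trail(log):
    """Recompute the hash chain; False if any logged entry was altered."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _chain_hash(prev, body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

A denied request (unknown role) still produces an audit entry, which is what an auditor reviewing "who tried to access what" needs to see.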
HIPAA Violations and Penalties
Civil Penalties
| Tier | Level of Knowledge | Per Violation | Annual Maximum |
|---|---|---|---|
| Tier 1 | Did not know | $100 - $50,000 | $25,000 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,000 - $50,000 | $100,000 |
| Tier 3 | Willful neglect, corrected within 30 days | $10,000 - $50,000 | $250,000 |
| Tier 4 | Willful neglect, not corrected | $50,000 | $1,500,000 |
Criminal Penalties
| Level | Conduct | Penalty |
|---|---|---|
| Level 1 | Knowingly obtaining/disclosing PHI | Up to $50,000 fine and 1 year imprisonment |
| Level 2 | Obtained under false pretenses | Up to $100,000 fine and 5 years imprisonment |
| Level 3 | Intent to sell, transfer, or use for personal gain | Up to $250,000 fine and 10 years imprisonment |
Medical Records Management
Record Retention
- State laws vary: Typically 7-10 years for adult records after last encounter
- Minor patients: Records retained until the patient reaches age of majority plus the state retention period
- Medicare/Medicaid: Minimum 6-10 years depending on the program
- OSHA records: Employee exposure records maintained for 30 years
- Always follow the longest applicable requirement
Electronic Health Records (EHR)
| Feature | Purpose |
|---|---|
| Audit trail | Tracks all access and modifications to patient records |
| Access controls | Role-based permissions (who can view/edit what) |
| Encryption | Protects data at rest and in transit |
| Backup | Regular automated backups with offsite storage |
| Interoperability | Ability to share records between systems (HL7, FHIR) |
| Templates | Standardized documentation for consistency |
| Decision support | Drug interaction alerts, clinical reminders |
| E-prescribing | Electronic prescription transmission to pharmacies |
Under HIPAA, which of the following can a medical assistant share without the patient's written authorization?
The HIPAA Security Rule requires which three types of safeguards to protect ePHI?
A medical assistant accidentally leaves a patient chart open on a computer screen visible to other patients in the waiting area. This is an example of:
The Minimum Necessary standard under HIPAA means:
HIPAA was enacted in the year ___.
Which of the following are patient rights under HIPAA? (Select all that apply)