13.2 HIPAA Privacy & Security Basics

Key Takeaways

  • HIPAA governs agents directly through the Privacy Rule, Security Rule, and Breach Notification Rule (added by the HITECH Act); Medicare agents typically act as business associates handling PHI on a plan sponsor's behalf.
  • Protected Health Information (PHI) combines health information with any of 18 recognized identifiers (name, SSN, dates, account numbers, and more); the Minimum Necessary Standard limits access to only what a task requires.
  • The Security Rule requires administrative, physical, and technical safeguards specifically for electronic PHI (ePHI), such as encryption, unique logins, and locked storage.
  • A breach requires individual notice within 60 days, HHS notice (immediate for 500+ affected individuals), and media notice when 500+ residents of one state are affected.
  • HIPAA civil penalties use four culpability tiers ranging from roughly $145 to $2,190,294 per violation, each sharing an annual cap of about $2,190,294 per identical violation type.
Last updated: July 2026

HIPAA Privacy & Security Basics

Why This Topic Matters

Unlike the Stark Law and Anti-Kickback Statute, which mostly describe provider and plan conduct, HIPAA is a law that directly governs you as the agent. Every enrollment application, Scope of Appointment (SOA) form, and health-history question you ask a beneficiary during a sales appointment involves Protected Health Information (PHI). AHIP's Module 5 tests HIPAA specifically because agents mishandle PHI more often than they violate Stark or the Anti-Kickback Statute — leaving an application on a car seat, emailing a Social Security number over unencrypted personal email, or discussing a client's diagnosis within earshot of other beneficiaries are all real HIPAA incidents in the Medicare sales channel.

Core Terms and Rules

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is implemented through three federal rules relevant here:

  • Privacy Rule (2003) — governs how PHI may be used and disclosed.
  • Security Rule (2005) — governs safeguards for electronic PHI (ePHI) specifically.
  • Breach Notification Rule (2009, added by the HITECH Act) — requires notification when unsecured PHI is breached.

Covered entities under HIPAA include health plans (Medicare Advantage and Part D plan sponsors are covered entities), health care providers, and health care clearinghouses. Agents and brokers who collect, use, or transmit PHI on behalf of a plan sponsor generally act as — or must be contractually bound like — business associates: parties who perform functions involving PHI on a covered entity's behalf and must sign a Business Associate Agreement (BAA) or equivalent contractual privacy terms.

Protected Health Information (PHI) is individually identifiable health information — data relating to a person's past, present, or future physical or mental health, health care, or payment for health care, that also identifies the individual (or could reasonably be used to identify them). HIPAA recognizes 18 identifiers that, combined with health information, create PHI. Common ones tested include:

Identifier CategoryExamples
Direct identifiersName, Social Security number, medical record number
Contact informationAddress, phone number, email address
DatesBirth date, admission/discharge date
Account/plan numbersHealth plan beneficiary number, account number
Digital identifiersIP address, device identifiers, full-face photographs

A core operating principle is the Minimum Necessary Standard: a business associate (including an agent) should access, use, or disclose only the minimum amount of PHI needed to accomplish the specific task — an agent processing an enrollment does not need, and should not seek, a beneficiary's entire medical history.

Security Rule Safeguards

The Security Rule organizes required protections for ePHI into three categories — a favorite exam-table format:

Safeguard TypeFocusExample
AdministrativePolicies, training, risk analysisAnnual FWA/compliance training, workforce sanction policies
PhysicalFacility and device securityLocking file cabinets, securing laptops, controlling office access
TechnicalElectronic system controlsEncryption, unique user login IDs, audit logs, secure transmission

Breach Notification Requirements

A breach is an unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. When a breach occurs:

  • Affected individuals must be notified without unreasonable delay, and no later than 60 days after discovery.
  • The Department of Health and Human Services (HHS) must be notified — immediately if the breach affects 500 or more individuals, or on an annual log basis for breaches under 500.
  • If a breach affects 500 or more residents of a single state or jurisdiction, prominent media notice is also required.

Civil Penalty Tiers

HHS enforces HIPAA through the Office for Civil Rights (OCR) using a four-tier penalty structure based on the covered entity's or business associate's level of culpability (amounts adjusted annually for inflation; figures below reflect 2026 adjustment levels):

TierCulpabilityPer-Violation Range
1Did not know and, by reasonable diligence, would not have known~$145 – $73,011
2Reasonable cause, not willful neglect~$1,461 – $73,011
3Willful neglect, corrected within 30 days~$14,602 – $73,011
4Willful neglect, not corrected~$73,011 – $2,190,294

Each tier shares the same annual cap of roughly $2,190,294 per identical violation type per year — the tiers differ in the per-violation floor, not the ceiling.

Practical Rules for Agents

  • Never send PHI (Social Security numbers, Medicare Beneficiary Identifiers, health conditions) over unencrypted personal email or text message.
  • Never leave paper enrollment applications or SOA forms visible in a vehicle or unattended in public.
  • Shred or securely destroy PHI-containing documents no longer needed; do not simply discard them in regular trash.
  • Discuss a beneficiary's health information only in private settings — not within earshot of other clients or family members who are not authorized.
  • Report any suspected loss, theft, or improper disclosure of PHI to your carrier's compliance department immediately — do not wait to assess severity yourself; breach-notification clocks start at discovery, not at your own investigation's conclusion.

Exam Scenario

An agent emails a completed enrollment application containing a beneficiary's Medicare Beneficiary Identifier and health condition responses to her personal Gmail account so she can print it at home, using no encryption. This is a HIPAA violation exposing PHI through an unsecured channel — even without malicious intent, this falls under the Security Rule's requirement for secure transmission of ePHI, and depending on the facts, could be assessed at Tier 1 or Tier 2 culpability rather than a higher tier, since there was no willful neglect — but it is still a reportable incident requiring notification to the carrier's compliance team.

Key Takeaways

  • HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule (added by HITECH) govern how agents may use, protect, and report incidents involving PHI.
  • Agents typically function as business associates and must follow the Minimum Necessary Standard — access only the PHI needed for the task at hand.
  • The Security Rule requires administrative, physical, and technical safeguards for electronic PHI.
  • A breach requires notice to affected individuals within 60 days, HHS notice (immediate if ≥500 affected), and media notice if ≥500 in one state.
  • HIPAA penalties use four culpability tiers, from roughly $145 up to $2,190,294 per violation, sharing a common annual cap per violation type.
Test Your Knowledge

Under the HIPAA Minimum Necessary Standard, what should an agent do when processing a Medicare Advantage enrollment application?

A
B
C
D
Test Your Knowledge

A carrier's data breach exposes unsecured PHI for 800 beneficiaries in a single state. Beyond notifying the affected individuals within 60 days, what additional notification is required?

A
B
C
D