[9] Title I requires the coverage of and also limits restrictions that a group health plan can place on benefits for preexisting conditions.
[11] "Creditable coverage" is defined quite broadly and includes nearly all group and individual health plans, Medicare, and Medicaid.
By regulation, the HHS extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of "business associates".
[26] A covered entity may disclose PHI to certain parties to facilitate treatment, payment, or health care operations without a patient's express written authorization.
[33] They must appoint a Privacy Official and a contact person[34] responsible for receiving complaints and train all members of their workforce in procedures regarding PHI.
[35] An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).
A spokesman for the agency says it has closed three-quarters of the complaints, typically because it found no violation or after it provided informal guidance to the parties involved.
An HHS Office for Civil Rights investigation showed that from 2005 to 2008, unauthorized employees repeatedly and without legitimate cause looked at the electronic protected health information of numerous UCLAHS patients.
[39] It is a misconception that the Privacy Rule creates a right for any individual to refuse to disclose any health information (such as chronic conditions or immunization records) if requested by an employer or business.
The most significant changes related to the expansion of requirements to include business associates, where only covered entities had originally been held to uphold these sections of the law.
When delivered to the individual in electronic form, the individual may authorize delivery using either encrypted or unencrypted email, delivery using media (USB drive, CD, etc., which may involve a charge), direct messaging (a secure email technology in common use in the healthcare industry), or possibly other methods.
For example, a patient can request in writing that her ob-gyn provider digitally transmit records of her latest prenatal visit to a pregnancy self-care app that she has on her mobile phone.
[51] Janlori Goldman, director of the advocacy group Health Privacy Project, said that some hospitals are being "overcautious" and misapplying the law, the Times reports.
As a result, if a patient is unconscious or otherwise unable to choose to be included in the directory, relatives and friends might not be able to find them, Goldman said.
The HIPAA/EDI (electronic data interchange) provision was scheduled to take effect from October 16, 2003, with a one-year extension for certain "small plans".
However, due to widespread confusion and difficulty in implementing the rule, Centers for Medicare & Medicaid Services (CMS) granted a one-year extension to all parties.
Examples of payers include an insurance company, health maintenance organization (HMO), preferred provider organization (PPO), or government agency (Medicaid, Medicare, etc.).
An institution may obtain multiple NPIs for different "sub-parts" such as a free-standing cancer center or rehab facility.
Rachel Seeger, a spokeswoman for HHS, stated, "HONI did not conduct an accurate and thorough risk analysis to the confidentiality of ePHI [electronic Protected Health Information] as part of its security management process from 2005 through Jan. 17, 2012."
[63] As of March 2013, the United States Department of Health and Human Services (HHS) has investigated over 19,306 cases that have been resolved by requiring changes in privacy practice or by corrective action.
Beginning in 1997, a medical savings account ("MSA") became available to employees covered under an employer-sponsored high-deductible plan; eligibility was limited to employees of small employers and to self-employed individuals.
Finally, it amends provisions of law relating to people who give up United States citizenship or permanent residence, expanding the expatriation tax to be assessed against those deemed to be giving up their U.S. status for tax reasons, and making ex-citizens' names part of the public record through the creation of the Quarterly Publication of Individuals Who Have Chosen to Expatriate.
[64] The enactment of the Privacy and Security Rules has caused major changes in the way physicians and medical centers operate.
The complex legalities and potentially stiff penalties associated with HIPAA, as well as the increase in paperwork and the cost of its implementation, were causes for concern among physicians and medical centers.
An August 2006 article in the journal Annals of Internal Medicine detailed some such concerns over the implementation and effects of HIPAA.
[65] The complexity of HIPAA, combined with potentially stiff penalties for violators, can lead physicians and medical centers to withhold information from those who may have a right to it.
[69] Furthermore, HIPAA grants patients the right to access their own health information, request amendments to their records, and obtain an accounting of disclosures.
This training covers how to handle protected health information (PHI), patient rights, and the minimum necessary standard.
[80] Examples of significant breaches of protected information and other HIPAA violations include:
According to Koczkodaj et al., 2018,[83] the total number of individuals affected since October 2009 is 173,398,820.
[86] Soon after this, the bill was signed into law by President Clinton and was named the Health Insurance Portability and Accountability Act of 1996 (HIPAA).