Attorney Articles | Introduction to HIPAA Law

Articles by Legal Department Staff

The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

Introduction to HIPAA Law

by Zachary Pelchat, JD
Former Staff Attorney

The California Therapist
(March/April 2002)
Updated August 2010 by David Jensen, JD, CAMFT Staff Attorney

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that will be effective April 14, 2003. HIPAA was originally passed in 1996, but has been delayed as many complicated implementation issues were addressed. While many feel that HIPAA is still not mature enough to implement, the Bush administration and Congress have decided that it will be introduced in three stages. The first phase, implementing federal privacy regulation, begins April 14, 2003. The second and third stages concern insurance and clearing house implementation of electronic medical claims (EMC) processing and will be effective on October 16, 2002 and October 16, 2003.

HIPAA is published as a final rule by the Department of Health and Human Services. It is found in 45 Code of Federal Regulations Parts 160 and 164. It spans an amazing 367 pages in 10 and 8 point type, three columns per page. The sheer volume of the rule leads to confusion and uncertainty. The language used in addressing conflicts with state law is unclear. The government is still publishing clarifications and interpretations. During implementation, it is assumed that unforeseen problems will arise. The caveat here is patience and calm. As issues are resolved, CAMFT will continuously update therapists through The California Therapist, email alerts, special mailings, and continuing education courses.

HIPAA is meant to improve the portability and accountability of health insurance for individuals and groups. It intends to standardize and simplify electronic forms and help prevent fraud, waste, and abuse. Finally, it is designed to maintain the privacy of personal health information (PHI).

HIPAA applies to "covered entities." A covered entity is a health plan, a health care clearinghouse, or "a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter."i

A transaction is defined as "the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; or other transactions that the Secretary may prescribe by regulation."ii

The answer to whether or not HIPAA will apply to you is in whether or not you "transmit any health information in electronic form in connection with a transaction covered by this subchapter" (i.e., financial and administrative activities.) If you fax or email claim forms, HIPAA will apply to you. If you don't bill insurance, HIPAA will not apply to you. Likewise, if you only send paper claims in through the mail, HIPAA will not apply to you.

It may seem that this is a strange distinction to make, but the reason for it is to maintain the privacy of health records. Electronic transmission is easier, but creates a greater potential for breaches of confidentiality. Thus, the increased protections for electronic transmissions.

If you will be covered by HIPAA, it is advisable to begin preparing for compliance now. In an effort to assist you, you can access the website of the California Healthcare Foundation ( ) It addresses many of these issues in detail. Subsequent articles in The California Therapist will use this information as a starting point for further discussion and updates. The initial information is too extensive to be covered in a single magazine article, but we will provide regular updates and ongoing clarifications.

Federal preemption
One important issue is the question about federal preemption. Generally, federal law preempts state law. However, HIPAA specifically addresses preemption and says that state law will control in certain circumstances, but those circumstances are not well defined. For example, state law will control if the state has a more "stringent" standard, however many of these regulations are not different because they are more or less stringent, they are just different. Reasonable minds could well disagree over whether a particular state or federal regulation is more or less stringent.iii Resolving this question of preemption will have an important impact on the current mandatory and permissive exceptions to confidentiality and privilege with which California health providers are now familiar.

The most important step a provider can take right now is to be aware that HIPAA is going to be effective April 14, 2003 and to educate him or herself about the privacy provisions. The mailing by the California Healthcare Foundation is the best place to start. For those interested in the greatest level of detail, the actual text of HIPAA is also available to the public free of charge at The Association will alert members to other resources as they become available.

This article appeared in the March/April 2002 issue of The California Therapist, the publication of the California Association of Marriage and Family Therapists, headquartered in San Diego, California. This article is intended to provide guidelines for addressing difficult legal dilemmas. It is not intended to address every situation that could potentially arise, nor is it intended to be a substitute for independent legal advice or consultation. When using such information as a guide, be aware that laws, regulations and technical standards change over time, and thus one should verify and update any references or information contained herein.