The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) require the Department of Health and Human Services (HHS) to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers. They also require that HHS adopt regulations to protect the privacy and security of healthcare information. These standards are intended to improve the efficiency and effectiveness of the nation's healthcare system by encouraging the widespread use of electronic data interchange in health care.
In January 2013, the HHS released final regulations that, according to the HHS, represented “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” The regulations reflected changes brought about by the Health Information Technology for Economic and Clinical Health (HITECH) Act (enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA)) and the Genetic Information Nondiscrimination Act of 2008 (GINA).
Group health plans with fewer than 50 participants that are administered solely by the employer are exempt from the HIPAA privacy, electronic transaction, and security standards (45 CFR 160.103).