HIPAA Privacy Notices

The Privacy Rule was published in the Federal Register on December 28, 2000. The U.S. Department of Health and Human Services' Office for Civil Rights is responsible for enforcing this rule. The potential consequences of failing to comply with HIPAA’s privacy, security and breach notification requirements range from the cost of investigation and corrective action as part of an informal resolution to significant civil and criminal penalties imposed by the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). Civil penalties range from $110 to $55,010 for each violation (with a cap of $1,650,300 for violations of an identical provision within a calendar year). Criminal penalties include possible imprisonment of up to one year and fines of up to $50,000 for knowing violations of the HIPAA privacy, security, or breach notification rules, with significantly higher potential penalties if the offense is committed under false pretenses or for commercial advantage, personal gain, or malicious harm.

The privacy regulation has three major purposes:

  • To protect and enhance the rights of consumers by providing them access to their health information and controlling the appropriate use of that information;
  • To improve the quality of health care in the United States by restoring trust in the health care system among consumers, health care professionals and the many organizations and individuals committed to the delivery of health care; and
  • To improve the efficiency and effectiveness of health care delivery by creating a national framework for health, privacy and protection.

Medicaid and Privacy - Updated 01/25/17

PeachCare for Kids® and Privacy - Updated 01/25/17

State Health Benefit Plan and Privacy - Updated 2/8/18

Privacy Resources

The following resources provide information about the Privacy Rule, as well as about other provisions of HIPAA.

Relevant Web Sites

Other Resources