This paper discusses the need for accountability for HIPAA regulations in the insurance industry. HIPAA, the Health Insurance Portability and Accountability Act of 1996, was established to protect the privacy and security of health information as it is shared by entities that are involved in the healthcare or insurance process. With the advent of electronic transmission standards in healthcare information, it became necessary to establish a basis for the appropriate handling of information, whether in paper or electronic form. The U.S. Department of Health and Human Services was tasked with developing these regulations and the Office for Civil Rights (OCR) is responsible for their enforcement. Those working with such sensitive information have an obligation to ensure its proper use and protect the privacy of patients. With penalties ranging from changes in policies to criminal prosecution, it is incumbent upon firms to educate their employees as to the laws and ensure that all levels of the organization are committed to its purpose.

Keywords: health information, electronic transmission, accountability, insurance

Accountability for HIPAA Compliance in the Insurance Industry


Individuals working in the insurance industry must work to ensure that the established federal regulations under the Health Insurance Portability and Accountability Act (HIPAA) are fully met. Accountability for the execution of these standards is not only a legal issue but an ethical one for firms that have access to personal health information. It is a strong sign of care and respect for the privacy of patients who rely on all entities involved in the sharing of this information to be trustworthy and fair. Managers must work to ensure that all employees are committed to this protection of privacy and are able to answer for any discrepancies which may occur in the process of the necessary sharing of health information.

Accountability for the Law

Accountability is the obligation of a person or firm to answer for their activities, accept responsibility for them, and disclose the results in a transparent manner (Estridge, 2019). Accountability is not a trait to be forced on others, but one to be nurtured by inspiring employees to emulate the traits that a manager should possess. A firm must set a strong example for its employees, one that fosters the willingness to own one’s successes and mistakes and to work towards improving compliance with HIPAA regulations in a timely manner. In order to foster this trait, a manager must be committed to the same in his or her own work and life.

History and Purpose of HIPAA

The Health Insurance Portability and Accountability Act was enacted on August 21, 1996, by the United States Department of Health and Human Services (HHS) to provide a basis upon which the use of medical information is regulated and individual privacy is respected. The Privacy Rule, published in December 2000 and finalized in August 2002, safeguards all “individually identifiable health information”. Its use is limited to the individual to whom it pertains and to the entities involved in treatment and the payment of benefits. Identifiable health information includes anything relating to a person’s physical or mental health and its treatment that could identify the individual, such as a name, address, date of birth, or Social Security Number (U.S. Department of Health & Human Services, 2019).

Protecting health information. As the electronic storage and transmission of information became more prevalent, the need to protect personal medical information came to the forefront. Medical information is often shared between health care providers, health insurance plans, billing services, claims providers, and other entities involved in the health care coverage process, who are all included in the law’s language as business associates (U.S. Department of Health & Human Services, 2019). Regardless of the reason for a firm’s access to personal health information, HIPAA compels all entities involved to limit the disclosure of protected health information to those who have a legitimate reason for its use.

Summary of the law. The Standards for Privacy of Individually Identifiable Health Information, also called the Privacy Rule, set out to establish national standards ensuring that a person’s health information is protected as it passes through the various stages of the health care process. The Office for Civil Rights (OCR), which is part of HHS, implements and enforces the Privacy Rule, including compliance reviews and any penalties associated with an improper disclosure (U.S. Department of Health & Human Services, 2019). Compliance with the Privacy Rule became mandatory on April 14, 2003 (HIPAA Journal, 2018).

The Rule was intended to be flexible regarding the incidental use of information, such as a physician’s discussion of a patient’s condition with family members in a waiting room, as long as reasonable action is taken to keep the patient’s identity from being disclosed in a public place (U.S. Department of Health & Human Services, 2019). This allows the physician to inform the patient’s family in a manner that keeps the patient’s privacy intact, without fear of violating the Privacy Rule.

When Regulations are not Followed

Insurance firms must take care to be aware of their responsibility for following the Privacy Rule and be proactive in addressing situations where a violation has occurred. These violations can take the form of providing more protected health information (PHI) than the minimum amount necessary, or of failing to report a breach in a timely manner. The OCR is able to resolve most instances by reviewing the firm’s plan to address the violations and the policies to be put into place to prevent future violations of the same nature (HIPAA Journal, 2015). Firms must show good faith towards rectifying the breach and show the OCR that they are actively working to improve their processes for protecting information.


When the violation is more severe in nature or recurring, the OCR has the power to levy fines on the firm involved. These fines are structured into a four-tier system, depending on the severity of the infraction and the extent to which it could reasonably have been avoided.

Fines. Tier One consists of infractions of which the firm was unaware and which could not have been avoided even with a reasonable amount of care. These fines range from $100 to $25,000 per violation, with an annual cap for each year that the issue persisted (Butler, 2019).

Tier Two includes violations of which the entity should have been aware but, even so, could not avoid. In 2017, the Lifespan health system stated in a news release that an employee’s vehicle was broken into and a work laptop was stolen. The laptop was not password protected, and the information of over 20,000 patients stored on it was not encrypted. While the firm’s reporting response was timely, nothing could be done about the potential misuse of the information. It was later confirmed that, while no financial information, medical records, or Social Security Numbers were exposed, patients’ names, partial addresses, and demographic information were visible. Lifespan’s investigation did not uncover evidence of the information being accessed, and no patients reported misuse of their information. Lifespan did change the employee’s login credentials and notified the impacted patients (HIPAA Journal, 2017). While the situation seems to have turned out fairly well for all involved, the employee had a responsibility not to leave an unprotected laptop in a parked vehicle, knowing that it contained sensitive information.

Tier Three includes violations that occur as a direct result of negligence of the HIPAA Rules, but where an attempt was made to correct the situation in a timely manner. Fines range from $10,000 to $50,000 per violation, capped at $250,000 per year that the issue persisted (Butler, 2019). If a firm can reasonably be expected to know about the rule, the violation could fall into this category. For instance, a firm may have a policy that, when medical records are disposed of, physical documents are placed into a locked receptacle and shredded (Dobran, 2018). Failure to do so shows that a process was in place to conform to the rules, but the individual involved did not follow the procedure meant to prevent the violation. If the issue is recurring, the firm could be facing fines.

Tier Four, the most serious category of infractions, consists of the “willful neglect” of HIPAA rules, with no attempt made to rectify the violation (HIPAA Journal, 2015). These violations might include instances such as a breakdown in the encryption of a firm’s computer software, as in the case of WellPoint, Inc., a managed care company whose database was exposed after an upgrade in late 2009 and early 2010. A consumer contacted WellPoint in February 2010, but the firm did not try to reach her until March and maintains that it could not reach her at that time. The breach came to light when the consumer filed a lawsuit against the company, and the firm was fined $1.7 million. The breach was not reported to the OCR until June of the same year, leading to the hefty fine (Goedert, 2013). The firm failed to plan for contingencies in the installation of the software upgrades and left information viewable over the internet. To add insult to injury, its response time to both the consumer and the OCR was appalling.

Criminal penalties. There are also instances where an individual can be subject to criminal penalties for failure to follow HIPAA regulations. In 2018, it was discovered that a behavioral analyst at an autism treatment center, Transformations Autism Treatment Center, had stolen personal health information via remote access after he was terminated from his position. After researching how to gain entry, Jeffrey Luke downloaded the files of over 300 patients from a Google Drive to his personal computer, even after his access had been revoked. He had also previously stolen patient data from a former employer. Upon pleading guilty, he was sentenced to thirty months in federal prison and three years of supervised release, and was ordered to pay $14,941.36 in restitution (U.S. Department of Justice, 2018).

Not only did his theft damage the reputation of his employer, but he also ended up with a criminal record and will likely not find employment in the health care industry at any time in the future. His blatant disregard for the law and lack of respect for patients only showcases the need for such regulations. Mr. Luke clearly felt no accountability to the law or towards the patients whose information he stole. While a person can be taught to be accountable, that person has to be willing to buy into the concept and uphold the values that it entails. Every person has free will, and the “allure of common vices” (Horn, 2017) can be a strong hurdle to climb. Perhaps because of his untimely exit from the company, Luke appears not to have been concerned about future follow-up from his superiors or the need to answer to them for his actions (Horn, 2017). Ultimately, he answered to the court for actions he had taken with no fear of the consequences.

Preemption of Federal Law

While HIPAA is federal law, there are instances where state law takes precedence over it. This preemption is most evident in certain states, notably in the field of psychiatry. HIPAA grants patients access to their medical records, with the exception of psychotherapy notes made by a patient’s psychologist. In Vermont, state law provides for patients to view these notes if they so request, and the psychologist is compelled to provide them (American Psychological Association, 2019). Because the state law grants more rights to the patient, it supersedes the HIPAA requirements. In Utah, the law requires a psychiatric patient to sign a consent form for the disclosure of previous records, while federal law contains no such provision (American Psychological Association, 2019). Since the state law provides better protection, psychiatrists and psychologists must obtain this written consent in order to be privy to the patient’s past mental health records.

Preemption of State Law

The reverse can also be true: the Privacy Rule can take precedence over established state law. In Delaware, the law states that physicians have forty-five days to fulfill a patient’s request for his or her medical records, assuming no prepayment was made for the copies. A similar law in Florida states that hospitals must provide a patient’s medical records “within a timely manner” (Health Information & the Law Project, 2012). The Privacy Rule declares that the physician or hospital must provide these records no later than thirty calendar days from the time of the request (U.S. Department of Health & Human Services, 2019). HIPAA clearly provides more rights to the individual in this instance; therefore, the state law is preempted by the Privacy Rule.

The main rule of thumb is that the law providing more rights and better privacy to the individual governs in a given situation. Twelve states currently have medical access laws that are more stringent than those required by HIPAA (Health Information & the Law Project, 2012). This places a large responsibility on the provider and his or her staff to be well-versed in how the differences in state rules affect the HIPAA regulations and what forms are needed to remain compliant with state laws. To assist mental health professionals in remaining compliant, the American Psychological Association (APA) Practice Organization and the APA Insurance Trust have developed resources, including state-specific forms (American Psychological Association, 2019).

Employer Additional Rules

It is not only those working in the medical field who must be vigilant regarding the privacy of personal medical information. Insurance carriers specializing in the property and casualty fields are also accountable for their compliance with HIPAA. Accountability is most noticeable in these areas when dealing with medical claims arising from an automobile accident or a natural disaster, such as a hurricane. Claim information can contain a description of the circumstances surrounding the claim, as well as personal medical information pertaining to the injuries sustained. This information should be encrypted and available only to those who need it for the processing and payment of claims.

Claims and Privacy

Medical bills may be forwarded to an insurance carrier to be paid, bringing that carrier and its employees into the scope of PHI privacy. The Administrative Simplification provisions of HIPAA are an opportunity for property and casualty insurers to get on board with compliance in the billing and payment of claims arising from medical occurrences (Greene, 2014). Non-legislative organizations, such as the Workgroup for Electronic Data Interchange (WEDI), the International Association of Industrial Accident Boards and Commissions (IAIABC), and the Accredited Standards Committee X12 (ASC X12) of the American National Standards Institute, are all working to develop eBilling standards that provide for HIPAA compliance (Greene, 2014). Insurance agents, brokers, and carriers must all work to ensure that private health information is handled in a secure manner and transmitted and stored in a way that supports the Privacy Rule.

Accountability is a Continuing Process

The process of ensuring that all staff members are taking HIPAA rules seriously in the administration of insurance can seem like a daunting task. It involves soliciting a commitment from all involved to support the law and protect the personal information of those individuals that they ultimately serve. There are several ways that a firm’s management can ensure that a commitment is made by those handling such information. Mistakes will inevitably be made, but open discussion and training can be useful in correcting them.

Choosing the Right Staff

One aspect of maintaining accountability involves making the right staffing choices by selecting candidates who have demonstrated such a commitment in past work experiences. Whether or not an employee has prior experience in the insurance industry, there must be a solid foundation for ethical practices in the workplace and in life in general. Conducting relaxed but informative interviews can help in establishing a foundation of trust. Employers should be realistic during these interviews as to the scope of work to be done and the need to be accountable for privacy regulations in the conduct of business. Hiring decisions should be made with some thought to the character of the individual, with feedback from a senior member of the team being helpful in determining the candidate’s fit with the values of the organization.

Leading by Example

Accountability must start at the top of the organization and be fostered all the way down to the most junior employees. A manager who does not believe in holding himself accountable will not be able to inspire others to follow the accountability path (Estridge, 2019). An open-door policy towards employees can greatly assist in their confidence to approach managers when a potential violation is found and to correct the matter.

Education of Staff

Foremost is the need for education of employees as to the culture of the organization and its commitment to the established laws. The firm should offer training to those handling PHI, just as it would for any other tasks performed. The Office for Civil Rights provides a video training module on the components of HIPAA and the patient’s privacy rights (U.S. Department of Health & Human Services, 2019). The Office of the National Coordinator for Health Information Technology has made available information on maintaining the security of electronic health information (The Office of the National Coordinator for Health Information Technology (ONC), 2019).

Continuing education. Online courses are available for HIPAA compliance and certification, which can be utilized by employers to educate their staff. Continuing education classes can be offered as part of the firm’s budget to help those who are licensed or certified maintain their licensure and keep updated on the latest industry developments and changes to federal regulations. For those dealing with state-specific laws, a firm’s intranet can be a valuable repository for information, as well as a quick and easy reference point. Firms using SharePoint can upload documents and forms that may be used in the process of meeting state regulations, obtaining necessary authorizations, and making required disclosures (Microsoft, 2019).

Mentoring. Firms may find it invaluable to use the mentoring process in assisting new employees with coming up to speed on HIPAA regulations. Mentoring involves an employee with more experience helping a worker with less experience to learn the duties to be performed in the course of their job (Griffin, Phillips, & Gully, 2017). Experienced employees have a great wealth of knowledge to offer newer workers and can offer tips on how to keep all the rules in line, where to look to find important information, and how to break job duties down into smaller tasks. Because a manager is often limited in the time he or she can spend with a subordinate, a mentor can be just as valuable to someone just learning the job. Their daily, hands-on experience with the quirks of the position can help new recruits adjust more quickly to the rigors of handling personal health information.

Conversely, younger staff members can also be mentors to their older counterparts. Younger workers are more tech-savvy and can be of help to their coworkers in instances where electronic submissions of health information are needed. They may more readily notice problems with submission security and be better able to suggest fixes than those who are not as well-versed or comfortable with working on computers. While personal computers have been available for quite some time, there are still people who are uncomfortable with them and prefer to rely on the old standard of paper files. This may not always be practical in the work setting, making for a frustrating situation for those “old school” employees. Younger workers can help their coworkers more fully embrace the computer age and perhaps encourage them to ditch the paper and use encrypted, electronic means to ensure prompt disclosure and release of information.

Committing to the Process

As more millennials enter the workforce, there is a greater need to show understanding and the willingness to “talk it out” when an issue of noncompliance arises. Gone are the days when employees will work for a fire-and-brimstone supervisor and “toe the line” out of fear of losing their livelihood. Today’s young workers would much rather move on to another firm than work on a team where they feel browbeaten, unappreciated, and unable to relate to their superiors (Estridge, 2019). Getting these workers to buy into accountability means setting a good example and being open to hearing out their concerns. It involves being open to new ways of conducting business, provided that the business still abides by the law. Dialogue should be a two-way conversation, as opposed to a demand to “get it done.”

Perspectives. Accountability can come from two different perspectives. It can come from the urgency of being liable to answer for one’s work, or from the willingness to claim complete ownership of the results of one’s work. Managers who lead from the liability perspective will more likely lead their employees through fear. Workers will do things for fear of repercussions and will inevitably make senseless mistakes. They may even begin to resent this approach and actively seek ways to undermine the firm, as in the above-mentioned case of PHI theft. Those who lead from the perspective of a worker owning his work are more likely to create an environment where others feel safe enough to share ideas and to bring problems to the table in a timely manner (Spell, 2015). The attitude of the team leader has the power to set the tone for the whole group, and managers should be as aware as possible of how their attitude towards work and accountability is expressed to their staff.

Start with leaders. Managers must start with themselves when working towards greater organizational accountability for HIPAA regulations. While it is not always comfortable to hold oneself and others accountable for their work, it is necessary for the well-being of the firm. There are several skills that managers can work on developing in themselves to help with greater accountability.

Ways to Inspire Accountability

Managers can assist in the progress of accountability by offering feedback to employees in a timely manner. Whether the feedback is positive or negative in nature, employees will be motivated to either continue performing at an exceptional level or to make improvements based on the information that they are given by their supervisor. Everyone likes to hear when they are doing a great job, and many still want to hear how they can improve when things are not going as well as expected.

Feedback. The important point is to offer sincere feedback that comes from a place of genuinely wanting to help employees to succeed (Rusche, 2017). Even in situations where feedback may be negative, it is best to broach the subject as soon as possible, so as not to allow too much time to pass. If too much time goes by, the employee may not remember the circumstances around the specific issue and will be less likely to take constructive criticism in the manner in which it is intended. Managers should make a point to offer positive feedback whenever possible, to show employees that their efforts are seen just as much as their errors might be seen.

Meetings. A good way to encourage timely feedback and support team accountability is to make it a part of daily work life. Scheduling team meetings on a consistent basis can allow employees to gather their input and have the opportunity to present their ideas in a group setting. They may be able to better speak on what is not working and how to keep the firm in compliance with HIPAA rules. One-on-one meetings with team members can be ideal when issues arise that are more specific to an employee’s performance (Rusche, 2017). They offer a great chance to give both constructive criticism and to applaud a job well done when a group setting is not appropriate. On an organizational level, periodic town hall meetings can be used to reiterate any updates to state or federal regulations that may occur and keep them fresh in the minds of the team.

Clarify roles. Each team member should have a clearly defined concept of their role within the firm. When employees know what tasks they are responsible for achieving, they are more likely to take ownership of those tasks and be accountable for their output (Browning, 2012). Job descriptions can be the first step in giving employees a clear idea of their role, but it is well-known that workers can and will be asked to perform work that sometimes falls outside of this defined role. When adding new duties, it is important to voice expectations, so that employees understand the accountability for these additional tasks. Managers should take time to answer any questions that will assist in clarifying the role or the reasoning behind its adoption, especially should it involve tightening compliance with HIPAA regulations or making changes due to a previous violation.

Not about punishment. Every human being will make mistakes at some point in their professional life. A good manager will express to employees that mistakes are a normal part of any learning process, and as such, punishing someone for a mistake is not the ultimate goal of a firm that values its workers. If a manager can have the attitude that mistakes should be addressed and resolved without demeaning another person, that manager will have won part of the battle to get employees to accept accountability for their work. Workers are more likely to respond positively in an environment where they are solicited for their insight on how to address a problem, rather than being berated for causing the issue (Texas A&M University-Corpus Christi, 2016).

Not about blame. It sometimes occurs that an employee will attempt to shift responsibility for a mistake from themselves by putting blame on another worker. A good manager should be able to differentiate between the responsibilities of each employee and thwart any attempts to move blame by fostering open communication with all staff. Consistent communication with employees can be helpful in reducing instances of team members feeling the need to shift responsibility to a coworker to avoid answering for their own failures.

In cases where errors were caused by more than one team member, each member should be held accountable for his or her part in the error and should assist in working towards a resolution that benefits the entire team and alleviates any government penalties the error might cause. Working to “bulletproof” one’s staff, instead of shielding them from the inevitability of mistakes being made, will help them to develop a tougher shell and a better attitude about dealing with setbacks and mistakes (Wakeman, 2015).


Those working in the insurance industry have a hefty commitment to uphold the laws set forth in the Health Insurance Portability and Accountability Act. Inherent personal integrity can go a long way towards gaining accountability, but managers can also inspire their employees to work towards this goal by setting a good example. Managers have a duty to employees to provide training, encouragement, and feedback in the endeavor for compliance with the law. Not only will this foster care for employees, but it will also assist in employees buying into the protection of the personal health information of the patients that they ultimately serve. This, in turn, can put the organization itself in good standing with the Privacy Rules that were established to protect the rights of the individual.


  • American Psychological Association. (2019). What takes precedence: HIPAA or state law? Retrieved from
  • Browning, H. (2012, February 28). 7 Ways to Build Accountable Organizations. Retrieved from
  • Butler, M. (2019, April 30). HHS Lowers Maximum Fines Set for HIPAA Violations. Retrieved from
  • Dobran, B. (2018, July 19). What are HIPAA Violations? What Are The Fines or Penalties? Retrieved from
  • Estridge, K. (2019). Inspire Accountability: The Breakthrough Workplace Transformation for 21st Century Leaders In The Age of Millenials. Charleston: Advantage.
  • Goedert, J. (2013, July 12). HHS Fines WellPoint $1.7 Million for a Major Breach of PHI. Retrieved from
  • Greene, T. (2014, February 4). Property and Casualty Alignment with HIPAA. Retrieved from
  • Griffin, R. W., Phillips, J. M., & Gully, S. M. (2017). Organizational Behavior: Managing People and Organizations (12th ed.). Boston: Cengage Learning.
  • Health Information & the Law Project. (2012). Individual Access to Medical Records: 50 State Comparison. Retrieved from
  • HIPAA Journal. (2015, June 24). What are the Penalties for HIPAA Violations? Retrieved from
  • HIPAA Journal. (2017, April 25). Lifespan Laptop Theft Exposes ePHI of 20,000 Patients. Retrieved from
  • HIPAA Journal. (2018, March 16). When Did HIPAA Take Effect? Retrieved from
  • Horn, A. (2017). Throw Your Stuff Off The Plane: Achieving Accountability in Business and Life. Toronto: Dundurn.
  • Microsoft. (2019). What is SharePoint? Retrieved from
  • Rusche, B. (2017, December 30). How to make accountability a core part of your workplace culture. Retrieved from
  • Spell, E. (2015, May). ACCOUNTABILITY IN THE WORKPLACE. AgriMarketing, 53(4), p. 16. Retrieved from
  • Texas A&M University-Corpus Christi. (2016, June 3). Accountability in the Workplace. Retrieved from
  • The Office of the National Coordinator for Health Information Technology (ONC). (2019). Health IT Privacy and Security Resources for Providers. Retrieved from
  • U.S. Department of Health & Human Services. (2019). Incidental Uses and Disclosures. Retrieved from
  • U.S. Department of Health & Human Services. (2019). Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524. Retrieved from
  • U.S. Department of Health & Human Services. (2019). Summary of the HIPAA Privacy Rule. Retrieved from
  • U.S. Department of Health & Human Services. (2019). Training Materials. Retrieved from
  • U.S. Department of Justice. (2018, March 2). Ex-Employee Sentenced for Stealing Personal Information from the Cloud. Retrieved from
  • Wakeman, C. (2015, October 26). Personal Accountability And The Pursuit Of Workplace Happiness. Retrieved from

Appendix A

Health Information & the Law Project (2012)’s

Individual Access to Medical Records: 50 State Comparison