HIPAA is a federal law enacted by the United States Congress and signed by the President in 1996, and it is implemented through federal regulations issued by the U.S. Department of Health and Human Services that establish nationwide requirements for protecting and managing protected health information.
HIPAA is the Health Insurance Portability and Accountability Act of 1996. The statute includes provisions on health insurance portability and related reforms and directs the U.S. Department of Health and Human Services to adopt standards for electronic health care transactions and to establish related privacy and security standards. The operational compliance obligations followed by regulated organizations are set out in federal regulations, including the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, which are published in the Code of Federal Regulations.
The HIPAA Privacy Rule regulates the use and disclosure of protected health information and establishes patient rights, including access and amendment rights under defined conditions. The HIPAA Security Rule applies to electronic protected health information and requires administrative, physical, and technical safeguards that support confidentiality, integrity, and availability. The HIPAA Breach Notification Rule requires notifications following certain breaches of unsecured protected health information, with timelines and content requirements that vary by the type of notification and the size of the incident.
HIPAA applies to HIPAA Covered Entities and Business Associates. HIPAA Covered Entities include health plans, health care clearinghouses, and health care providers that conduct specified electronic transactions. Business Associates are persons or entities that create, receive, maintain, or transmit protected health information on behalf of a HIPAA Covered Entity to perform regulated functions or services, and Business Associate subcontractors can also fall within scope when they handle protected health information for those functions.
HIPAA operates as a national baseline. The HIPAA Privacy Rule establishes a federal floor of privacy protections, and state laws that provide greater privacy protections or greater individual rights regarding individually identifiable health information can remain enforceable alongside HIPAA. When both apply, regulated entities apply HIPAA and the stricter state requirement for the subject matter at issue, using policies, workforce training, and procedures that reflect the applicable jurisdictional rules.
Federal enforcement is also part of the HIPAA framework. Within the U.S. Department of Health and Human Services, the Office for Civil Rights enforces the HIPAA Privacy Rule and HIPAA Security Rule through investigations and compliance actions, and criminal conduct involving wrongful handling of individually identifiable health information can be referred for prosecution. Separate HIPAA Administrative Simplification standards for transactions and code sets are enforced through a different federal process.
HIPAA’s status as a federal law does not depend on state adoption or participation, and compliance duties continue unless and until federal law or federal regulations are amended through the applicable legislative or rulemaking process.