HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, a United States federal law enacted on August 21, 1996. It established statutory requirements for health insurance portability and, under its Administrative Simplification provisions, authorized the federal regulations that standardize electronic healthcare transactions and protect health information.
The term is commonly used as shorthand for the compliance framework created by the regulations issued under HIPAA’s Administrative Simplification authority. These include the HIPAA Privacy Rule, which governs permitted uses and disclosures of protected health information and establishes individuals’ rights over that information; the HIPAA Security Rule, which sets requirements for administrative, physical, and technical safeguards for electronic protected health information; and the HIPAA Breach Notification Rule, which requires notification of affected individuals, the Secretary of Health and Human Services, and in some cases the media when unsecured protected health information is compromised. "Unsecured" is the operative word: protected health information that has been rendered unusable, unreadable, or indecipherable through encryption or destruction consistent with HHS guidance is outside the notification requirement, so loss of a properly encrypted device or file is not by itself a reportable breach.
HIPAA compliance obligations apply directly to covered entities (healthcare providers that conduct standard electronic transactions, health plans, and healthcare clearinghouses) and extend to business associates, the vendors that create, receive, maintain, or transmit protected health information on behalf of a covered entity. A business associate must be bound by a written business associate agreement and, since the 2013 Omnibus Rule implementing the HITECH Act, is directly liable for compliance with the Security Rule and the applicable parts of the Privacy Rule; a subcontractor of a business associate that handles protected health information is a business associate in turn. Compliance responsibility is therefore shared between regulated healthcare organizations and the vendors that support them, such as electronic health record hosting, billing services, secure communications, and managed IT support with access to protected health information.
HIPAA defines protected health information as individually identifiable health information that relates to an individual’s past, present, or future physical or mental health condition, the provision of healthcare to the individual, or payment for that care, and that is created, received, maintained, or transmitted by a covered entity or business associate in any form or medium. The Privacy Rule applies to protected health information in oral, paper, and electronic form. The Security Rule applies only to electronic protected health information. Its administrative safeguards require an accurate and thorough risk analysis of the risks to the confidentiality, integrity, and availability of electronic protected health information, followed by risk management measures that reduce those risks to a reasonable and appropriate level; its technical safeguards cover access control, audit controls, integrity protection, person or entity authentication, and transmission security. Each implementation specification is either required or addressable. An addressable specification is not optional: the organization must implement it, implement an equivalent alternative, or document why it is not reasonable and appropriate in its environment, and that decision has to be recorded.
The acronym is also associated with enforcement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which investigates complaints and reported breaches, conducts compliance reviews, and can require corrective action plans and impose civil monetary penalties; state attorneys general may also bring civil actions under the HITECH Act. For regulated organizations, HIPAA is implemented through written policies and procedures, workforce training, access provisioning and monitoring, vendor contracting and oversight, incident response processes, and retained documentation (policies, risk analyses, and related records must be kept for six years from creation or last effective date) that supports audits and investigations.
