HIPAA is a United States federal law enacted in 1996. Through its Administrative Simplification provisions and implementing regulations, it sets national requirements for HIPAA Covered Entities and Business Associates to standardize certain electronic healthcare transactions and to protect the privacy and security of protected health information under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, and it establishes individual rights and enforcement mechanisms.
HIPAA is a statute passed by Congress, and many day-to-day compliance obligations arise from federal regulations issued by the U.S. Department of Health and Human Services. The law includes provisions addressing health insurance portability and continuity of coverage, healthcare fraud and abuse, and Administrative Simplification. In compliance practice, HIPAA most often refers to the Administrative Simplification framework that governs how regulated entities use, disclose, safeguard, and report issues involving protected health information.
HIPAA applies to HIPAA Covered Entities, which include health plans, healthcare clearinghouses, and healthcare providers that conduct certain covered transactions electronically. HIPAA also applies to Business Associates, which are persons or organizations that create, receive, maintain, or transmit protected health information on behalf of a HIPAA Covered Entity for functions such as billing, claims processing, data analytics, legal services, cloud hosting, and other services that involve protected health information. Business Associates are directly regulated for applicable requirements and are also bound by contract through business associate agreements that define permitted uses and disclosures and require safeguards and breach reporting.
Protected health information is individually identifiable health information that relates to an individual’s health condition, the provision of healthcare, or payment for healthcare, when the information is held or transmitted by a HIPAA Covered Entity or Business Associate in any form or medium. HIPAA focuses on information about human individuals. The same data elements may or may not be protected health information depending on context, identifiability, and whether the holder is a regulated entity acting within a regulated function.
The HIPAA Privacy Rule establishes standards for how protected health information may be used and disclosed and provides individual rights. It permits uses and disclosures for treatment, payment, and healthcare operations without patient authorization, subject to conditions and, in many circumstances, limitations under the HIPAA Minimum Necessary Rule. It also permits certain public interest disclosures, such as those required by law and certain public health activities, when regulatory conditions are met. The HIPAA Privacy Rule also requires covered entities to provide a notice of privacy practices and to implement policies and procedures that support compliant handling of protected health information.
Individual rights under the HIPAA Privacy Rule include the right to access protected health information in the designated record set, the right to request amendments in specified circumstances, and the right to obtain an accounting of certain disclosures. Individuals may request restrictions in limited situations and may request confidential communications by alternative means or at alternative locations. These rights drive operational requirements for identity verification, response time tracking, documentation, and workforce training so that staff actions are consistent with policy and regulatory expectations.
The HIPAA Security Rule applies to electronic protected health information and requires covered entities and business associates to implement administrative, physical, and technical safeguards. Compliance programs use a risk analysis and risk management process to identify reasonably anticipated threats and vulnerabilities and to apply reasonable and appropriate measures to protect the confidentiality, integrity, and availability of electronic protected health information. Security controls often address access management, audit controls, transmission security, device and media handling, workforce security, and incident response practices aligned with documented procedures.
The HIPAA Breach Notification Rule establishes requirements for notifications following breaches of unsecured protected health information. When an impermissible use or disclosure occurs, regulated entities evaluate whether the incident meets the breach definition and whether notification is required to affected individuals, to the Secretary of Health and Human Services, and, in certain circumstances, to the media. The rule also drives documentation expectations for incident assessment, mitigation steps, and notification actions or determinations.
Enforcement is administered by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) for most HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule matters. OCR investigations and compliance reviews can lead to corrective action requirements, resolution agreements, and civil money penalties depending on the facts, including the nature of the violation, the extent of harm, and the entity’s compliance posture. A defensible compliance program maintains written policies and procedures, workforce training records, risk analysis documentation, access logs where applicable, and incident response records that support consistent operations and timely remediation.
