Healthcare providers, insurers, and the companies that support them handle some of the most sensitive data there is, including medical histories, diagnoses, insurance details, and personal identifiers. In the United States, that information is protected under a federal law known as HIPAA.
If your organization qualifies as a covered entity or business associate under HIPAA, compliance is not optional. This guide explains what HIPAA means, why it exists, who it applies to, what it protects, and how to achieve compliance.
What does HIPAA mean?
HIPAA stands for the Health Insurance Portability and Accountability Act, a U.S. federal law enacted in 1996. It is most widely recognized for establishing national standards to protect sensitive health information.
HIPAA regulates how protected health information (PHI) is created, stored, accessed, transmitted, and disclosed. It sets requirements for administrative, physical, and technical safeguards for the confidentiality, integrity, and availability of health data.
The law also defines who may access this information, under what circumstances it can be shared, and the responsibilities of covered entities and business associates in safeguarding health-related data.
Why was HIPAA created?
HIPAA was established to address several core issues within the healthcare system. Its primary purposes include:
Improving health insurance portability
One of HIPAA’s primary purposes was to help individuals maintain health insurance coverage when changing or losing employment. The law introduced federal limits on preexisting condition exclusions and established standards that reduced coverage disruptions between employer-sponsored group health plans.
Combating healthcare fraud and abuse
HIPAA included provisions aimed at strengthening enforcement against fraud, abuse, and improper billing practices within the healthcare system. These measures expanded federal oversight and introduced penalties intended to reduce waste and abuse in health insurance and healthcare delivery.
Simplifying and standardizing healthcare administration
Through its Administrative Simplification provisions, HIPAA required the development of national standards for certain electronic healthcare transactions, code sets, and unique identifiers. These standards were designed to improve consistency, reduce administrative costs, and streamline the exchange of health-related financial and administrative data.
Establishing national privacy and security standards
As healthcare records increasingly shifted to electronic formats, the need for formal data protection standards became more urgent. HIPAA directed the development of national privacy and security rules, including the HIPAA Privacy Rule and Security Rule, which define how protected health information must be safeguarded.
Supporting broader healthcare and insurance reforms
HIPAA also included additional provisions addressing areas such as long-term care insurance and certain tax-related medical savings arrangements. While these elements are less central to modern compliance frameworks, they formed part of the law’s broader effort to reform aspects of the healthcare and insurance system.
What does HIPAA protect?
HIPAA governs protected health information, which refers to individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate. The law applies when the information relates to an individual’s health condition, the provision of care, or payment for healthcare, and can reasonably identify that person.
What qualifies as PHI?
PHI includes information linked to identifiers such as:
- Names
- Geographic details smaller than a state
- Dates related to an individual
- Contact information
- Medical record numbers
- Account numbers
- Biometric identifiers
- Other unique identifying characteristics
If the information can identify an individual on its own or when combined with other data, it falls within HIPAA’s scope. Information that has been properly de-identified according to regulatory standards is no longer considered PHI. HIPAA also does not apply to employment records maintained by an employer in its role as an employer.
What about ePHI?
When PHI is created, stored, accessed, or transmitted electronically, it is classified as electronic protected health information (ePHI). The HIPAA Security Rule establishes requirements for safeguarding ePHI through administrative, physical, and technical measures designed to preserve confidentiality, integrity, and availability.
Who must comply with HIPAA?
HIPAA applies only to specific types of entities that handle health information:
Covered entities
Covered entities fall into three groups:
- Healthcare providers that furnish medical services and transmit health information electronically in connection with standardized transactions
- Health plans that provide or pay for medical care
- Healthcare clearinghouses that convert nonstandard health information into standardized formats in connection with covered transactions
Business associates
Business associates are individuals or organizations that perform services on behalf of a covered entity and require access to PHI to do so, such as billing companies, IT vendors, consultants, or cloud service providers. They are directly subject to HIPAA requirements and must implement safeguards under a written business associate agreement (BAA).
Business associate subcontractors
A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is treated as a business associate under HIPAA. Compliance obligations extend downstream when PHI flows through service arrangements. These subcontractors must implement safeguards under written agreements governing how PHI is handled.
Key HIPAA rules and requirements
HIPAA is implemented through four primary rules that together establish its compliance framework:
The Privacy Rule
The Privacy Rule governs how PHI may be used and disclosed and establishes patient rights. It covers:
- Permitted uses and disclosures without authorization
- Circumstances requiring written authorization
- Individuals’ rights to access, obtain copies of, and request amendments to their health information
The Security Rule
The Security Rule applies specifically to electronic protected health information (ePHI). It requires organizations to implement safeguards across three categories:
- Administrative safeguards (risk assessments, workforce training, policies)
- Physical safeguards (facility access controls, workstation protections)
- Technical safeguards (access controls, encryption, audit controls)
The Breach Notification Rule
The Breach Notification Rule defines what constitutes a breach of unsecured PHI and outlines notification obligations. It requires:
- Notification to affected individuals
- Notification to the Department of Health and Human Services
- Media notification in certain large-scale breach situations
The Enforcement Rule
The Enforcement Rule establishes how HIPAA compliance is investigated and enforced. It includes:
- Procedures for handling complaints and compliance reviews
- Authority for the Office for Civil Rights to investigate violations
- Civil monetary penalties for non-compliance
HIPAA vs HITECH vs HITRUST
Though often mentioned together, HIPAA, HITECH, and HITRUST serve different roles in healthcare compliance. The table below outlines their key differences:
| | HIPAA | HITECH | HITRUST |
| --- | --- | --- | --- |
| Legal status | U.S. federal law enacted in 1996 | U.S. federal law enacted in 2009 as part of the American Recovery and Reinvestment Act | Private security and compliance framework developed by the HITRUST Alliance |
| Primary function | Establishes national standards for the privacy and security of PHI | Amends and strengthens HIPAA, expands enforcement, and promotes adoption of electronic health records | Provides a certifiable framework integrating multiple regulatory and security standards |
| Applicability | Covered entities and business associates | Applies to the same regulated entities through amendments to HIPAA | Voluntary for organizations seeking certification |
| Enforcement | Enforced by the U.S. Department of Health and Human Services (Office for Civil Rights) | Enforced by HHS; increases penalties and oversight mechanisms under HIPAA | Not enforced by the government; certification assessed by authorized external assessors |
| Certification | No formal government certification | No formal government certification | Organizations may obtain HITRUST certification |
Consequences of HIPAA non-compliance
Failure to comply with HIPAA can result in:
- Civil monetary penalties: The U.S. Department of Health and Human Services, through the Office for Civil Rights, may impose civil monetary penalties for violations based on the level of culpability, ranging from unintentional violations to willful neglect.
- Criminal penalties: In certain cases involving intentional misuse or wrongful disclosure of protected health information, criminal penalties may apply. These cases are typically referred to the U.S. Department of Justice and may result in fines or imprisonment.
- Corrective action plans and compliance monitoring: Organizations found in violation may be required to enter into corrective action plans. These plans typically require policy revisions, workforce retraining, enhanced monitoring, and regular reporting to regulators.
- Reputational and operational impact: Beyond regulatory penalties, HIPAA violations can result in loss of trust, contractual disputes, and operational disruption. Public breach notifications may affect relationships with patients, partners, and stakeholders.
HIPAA compliance checklist
HIPAA compliance requires ongoing administrative, technical, and operational safeguards. Here are the core requirements organizations should address:
- Conduct a risk analysis to identify potential vulnerabilities to protected health information.
- Implement risk management measures to reduce identified risks to a reasonable and appropriate level.
- Designate a privacy and security official responsible for overseeing HIPAA compliance efforts.
- Develop and maintain written policies and procedures addressing privacy, security, and breach response.
- Train workforce members on HIPAA requirements and organizational policies.
- Establish access controls to limit PHI access to authorized individuals.
- Implement technical safeguards such as authentication mechanisms, audit controls, and data protection measures for electronic PHI (ePHI).
- Execute business associate agreements (BAAs) with vendors or service providers that handle PHI.
- Establish breach notification procedures consistent with regulatory requirements.
- Document compliance efforts and maintain records as required under HIPAA.
Frequently asked questions
HIPAA was enacted to improve health insurance portability, combat healthcare fraud and abuse, standardize certain healthcare transactions, and establish national privacy and security standards for protected health information. Today, it is primarily recognized for regulating how health information is used, disclosed, and safeguarded.
HIPAA applies to covered entities, including certain healthcare providers, health plans, and healthcare clearinghouses, as well as business associates and their subcontractors that create, receive, maintain, or transmit protected health information on their behalf.
HIPAA is implemented through four primary rules: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. Together, these rules establish standards for how protected health information must be handled, secured, disclosed, and enforced.
Yes, HIPAA applies to regulated entities operating within the United States. However, foreign organizations may also be subject to HIPAA if they qualify as covered entities or business associates in relation to U.S.-based healthcare operations.