Health Insurance Portability and Accountability Act — the federal standard governing the privacy and security of protected health information.
HIPAA is the federal law that establishes national standards to protect individuals' medical records and other individually identifiable health information — collectively known as "protected health information" (PHI).
Signed into law by President Bill Clinton on August 21, 1996, HIPAA was originally designed to ensure that workers could maintain health insurance coverage between jobs (portability) and to reduce administrative costs in the healthcare industry (accountability). Over time, its privacy and security provisions have become its most prominent and impactful elements.
The law is implemented through a series of regulatory rules issued by the U.S. Department of Health and Human Services (HHS). The two most significant are the Privacy Rule (effective April 14, 2003) and the Security Rule (effective April 21, 2005). The Breach Notification Rule, added by the HITECH Act in 2009, and the Omnibus Rule of 2013 further expanded the law's reach — most notably extending HIPAA's obligations directly to business associates and their subcontractors.
The Office for Civil Rights (OCR) within HHS is the primary enforcement body. It investigates complaints, conducts compliance audits, and may impose civil monetary penalties for violations. In cases of willful neglect or criminal conduct, the Department of Justice may also bring criminal charges.
Note: "HIPAA" is the correct spelling (Health Insurance Portability and Accountability Act). The common misspelling "HIPPA" does not refer to any law.
Privacy Rule: Establishes national standards for the protection of PHI. Defines when covered entities may use or disclose PHI, and grants patients rights over their health information. Effective April 14, 2003.
Security Rule: Requires covered entities and BAs to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Effective April 21, 2005.
Breach Notification Rule: Requires covered entities to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI. Timelines are strict: individuals must be notified within 60 days of discovery; HHS receives either a 60-day notice or an annual report, depending on the number of individuals affected.
Enforcement Rule: Establishes procedures for investigations, hearings, and penalties for HIPAA violations. Provides OCR authority to impose civil monetary penalties and refer criminal matters to the DOJ. Sets out the tiered penalty structure.
Omnibus Rule: Expanded the scope of HIPAA to directly apply to business associates and their subcontractors. Strengthened patients' rights, increased penalties, and incorporated HITECH Act requirements. Effective March 26, 2013.
PHI is any information held or transmitted by a covered entity or its business associate that relates to an individual's past, present, or future physical or mental health condition, the provision of health care, or payment for health care — and that can reasonably identify the individual. It applies in any form: electronic (ePHI), paper, or oral.
Under the Safe Harbor de-identification method (45 C.F.R. § 164.514(b)), a covered entity must remove all 18 categories of identifiers to render information non-PHI. These include: names, geographic data smaller than state, dates (except year) directly related to an individual, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, VINs and serial numbers, device identifiers, URLs, IP addresses, biometric identifiers (fingerprints, voice prints), full-face photos, and any other unique identifying number, characteristic, or code.
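As an added illustration of the Safe Harbor step (example code written for this page, not from the regulation text or any vendor tool): a small Python de-identifier that drops the listed identifier fields, reduces dates to the year, aggregates ages over 89 to "90+" (the rule's treatment of ages, which goes beyond the list above), and scrubs identifiers embedded in free-text notes. Field names, regex patterns and the sample record are constructed assumptions; the code implements only the identifier-removal step, not the rule's separate "no actual knowledge" condition.

```python
import re

# Constructed field names for the Safe Harbor identifier categories on the page
# (a real designated record set would map its own schema onto these).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vin", "device_id",
    "url", "ip", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}   # ISO "YYYY-MM-DD" assumed

# Identifiers that hide inside free-text fields such as clinical notes.
# Constructed, non-exhaustive patterns; SSN runs before PHONE so a 3-2-4 SSN
# is never partially consumed by the looser phone pattern.
FREE_TEXT_PATTERNS = [
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("[EMAIL]", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("[URL]", re.compile(r"https?://\S+", re.IGNORECASE)),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

def scrub_text(text: str) -> str:
    """Replace identifiers embedded in free text with category tokens."""
    for token, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def deidentify(record: dict) -> dict:
    """Return a copy of the record with identifier fields removed, dates reduced
    to the year, ages over 89 aggregated to "90+", and free text scrubbed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # drop the field entirely
        if key in DATE_FIELDS:
            out[key] = str(value)[:4]                 # keep only the year
        elif key == "age":
            out[key] = "90+" if value > 89 else value
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value                          # state-level geography etc. stays
    return out

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example", "state": "OH", "zip": "43210", "age": 92,
    "dob": "1931-04-02", "ssn": "123-45-6789", "diagnosis": "Type 2 diabetes",
    "note": "Called patient at 614-555-0199; SSN 123-45-6789 confirmed via jane@example.com.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```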
HIPAA applies to covered entities directly and, since the 2013 Omnibus Rule, to business associates and their subcontractors who create, receive, maintain, or transmit PHI on behalf of a covered entity.
Health plans: Organizations that provide or pay for the cost of medical care. HIPAA applies regardless of whether they are public or private.
Healthcare clearinghouses: Entities that process nonstandard health information received from another entity into standard data elements or vice versa.
Healthcare providers: Any provider who transmits health information electronically in connection with a transaction for which HHS has adopted standards.
Business associates: Persons or entities that perform functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. Must sign a Business Associate Agreement (BAA).
Subcontractors: Since the 2013 Omnibus Rule, subcontractors of business associates who create, receive, maintain, or transmit PHI are themselves directly subject to HIPAA. They must also execute BAAs with the business associate.
Many entities that handle health data are not subject to HIPAA and are instead governed by other federal or state privacy laws.
The Privacy Rule establishes the framework for when PHI may be used or disclosed. The general rule is that a covered entity may not use or disclose PHI without valid authorization — but there are important exceptions for treatment, payment, and healthcare operations (TPO), plus a range of public-interest uses.
The Security Rule requires covered entities and business associates to implement three categories of safeguards — Administrative, Physical, and Technical — to protect the confidentiality, integrity, and availability of all electronic PHI (ePHI) they create, receive, maintain, or transmit. Standards are a mix of required and addressable implementations.
A breach is, presumptively, any impermissible use or disclosure of unsecured PHI. Covered entities must overcome this presumption by demonstrating a low probability that PHI was compromised based on a four-factor risk assessment. If the presumption is not overcome, notification is required.
Notice to individuals: Written notice by first-class mail (or email with agreement). If 10 or more individuals have insufficient contact information, substitute notice via web or media is required.
Notice to HHS (500 or more individuals): For breaches affecting 500 or more individuals, notify HHS within 60 days of discovery. Notification is posted publicly on the HHS "Wall of Shame."
Notice to HHS (fewer than 500 individuals): For breaches affecting fewer than 500 individuals, covered entities may log breaches and submit an annual report to HHS within 60 days of the end of the calendar year.
Notice to the media: If a breach affects 500 or more residents of a single state or jurisdiction, covered entities must notify prominent media outlets serving that area.
To determine whether a breach has occurred, entities must evaluate: (1) the nature and extent of the PHI involved; (2) the identity of the unauthorized person who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated. If the risk assessment demonstrates low probability of compromise, breach notification is not required.
Three situations are not treated as breaches requiring notification: (1) an unintentional acquisition, access, or use of PHI by a workforce member acting in good faith; (2) an inadvertent disclosure of PHI by a person authorized to access it to another authorized person at the same entity; and (3) a disclosure to a recipient who in good faith would not reasonably be able to retain the PHI.
The HITECH Act (2009) dramatically strengthened HIPAA's penalty structure. OCR enforces HIPAA through complaint investigations, compliance reviews, and audits. The tiered civil monetary penalty system reflects the degree of culpability, ranging from unknowing violations to willful neglect.
Tier 1 (did not know): The covered entity did not know, and by exercising reasonable diligence would not have known, of the violation.
Tier 2 (reasonable cause): The violation was due to reasonable cause and not willful neglect; the entity knew or should have known of it but did not act with willful disregard.
Tier 3 (willful neglect, corrected): Willful neglect of HIPAA rules, but the covered entity corrected the violation within 30 days of discovery.
Tier 4 (willful neglect, not corrected): Willful neglect of HIPAA rules that was not corrected within 30 days. The highest civil penalty tier; OCR is required to impose a penalty.
Criminal penalties apply when a person knowingly obtains or discloses PHI in violation of HIPAA. Penalties scale from $50,000 / 1 year imprisonment for basic violations, to $100,000 / 5 years for offenses committed under false pretenses, to $250,000 / 10 years for offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
Right of access: Patients have the right to inspect and obtain a copy of their PHI in a designated record set. Covered entities must respond within 30 days (extendable once by 30 days). Since the 2021 HITECH rule update, providers must respond promptly when patients direct records to a third party through their EHR.
Right to amend: Patients may request amendments to PHI held in a designated record set if they believe the information is inaccurate or incomplete. Covered entities may deny the request under specific circumstances (e.g., if the record was not created by the entity).
Right to an accounting of disclosures: Patients may request an accounting of disclosures of their PHI for purposes other than treatment, payment, and operations. Covered entities must track non-TPO disclosures and provide a 6-year accounting upon request.
Right to request restrictions: Patients may request that a covered entity restrict certain uses or disclosures of their PHI. The entity is not required to agree, except when the patient pays out-of-pocket in full and requests that the item or service not be disclosed to a health plan.
Right to confidential communications: Patients may request that covered entities communicate with them by alternative means or at alternative locations. Healthcare providers must accommodate reasonable requests; health plans must comply if the individual states that disclosure could endanger them.
Right to a Notice of Privacy Practices: Patients have the right to receive a clear, written Notice of Privacy Practices (NPP) describing how their PHI may be used, their rights, and how to exercise them. Healthcare providers must make a good-faith effort to obtain written acknowledgment of receipt.
| Obligation | Type | Frequency | Details |
|---|---|---|---|
| Risk Analysis | Required | Ongoing / on change | Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by the entity. |
| Risk Management Plan | Required | Ongoing | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, documented in a written plan. |
| Notice of Privacy Practices (NPP) | Required | At first encounter; on material change | Provide patients with a written NPP describing how PHI is used/disclosed, their rights, and how to file complaints. Must be posted prominently at the facility and on the website. |
| Business Associate Agreements (BAA) | Required | Before PHI sharing | Execute a written BAA with every business associate before allowing them to create, receive, maintain, or transmit PHI on behalf of the covered entity. |
| Workforce Training | Required | At hire; periodically | Train all workforce members on HIPAA policies and procedures as necessary for them to carry out their job functions. Retrain when material changes occur. |
| HIPAA Privacy Officer Designation | Required | Standing appointment | Designate a Privacy Officer responsible for developing and implementing HIPAA privacy policies and procedures and receiving and processing privacy complaints. |
| HIPAA Security Officer Designation | Required | Standing appointment | Designate a Security Officer responsible for developing and implementing the entity's security policies and procedures relating to ePHI. |
| Breach Assessment & Notification | Required | Within 60 days of discovery | Assess all potential breaches using the four-factor risk assessment. Notify affected individuals, HHS, and (for 500+ breaches) prominent media as required. |
| Policy and Procedure Documentation | Required | Ongoing; retain 6 years | Implement and document written HIPAA privacy and security policies and procedures. Retain all documentation for 6 years from creation or last effective date. |
| Internal Audit Program | Best Practice | Annually | Conduct periodic internal audits and assessments of HIPAA compliance. OCR's audit protocol provides the benchmark used in formal compliance reviews. |
| Penetration Testing & Vulnerability Scans | Best Practice | Regularly | Perform regular technical vulnerability assessments and penetration tests on systems handling ePHI. Required indirectly as part of a complete risk management program. |
Don't treat the risk analysis as a one-time exercise. Conduct a thorough analysis at least annually and whenever significant environmental or operational changes occur. OCR's first inquiry in almost every investigation is whether a compliant risk analysis was performed.
While encryption is "addressable" under the Security Rule, in practice OCR treats unencrypted ePHI on a lost device as presumptive willful neglect. Encrypt all laptops, mobile devices, storage media, and data transmissions carrying ePHI.
Maintain a comprehensive inventory of all business associates. Execute a BAA before any PHI transfer occurs. Periodically review BAAs and assess each BA's security posture — you can face penalties for a BA's violations if you failed to take reasonable steps to cure the breach.
Human error — phishing clicks, misdirected emails, improper disposal — causes the majority of healthcare data breaches. Invest in ongoing, role-specific training, simulated phishing exercises, and a security-aware culture rather than annual checkbox training.
Develop and regularly test a detailed incident response plan that covers detection, containment, risk assessment, notification decisions, documentation, and remediation. The 60-day notification clock starts on discovery — not on conclusion of the investigation.
Implement role-based access controls so workforce members can only access PHI necessary for their job function. Review and audit access logs regularly. Promptly revoke access upon termination or role change — former employee access is a recurring source of breaches.
If workforce members access ePHI on personal devices, implement a formal BYOD policy with MDM software that can enforce encryption, remote wipe, and screen lock. Lost and stolen mobile devices remain a top category of reportable breaches.
HIPAA requires documentation of policies, procedures, training, risk analyses, and breach assessments — retain for 6 years. In an OCR investigation, documentation is your primary defense. If it is not documented, it is presumed not to have occurred.
HIPAA sets a federal floor; many states have stricter health privacy laws (e.g., California's CMIA, mental health confidentiality statutes, HIV/AIDS information acts). Where state law is more protective of patient privacy, it governs. Always analyze both federal and state requirements.