Status: Active | Type: International Standard | Last Updated: December 2024

HIPAA

Health Insurance Portability and Accountability Act — US Public Law 104-191

Publishing Organization: U.S. Department of Health and Human Services (HHS)

Standard Introduction

The Health Insurance Portability and Accountability Act (HIPAA) is a foundational US federal law enacted in August 1996 to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. HIPAA establishes national standards for the protection of Protected Health Information (PHI), requiring healthcare providers, health plans, healthcare clearinghouses, and their business associates to implement appropriate safeguards. The law comprises multiple rules, including the Privacy Rule (effective April 2003), the Security Rule (effective April 2005), and the Breach Notification Rule (enforceable September 2009). HIPAA applies to 'covered entities' (healthcare providers conducting electronic transactions, health plans, and healthcare clearinghouses) as well as to 'business associates' that handle PHI on behalf of covered entities.

HIPAA compliance requires implementing three categories of safeguards: Administrative (policies, procedures, training), Physical (facility access controls, workstation security), and Technical (access controls, encryption, audit controls). The Privacy Rule governs the use and disclosure of PHI and grants patients the rights to access their records, request corrections, and receive an accounting of disclosures. The Security Rule specifically addresses the protection of electronic PHI (ePHI) through required and addressable implementation specifications (a required specification must be implemented as stated; an addressable one must be implemented or, where the entity documents that doing so is not reasonable and appropriate, met by an equivalent alternative measure where one is reasonable and appropriate). Recent updates include the 2024 Reproductive Health Privacy Rule and the proposed 2025 cybersecurity enhancements addressing ransomware and hacking threats. The HHS Office for Civil Rights (OCR) enforces HIPAA through audits and investigations, with penalties ranging from $100 to $50,000 per violation, up to $1.5 million per year for each violation category (the statutory amounts; the inflation-adjusted figures currently in effect are given under Penalties & Enforcement below). The 2024-2025 HIPAA audit program focuses on Security Rule compliance related to cybersecurity threats.

Protected Health Information

Establishes national standards for protecting individually identifiable health information (PHI) — including electronic, paper, and oral forms.

Security Rule Safeguards

Requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).

Breach Notification

Mandates notification to affected individuals, HHS, and (for large breaches) the media within 60 days of discovering a breach of unsecured PHI.

Key Rules

  • Privacy Rule — limits use and disclosure of PHI
  • Security Rule — administrative, physical, and technical safeguards for ePHI
  • Breach Notification Rule — 60-day notification requirement
  • Enforcement Rule — investigation and penalty procedures
  • Minimum Necessary standard — limit PHI to what is needed
  • Business Associate Agreements (BAAs) required
  • Patient right to access their health records

Who Needs to Comply?

Covered entities (health plans, healthcare clearinghouses, healthcare providers conducting electronic transactions) and their business associates that create, receive, maintain, or transmit PHI.

Key Requirements

1. Risk Analysis

Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization.

2. Access Controls

Implement technical policies and procedures to limit access to ePHI to only those persons and software programs that have been granted access rights. Includes unique user IDs, emergency access procedures, and automatic logoff.

3. Business Associate Agreements

Execute written contracts with all business associates that create, receive, maintain, or transmit PHI on your behalf. BAAs must specify permitted uses and require safeguards.

4. Audit Controls

Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.

5. Workforce Training

Train all workforce members on HIPAA policies and procedures. Apply appropriate sanctions against workforce members who violate those policies.

Penalties & Enforcement

Civil penalties range from $141 to $2,134,831 per violation depending on the level of culpability. Criminal penalties for knowing misuse include fines up to $250,000 and up to 10 years imprisonment. HHS OCR enforces through audits and investigations.

Implementation Timeline

  • Aug 1996: HIPAA enacted by President Clinton; Public Law 104-191 signed into law to protect patient health information
  • Dec 2000: Privacy Rule published; HHS issued the final Privacy Rule establishing national standards for PHI protection
  • Feb 2003: Security Rule published; HHS issued the final Security Rule for electronic PHI (ePHI) protection
  • Apr 2003: Privacy Rule effective date; healthcare providers, health plans, and clearinghouses required to comply
  • Apr 2005: Security Rule effective date; covered entities required to implement administrative, physical, and technical safeguards
  • Sept 2009: Breach Notification Rule enforceable; the HITECH Act requirement to notify individuals of PHI breaches became enforceable
  • March 2013: Omnibus Final Rule enforceable; strengthened privacy and security protections and extended them to business associates
  • June 2024: Reproductive Health Privacy Rule effective; new protections for the privacy of reproductive healthcare information
  • Jan 2025: Security Rule cybersecurity update proposed; NPRM published with enhanced cybersecurity standards addressing ransomware