HIPAA
Health Insurance Portability and Accountability Act — US Public Law 104-191
Standard Introduction
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in August 1996. Its Administrative Simplification provisions are the legal basis for the national standards that protect Protected Health Information (PHI) from being used or disclosed without patient authorization, and that require healthcare providers, health plans, healthcare clearinghouses, and their business associates to implement appropriate safeguards. The implementing regulations include the Privacy Rule (compliance required from April 2003), the Security Rule (compliance required from April 2005), and the Breach Notification Rule (effective September 2009). HIPAA applies to 'covered entities' (healthcare providers that conduct standard electronic transactions, health plans, and healthcare clearinghouses) and to 'business associates' that create, receive, maintain, or transmit PHI on behalf of a covered entity.
HIPAA compliance requires implementing three categories of safeguards: Administrative (policies, procedures, risk analysis, training), Physical (facility access controls, workstation security, device and media controls), and Technical (access controls, encryption, audit controls, authentication, transmission security). The Privacy Rule governs the use and disclosure of PHI in any form and grants patients rights to access their records, request corrections, and receive an accounting of disclosures. The Security Rule specifically addresses electronic PHI (ePHI) and expresses its standards as 'required' and 'addressable' implementation specifications. Addressable does not mean optional: the entity must implement the specification or document why it is not reasonable and appropriate and implement an equivalent alternative measure where one is reasonable. Recent updates include the 2024 Reproductive Health Privacy Rule and the Security Rule changes proposed in January 2025 in response to ransomware and hacking threats, which would, among other things, make encryption and multi-factor authentication required rather than addressable. The HHS Office for Civil Rights (OCR) enforces HIPAA through audits and investigations. The base statutory civil penalty tiers range from $100 to $50,000 per violation, capped at $1.5 million per year for each violation category; OCR adjusts these amounts annually for inflation, so current figures are higher. The 2024-2025 HIPAA audit program focuses on Security Rule compliance related to cybersecurity threats.
Scope
Applies to covered entities and business associates regardless of size, and to PHI in any form; the Security Rule specifically requires protecting the confidentiality, integrity, and availability of ePHI.
Structure
Codified at 45 CFR Parts 160 and 164. The Privacy Rule, Security Rule, and Breach Notification Rule each define standards with required and addressable implementation specifications; HIPAA is a regulation, not a management-system standard.
Certification
There is no HIPAA certification recognized by HHS. Compliance is demonstrated through a documented risk analysis, implemented safeguards, policies, and records, and is assessed by OCR; a third-party 'HIPAA certified' label does not substitute for compliance.
Core Requirements (Security Rule, 45 CFR 164.308-164.316)
- Risk analysis and risk management (required administrative safeguard)
- Administrative safeguards: security management process, workforce security and training, incident procedures, contingency planning, periodic evaluation
- Physical safeguards: facility access controls, workstation use and security, device and media controls
- Technical safeguards: access control, audit controls, integrity, person or entity authentication, transmission security
- Organizational requirements and business associate contracts
- Policies, procedures, and documentation (retained for six years)
- Breach notification to affected individuals, HHS, and, for large breaches, the media
Official Documentation
HIPAA Basics for Providers
PDF • 425 KB • Privacy, Security & Breach Notification Rules
HHS HIPAA for Professionals
External Link • hhs.gov/hipaa • Official HHS Portal
HIPAA Security Rule Guidance
External Link • Security Implementation Specifications & Best Practices