HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, a US federal law that lets people keep health coverage between jobs and sets national standards for protecting health information. Its Privacy, Security, and Breach Notification rules govern how protected health information (PHI) is used, secured, and disclosed, and are enforced by the HHS Office for Civil Rights.
HIPAA is the Health Insurance Portability and Accountability Act of 1996, a US federal law administered by the Department of Health and Human Services (HHS). The name captures its two halves: portability, protecting people's health coverage when they change or lose a job, and accountability, setting national standards for handling health information.
Most compliance work concerns the accountability half. Under it, HHS issued a family of rules, the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule, that together control how protected health information is used, secured, and disclosed. The HHS Office for Civil Rights enforces them, and the law has been strengthened over time, notably by the 2009 HITECH Act and the 2013 Omnibus Rule.
"HIPAA required the Secretary to issue privacy regulations governing individually identifiable health information."
Title I: protects health insurance coverage for workers and families when they change or lose jobs.
Title II: national standards for health information and the Privacy, Security, and Breach rules.
The HHS Office for Civil Rights (OCR) investigates complaints and imposes penalties.
HIPAA is organised into titles, but two matter most. The name maps directly onto them: portability is Title I, accountability is Title II.
Protects health insurance coverage for workers and their families when they change or lose their jobs, and limits exclusions for pre-existing conditions. This is the half that gave the law its name but rarely features in day-to-day compliance projects.
Directed HHS to create national standards for electronic health care transactions and the rules that protect health information, the Privacy, Security, and Breach Notification rules. This is the part virtually all HIPAA compliance work concerns.
Under Title II, HHS issued the rules that make up day-to-day HIPAA compliance. They share the same PHI and the same workforce, so most teams manage them as one programme.
Sets national standards for protecting PHI in any form and gives individuals rights over their health information. The foundational rule most people mean when they say "HIPAA."
Read the full guideRequires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). The "how" for keeping electronic health data confidential, available, and intact.
Requires covered entities to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI, generally within 60 days of discovery.
Establishes how the HHS Office for Civil Rights investigates complaints and imposes the tiered civil money penalties for violations.
HIPAA protects protected health information: individually identifiable health information held or transmitted by a covered entity or business associate, in any form. That includes a person's health condition, the care they received, and payment for that care, when tied to identifiers such as name, address, dates, or medical record number.
The electronic subset, ePHI, is the focus of the Security Rule. Properly de-identified data, with all 18 HIPAA identifiers removed under the Safe Harbor method or certified by expert determination, falls outside HIPAA entirely. Employment records and FERPA-covered education records are also excluded from PHI.
For the full list of patient rights, permitted uses, the minimum necessary standard, and the 18 Safe Harbor identifiers, see our dedicated guide to the HIPAA Privacy Rule.
HIPAA binds two groups. Scoping your status correctly is the first step of any compliance programme.
Health plans, health care clearinghouses, and health care providers who transmit health information electronically for a covered transaction (such as a claim).
Vendors and subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity, including cloud hosts, billing firms, and SaaS vendors. Directly liable since the 2013 Omnibus Rule.
The HHS Office for Civil Rights enforces HIPAA. Civil penalties are tiered by culpability, from a violation the entity did not know about up to willful neglect that was not corrected. Per-violation amounts and annual caps are adjusted for inflation each year and can reach into the millions of dollars for a category of violations.
The most serious knowing misuse of PHI can also be prosecuted criminally by the Department of Justice, with fines up to $250,000 and up to 10 years in prison. Beyond the dollars, OCR settlements usually require a multi-year corrective action plan, and large breaches appear on the public HHS breach portal.
Always confirm the live numbers. OCR republishes its inflation-adjusted penalty tiers annually, so treat any specific figure as a snapshot and check the current HHS guidance before quoting it.
Six steps that take a covered entity or business associate from uncertain to defensible. The documented risk analysis is the artifact OCR asks for first.
Determine whether you are a covered entity, a business associate, or both. Your obligations and your Business Associate Agreements flow from this.
Map every system, vendor, and workflow that creates, receives, maintains, or transmits PHI, in any form. You cannot protect data you have not located.
Conduct and document a risk analysis of threats to your electronic PHI. This is the single most-requested artifact in an OCR investigation.
Document Privacy and Security policies, publish a Notice of Privacy Practices, and designate a Privacy Officer and a Security Officer.
Put a written BAA in place with every vendor that touches PHI, and flow the same obligations down to subcontractors.
Train the workforce, track remediation of every gap to closure, and keep a timestamped evidence trail. Required HIPAA documentation must be retained for six years.
RiskWatch ships pre-built HIPAA Privacy and Security Rule assessments on a shared control library, runs the risk analysis, tracks remediation to closure, manages Business Associate Agreements, and keeps the timestamped evidence trail OCR asks for.
The questions people search most when they first encounter the law.
Pre-built HIPAA Privacy and Security assessments, the required risk analysis, BAA tracking, and a timestamped audit trail. 30-day free trial, no credit card.
No credit card required · 30-day free trial · Cancel anytime
