What Is HIPAA?
A clear, comprehensive guide to HIPAA: what it is, who must comply, the five core rules, what counts as protected health information, and how to start your compliance journey.
Article by
HIPAA Guidelines Editorial Team
In the spring of 1996, Congress passed a law that most Americans had never heard of. The Health Insurance Portability and Accountability Act was primarily designed to ensure workers could maintain health insurance coverage between jobs. But tucked inside its pages was a provision that would fundamentally reshape how the nation handles medical information.
Nearly three decades later, HIPAA has become one of the most recognised — and most misunderstood — regulatory frameworks in American healthcare. This guide breaks down what HIPAA actually requires, who it covers, and what it means for your organisation.
What Does HIPAA Stand For?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191). While the law's original focus was on insurance portability, its most lasting legacy has been the Administrative Simplification provisions — rules that established national standards for protecting health information.
The law has been amended several times, most significantly by the HITECH Act of 2009, which strengthened enforcement, extended requirements to business associates, and introduced the Breach Notification Rule.
Why HIPAA Matters
The numbers tell the story. In 2024 alone, the HHS Office for Civil Rights received over 33,000 HIPAA-related complaints. Major breaches at Change Healthcare, Ascension, and other organisations exposed the records of hundreds of millions of patients. The average cost of a healthcare data breach now exceeds $10 million — the highest of any industry for thirteen consecutive years.
But HIPAA is not simply about avoiding fines. The regulations exist because patients deserve to trust that their most sensitive information — diagnoses, medications, mental health records, reproductive health decisions — will not be exposed without their consent. When that trust breaks down, patients delay or avoid seeking care, which creates a public health consequence that extends well beyond any single organisation.

The Five HIPAA Rules You Need to Know
HIPAA is not a single rule but a collection of interlocking regulations. The five core rules are:
1. The Privacy Rule
Established in 2000 and modified in 2002, the Privacy Rule sets standards for when and how protected health information can be used or disclosed. It gives patients rights over their health data and limits what covered entities can share without authorisation.
The Privacy Rule introduced several cornerstone principles that continue to shape healthcare operations:
- The minimum necessary standard, which requires entities to limit the use, disclosure, and request of PHI to the minimum amount needed to accomplish the intended purpose
- Patient access rights, including the right to view, obtain copies of, and request amendments to their health records
- Notice of Privacy Practices, which entities must provide to patients explaining how their information may be used
2. The Security Rule
Published in 2003, the Security Rule specifically addresses electronic protected health information (ePHI). It requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
Unlike the Privacy Rule, the Security Rule is technology-neutral. It does not mandate specific products or solutions. Instead, it establishes a risk-based framework where organisations must assess their own environment and implement appropriate protections. The three safeguard categories break down as follows:
- Administrative safeguards — risk analysis, workforce training, security management processes, and contingency planning
- Physical safeguards — facility access controls, workstation security, and device and media controls
- Technical safeguards — access controls (including unique user IDs), audit controls, integrity controls, and transmission security
3. The Breach Notification Rule
Finalised in 2009 under the HITECH Act, this rule requires covered entities and business associates to notify individuals, the HHS Secretary, and in some cases the media, following a breach of unsecured PHI.
The notification timelines are strict:
- Individuals must be notified without unreasonable delay and no later than 60 days from the discovery of the breach
- HHS must be notified within 60 days for breaches affecting 500 or more individuals, or annually for smaller breaches
- Prominent media outlets must be notified if a breach affects more than 500 individuals in a single state or jurisdiction
4. The Enforcement Rule
This rule establishes the procedures for investigating complaints and imposing penalties for HIPAA violations. It gives the HHS Office for Civil Rights the authority to levy substantial fines across four penalty tiers, ranging from $145 per violation for unknowing violations to over $2.1 million for violations due to wilful neglect that are not corrected. See our detailed breakdown of HIPAA violations and penalties for real-world enforcement examples.
5. The Omnibus Rule
Published in 2013, the Omnibus Rule implemented a number of HITECH Act provisions, extended HIPAA requirements to business associates and their subcontractors, and strengthened patient rights. It also prohibited the sale of PHI without authorisation and restricted the use of PHI for marketing purposes.
Who Must Comply with HIPAA?
HIPAA applies to three categories of entities:
- Covered entities — Health plans, healthcare clearinghouses, and healthcare providers who conduct standard electronic transactions
- Business associates — Any person or entity that performs functions on behalf of a covered entity involving the use or disclosure of PHI (see our guide to who must comply with HIPAA for detailed examples)
- Subcontractors of business associates — Third parties that handle PHI on behalf of business associates
If you are wondering whether your organisation falls under HIPAA, the answer is almost certainly yes if you touch patient health information in any capacity. This includes not only hospitals and clinics, but also cloud storage providers, billing companies, IT consultants, lawyers handling health-related cases, and shredding companies that destroy medical records.
What Is Protected Health Information?
Protected Health Information, or PHI, is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. For a deeper explanation with examples, see our guide to the 18 HIPAA identifiers. The eighteen identifiers include:
- Names
- Geographic data smaller than a state
- Dates related to an individual (birth, admission, discharge, death)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or licence numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs
- Any other unique identifying number, characteristic, or code
It is worth noting that PHI exists in all forms — paper, oral, and electronic. When PHI is stored or transmitted electronically, it is referred to as electronic protected health information, or ePHI, and is subject to the additional requirements of the Security Rule.

Common HIPAA Misconceptions
There are several persistent myths about HIPAA that create confusion:
Myth: HIPAA only applies to doctors and hospitals. In reality, health plans, clearinghouses, business associates, and their subcontractors are all subject to HIPAA requirements. If your company provides services to a healthcare client and handles PHI in the process, you are covered.
Myth: HIPAA prohibits all sharing of health information. The Privacy Rule permits disclosures for treatment, payment, and healthcare operations without patient authorisation. It also allows disclosures required by law, for public health activities, and in certain emergency circumstances.
Myth: Patients can sue directly under HIPAA. There is no private right of action under HIPAA. Only the HHS Office for Civil Rights and state attorneys general can enforce HIPAA penalties. However, patients can file complaints with OCR, and many states have their own health privacy laws that do provide for private causes of action.
Myth: HIPAA compliance is a one-time project. Compliance is an ongoing process that requires annual risk assessments, regular training, policy updates, and continuous monitoring of safeguards.
HIPAA Compliance: Where to Start
If your organisation is new to HIPAA or reviewing its compliance posture, the most critical first steps are:
- Conduct a security risk analysis — This is the foundational requirement of the Security Rule. You cannot protect what you have not identified. Our risk assessment guide walks through the process step by step.
- Designate a privacy officer and a security officer — These roles are responsible for developing and implementing policies.
- Implement a training programme — All workforce members, including volunteers and contractors, must receive HIPAA training.
- Execute business associate agreements — Ensure that every vendor who touches PHI has a signed BAA in place.
- Develop written policies and procedures — Document how your organisation handles PHI in every context.
- Establish an incident response plan — Know exactly what steps to take when a breach occurs.
Key Takeaways
- HIPAA is a framework of multiple rules, not a single regulation
- It applies to covered entities, business associates, and their subcontractors
- PHI includes any health information that can identify an individual, across all formats
- Non-compliance can result in fines ranging from $145 to over $2.1 million per violation category per year
- The rules continue to evolve — recent proposed changes address reproductive health care protections and cybersecurity requirements
- Compliance is an ongoing process that requires continuous attention and resources
Understanding HIPAA is not optional for healthcare organisations. The regulations are complex, but the underlying principle is straightforward: protect patient information as if it were your own. For most organisations, the path to compliance begins with a thorough risk assessment and a commitment to making data protection a core part of operations.
HIPAA Guidelines Editorial Team
The editorial team at HIPAA Guidelines researches and writes authoritative guides on HIPAA compliance, privacy regulations, and healthcare data protection.