HIPAA Law: What It Is, Requirements, Rules, and Compliance

Learn what HIPAA law is, who must comply, the Privacy and Security Rules, PHI definition, violations, and how to achieve compliance.

What Is HIPAA?

HIPAA law — the Health Insurance Portability and Accountability Act — was signed into federal law by President Bill Clinton on August 21, 1996. It set the first national standards in the United States for protecting sensitive patient health information from being disclosed without the patient's knowledge or consent. Before HIPAA, there was no uniform federal law governing how healthcare providers, insurers, and their partners handled medical records and personal health data.

The law has two primary titles. Title I addresses health insurance portability, allowing workers to maintain health insurance coverage when they change or lose jobs. Title II — often called the Administrative Simplification provisions — is what most compliance professionals focus on today. It established standards for electronic healthcare transactions, national identifiers, and critically, rules for privacy and security of protected health information (PHI).

HIPAA was later strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, which expanded HIPAA's reach, increased penalties for violations, and introduced stricter breach notification requirements. The Omnibus Rule of 2013 further refined and expanded obligations for both covered entities and their business associates, closing several gaps in earlier regulations.

In practice, HIPAA law affects virtually everyone who interacts with the U.S. healthcare system — patients, providers, insurers, billing companies, and the technology vendors that support them. Understanding HIPAA is essential for healthcare workers, compliance officers, IT professionals, and any business that handles health information on behalf of medical organizations.

  • Enacted: August 21, 1996
  • Enforced by: HHS Office for Civil Rights (OCR)
  • Penalties: Civil penalties up to about $1.9 million per violation category per calendar year (the cap is adjusted annually for inflation)
  • Criminal penalties: Up to 10 years in federal prison for intentional misuse
  • Applies to: Covered entities and their business associates
  • Key rules: Privacy Rule, Security Rule, Breach Notification Rule, Enforcement Rule

The HIPAA Privacy Rule

The HIPAA Privacy Rule, which took effect on April 14, 2003, establishes national standards for the protection of individuals' medical records and other personal health information. It applies to health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.

The Privacy Rule gives patients significant rights over their own health information. Patients can request to see and obtain copies of their medical records, request corrections to inaccurate information, receive a notice of privacy practices from their providers, and request that their information not be shared with certain parties. These rights empower patients to be active participants in their own healthcare and ensure they understand how their data is used.

Under the Privacy Rule, covered entities may use or disclose PHI without patient authorization for specific purposes including treatment, payment, and healthcare operations (often abbreviated as TPO). For example, a physician can share a patient's records with a specialist as part of treatment without needing written consent. Similarly, a hospital can share records with a billing company for payment purposes. However, most other disclosures require explicit written authorization from the patient.

The Privacy Rule also establishes the concept of the minimum necessary standard. This means that covered entities must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose. You cannot share a patient's entire medical history when only a single diagnosis is relevant to the task at hand. This principle reduces the risk of unnecessary exposure and data sprawl across healthcare organizations.

Some categories of health information carry protections beyond the Privacy Rule's baseline. The Privacy Rule itself singles out psychotherapy notes, which require a separate patient authorization for most uses and disclosures, including most payment and operations purposes. Other sensitive data is protected by additional laws layered on top of HIPAA: substance use disorder treatment records under 42 CFR Part 2, genetic information under GINA, and HIV status, mental health and reproductive health data under many state laws. Where state law is more protective than HIPAA, the stricter standard applies, so organizations must track both.

HIPAA Enforcement Statistics

  • 330,000+ complaints received (since 2003)
  • 32,000+ cases resolved with corrective action
  • $150M+ paid under resolution agreements
  • $16M largest single fine (settlement)
  • 1,000+ criminal referrals to the Department of Justice
  • 725 reported breaches affecting 500 or more individuals (2023)

The HIPAA Security Rule

While the Privacy Rule covers all PHI in any form — paper, verbal, and electronic — the HIPAA Security Rule specifically governs electronic protected health information (ePHI). The Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI they create, receive, maintain, or transmit.

Administrative safeguards are the policies, procedures, and management actions that govern how a covered entity protects ePHI. These include conducting regular security risk assessments, implementing a workforce training program, developing contingency plans, and designating a HIPAA security officer. The risk analysis requirement is perhaps the most critical — organizations must identify threats and vulnerabilities to ePHI and document their risk management strategy.

Physical safeguards control access to the physical locations and devices where ePHI is stored or processed. This includes facility access controls such as locked server rooms and badge access systems, workstation use policies specifying where and how employees can work with ePHI, and device and media controls governing how hardware containing ePHI is disposed of or reused. Deleting files or reformatting a drive is not enough: media must be sanitized or physically destroyed using a recognized method (NIST SP 800-88 is the usual reference), and the destruction must be documented and verified, ideally with a certificate from whoever performed it.

Technical safeguards involve the technology used to protect ePHI and control access to it. Required measures include access controls that allow only authorized users to access ePHI, audit controls that record and examine access activity, integrity controls that prevent improper alteration or destruction of ePHI, and transmission security measures such as encryption for data sent over networks. While the Security Rule does not mandate specific technologies, encryption of ePHI at rest and in transit is strongly recommended and is treated as a safe harbor in breach situations.
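
As an added example (not code from the original page), the following Python shows how the access, audit and integrity controls above can fit together: a minimum-necessary check by workforce role, with every outcome, granted or denied, written to a hash-chained, HMAC-tagged audit log whose verify() detects edits, deletions or reordering. The role field sets, user names and sample accesses are constructed for illustration, and the HMAC key is assumed to be held by a separate logging service rather than the application.

```python
"""Added example: minimum-necessary access checks feeding a tamper-evident
ePHI audit log (HIPAA technical safeguards: access, audit, integrity controls).
Role field sets, user names and the sample accesses are constructed."""
import hashlib
import hmac
import json

# Minimum-necessary data sets per workforce role (constructed; a real
# deployment derives these from the entity's documented policies).
ROLE_FIELDS = {
    "billing": {"dates_of_service", "procedure_codes", "insurance_id"},
    "physician": {"dates_of_service", "procedure_codes", "diagnoses",
                  "medications", "notes"},
}

GENESIS = b"\x00" * 32  # chain anchor for the first entry


def _canonical(entry):
    """Deterministic bytes for an entry (minus its tag) so tags are reproducible."""
    body = {k: v for k, v in entry.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class EphiAuditLog:
    """Append-only log where each entry's HMAC also covers the previous tag.

    Editing, deleting or reordering an entry breaks the chain from that point
    on, which is what lets an auditor trust the record of who touched what
    ePHI. Assumption: the key lives with the logging service, out of reach of
    the application that writes entries.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self._prev = GENESIS

    def record(self, ts, user, role, patient_id, granted, denied):
        entry = {
            "ts": ts, "user": user, "role": role, "patient": patient_id,
            "granted": sorted(granted), "denied": sorted(denied),
        }
        tag = hmac.new(self._key, self._prev + _canonical(entry),
                       hashlib.sha256).digest()
        entry["tag"] = tag.hex()
        self.entries.append(entry)
        self._prev = tag
        return entry

    def verify(self):
        """Recompute the chain: (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expect = hmac.new(self._key, prev + _canonical(entry),
                              hashlib.sha256).digest()
            if not hmac.compare_digest(expect.hex(), entry["tag"]):
                return False, i
            prev = expect
        return True, None


def access_ephi(log, ts, user, role, patient_id, requested):
    """Apply the minimum-necessary rule and log the outcome, granted or not."""
    allowed = ROLE_FIELDS.get(role, set())
    granted = set(requested) & allowed
    denied = set(requested) - allowed
    log.record(ts, user, role, patient_id, granted, denied)
    return granted, denied


def build_demo_log(key=b"demo-key-held-by-log-service"):
    """Constructed accesses: a biller over-requests, a physician reads notes."""
    log = EphiAuditLog(key)
    access_ephi(log, "2024-03-01T09:00:00Z", "bsmith", "billing", "P-1001",
                ["procedure_codes", "insurance_id", "notes"])
    access_ephi(log, "2024-03-01T09:05:00Z", "dr.lee", "physician", "P-1001",
                ["notes", "medications"])
    return log


def tamper_demo(key=b"demo-key-held-by-log-service"):
    """Rewriting history is detected: scrub the biller's denied field."""
    log = build_demo_log(key)
    log.entries[0]["denied"] = []          # pretend the over-request never happened
    return log.verify()


if __name__ == "__main__":
    demo = build_demo_log()
    for e in demo.entries:
        print(json.dumps(e))
    print("intact:", demo.verify())         # (True, None)
    print("after tamper:", tamper_demo())   # (False, 0)
```

Deleting a middle entry is caught the same way: the next entry's tag was computed over a tag that is no longer there, so verify() stops at that index. Shipping the tags to write-once storage or a separate SIEM is what turns tamper-evident into tamper-resistant. The Security Rule does not prescribe this design; it is one way to satisfy the intent of the audit and integrity specifications.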

The Security Rule uses a tiered system of required versus addressable implementation specifications. Required specifications must be implemented as stated. Addressable specifications must either be implemented as written, implemented with an equivalent alternative measure, or documented as not applicable with justification. This flexibility allows organizations of different sizes and technical sophistication to comply in ways appropriate to their circumstances, though it does not mean addressable specifications can be ignored.

HIPAA Security Rule Safeguards Checklist

  • Conduct and document a thorough security risk analysis
  • Develop and implement a risk management plan
  • Designate a HIPAA Security Officer
  • Implement workforce training on security policies
  • Establish physical access controls to facilities and workstations
  • Implement technical access controls and user authentication
  • Enable audit logging for all ePHI access
  • Encrypt ePHI in transit and consider encryption at rest
  • Develop a contingency plan and test disaster recovery
  • Create a process for reporting and responding to security incidents

The Breach Notification Rule

The HIPAA Breach Notification Rule, added by the HITECH Act in 2009, requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, when a breach of unsecured PHI occurs. Since the 2013 Omnibus Rule, any impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless the entity can demonstrate a low probability that the PHI has been compromised, based on a documented risk assessment of at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. The older "significant risk of harm" test from the 2009 interim rule no longer applies.

When a breach affects 500 or more individuals, covered entities must notify HHS at the same time they notify the affected individuals, and must notify prominent media outlets serving any state or jurisdiction in which more than 500 residents are affected. All of these notifications are due without unreasonable delay and no later than 60 days after the breach is discovered. They must include a description of what happened, the types of PHI involved, steps individuals should take to protect themselves, what the covered entity is doing to investigate and mitigate harm, and contact information for follow-up questions.

Breaches affecting fewer than 500 individuals must still be reported to each affected individual within 60 days. However, the covered entity may maintain a log of these smaller breaches and submit them to HHS annually, no later than 60 days after the end of the calendar year in which they occurred.

The rule includes a safe harbor provision: if the PHI was encrypted according to HHS guidance, or if the media was destroyed so that the data cannot be reconstructed, the PHI is not "unsecured" and its loss is not a reportable breach. This creates a strong incentive for organizations to encrypt ePHI as a risk management strategy. To qualify, the encryption must follow the NIST publications named in the HHS guidance (SP 800-111 for data at rest; SP 800-52, 800-77, or 800-113 for data in transit), and the decryption key must not have been compromised along with the data. A laptop whose disk is encrypted but whose password is on a sticky note attached to it does not get the safe harbor.

Business associates who discover a breach must notify the covered entity within 60 days of discovery. The covered entity then takes responsibility for notifying individuals and HHS. This chain of responsibility ensures that even when a breach originates with a vendor or contractor, the covered entity is kept informed and can take appropriate action to protect patients.

Who Must Comply With HIPAA?

Covered Entities

Health plans (insurers, HMOs, Medicare/Medicaid), healthcare clearinghouses, and healthcare providers who transmit health information electronically — including hospitals, physician offices, dentists, pharmacies, and nursing homes.

Business Associates

Companies and individuals that perform functions or services for a covered entity involving the use or disclosure of PHI. Examples include billing services, EHR vendors, cloud storage providers, medical transcriptionists, and IT support firms.

Business Associate Subcontractors

Since the Omnibus Rule (2013), subcontractors of business associates who create, receive, maintain, or transmit PHI on behalf of a business associate are themselves business associates: they are directly liable for Security Rule compliance and for the Privacy Rule provisions that apply to business associates, and the business associate must have a written BAA with them before sharing PHI.

Exceptions

Employers (in their role as employers), life insurers, workers' compensation carriers, most schools and school districts, many state agencies, law enforcement agencies, and most municipal offices are generally NOT covered entities under HIPAA.

What Is Protected Health Information (PHI)?

Protected Health Information, or PHI, is any individually identifiable health information that is held or transmitted by a covered entity or business associate in any form — electronic, paper, or oral. The key is that the information must both relate to health and be capable of identifying a specific individual. If health information is fully de-identified, it is no longer considered PHI and falls outside HIPAA's protections.

HIPAA identifies 18 specific categories of identifiers that, when combined with health information, create PHI. These include names, geographic data smaller than a state, dates (other than year) directly related to an individual, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers such as fingerprints, full-face photographs, and any other unique identifying number or code.

Electronic PHI (ePHI) refers to PHI created, stored, transmitted, or received electronically. This is the category specifically governed by the Security Rule. As healthcare has digitized, the volume of ePHI has grown exponentially — from electronic health records and patient portals to wearable devices and telehealth platforms. Every system that touches ePHI must be assessed for HIPAA compliance.

De-identification is the process of removing or obscuring PHI so that information cannot reasonably be used to identify an individual. HIPAA allows two methods of de-identification: the Expert Determination method, where a qualified statistical expert certifies that the risk of identification is very small, and the Safe Harbor method, where all 18 categories of identifiers are removed and the covered entity has no actual knowledge that the remaining information could identify an individual. De-identified data can be used and shared freely without HIPAA restrictions, which is valuable for research and public health purposes.

Healthcare workers often mistakenly believe that only obvious identifiers like names or Social Security numbers constitute PHI. In reality, a combination of diagnosis, age, and zip code can be enough to identify a patient in a small community. The definition is intentionally broad to provide comprehensive protection, which means compliance requires careful analysis of all the data your organization handles, not just the obvious identifiers.
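
As an added example (not code from the original page or from HHS), the following Python applies the Safe Harbor method from the de-identification section above to a patient record: direct identifiers are dropped, dates are reduced to their year, ZIP codes to their first three digits (or "000" for sparsely populated prefixes), and ages over 89 collapse to "90+". The field names and the sample records are constructed, and the sparse-ZIP list is the one published in HHS guidance from 2000 Census figures, assumed here to be adequate for illustration.

```python
"""Added example: Safe Harbor de-identification (45 CFR 164.514(b)(2)).
Field names and sample records are constructed for illustration."""
from datetime import date
import re

# Direct identifiers among the 18 Safe Harbor categories, keyed by the field
# names this (constructed) record layout uses. They are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# Three-digit ZIP prefixes whose combined population was 20,000 or fewer in
# the 2000 Census, as listed in HHS de-identification guidance; they must be
# replaced by "000". Assumption: adequate to illustrate the rule; refresh
# from current Census data before relying on it.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}


def generalize_zip(zip_code):
    """Keep only the first three digits, or "000" for sparse prefixes."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def age_on(birth, as_of):
    """Whole years between two dates (birthday not yet reached counts down)."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def deidentify(record, as_of):
    """Return (deidentified_record, removed_fields).

    Dates keep only their year; ages over 89 become "90+" and lose the birth
    year, since the year alone would reveal the age. Free text and any other
    unique code still need human review: Safe Harbor also requires that the
    entity has no actual knowledge the remainder could identify the person.
    """
    out, removed = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(key)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
            removed.append(key)
        elif isinstance(value, date):
            out[key.replace("_date", "_year")] = value.year
            removed.append(key)
        else:
            out[key] = value            # e.g. diagnosis codes are not identifiers
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        if age > 89:
            out["age"] = "90+"
            out["birth_year"] = None
        else:
            out["age"] = str(age)
    return out, removed


# Constructed sample records (not real patients).
ELDERLY = {
    "name": "Jane Q. Example", "mrn": "MRN-0012345", "email": "jane@example.org",
    "street_address": "12 Elm St", "city": "Springfield", "zip": "03601-1234",
    "birth_date": date(1930, 5, 4), "admission_date": date(2023, 11, 2),
    "diagnosis_code": "E11.9", "ip_address": "10.0.0.5",
}
YOUNG = {
    "name": "John Q. Example", "ssn": "000-00-0000", "zip": "02139",
    "birth_date": date(1985, 8, 20), "admission_date": date(2024, 3, 15),
    "diagnosis_code": "J45.20",
}

if __name__ == "__main__":
    for rec in (ELDERLY, YOUNG):
        kept, dropped = deidentify(rec, rec["admission_date"])
        print(kept, "removed:", dropped)
```

What survives (zip3, age, year, diagnosis) is exactly the combination the paragraph above warns about, which is why Safe Harbor is a legal floor rather than a guarantee against re-identification; an Expert Determination looks at that residual risk quantitatively, and the "no actual knowledge" clause means a small-town clinic cannot hide behind the checklist when it knows a 90+ patient with a rare diagnosis is identifiable.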

HIPAA Violation Penalty Tiers

Tier 1: Lack of knowledge

  • Description: The covered entity did not know and could not have reasonably known of the violation.
  • Minimum penalty: $100 per violation
  • Maximum penalty: $50,000 per violation
  • Annual cap: $25,000 per identical violation category
  • Example: A receptionist accidentally sends a fax to the wrong number and had no reason to suspect the fax number was incorrect.

Amounts shown are base figures; HHS adjusts them for inflation each year.

Common HIPAA Violations

HIPAA violations can range from minor procedural oversights to catastrophic data breaches affecting millions of patients. Understanding the most common violations helps organizations prioritize their compliance efforts and avoid the costly mistakes that have resulted in multi-million dollar settlements for healthcare organizations of all sizes.

Impermissible disclosures are consistently among the most common violation types. These occur when PHI is shared without proper authorization or outside of the permitted TPO purposes. Examples include staff discussing patient information in public areas, sending PHI to the wrong recipient, posting information about patients on social media, or sharing records with family members without patient authorization. Even well-intentioned disclosures — like telling a worried family member about a patient's condition without consent — can constitute violations.

Failure to conduct or adequately document a security risk analysis is one of the most frequently cited Security Rule violations. The Office for Civil Rights (OCR) has made clear in numerous enforcement actions that a thorough, enterprise-wide risk analysis is foundational to the Security Rule — not optional. Organizations that skip this step or conduct superficial analyses leave themselves exposed to both breaches and penalties.

Lack of business associate agreements (BAAs) is another common source of violations. Any time a covered entity shares PHI with a business associate, a written BAA must be in place before any PHI is disclosed. Many organizations fail to identify all their business associates, overlook vendors that gain incidental access to PHI, or use outdated BAA templates that don't reflect current regulations.

Inadequate workforce training contributes to many HIPAA violations. Employees who don't understand HIPAA's requirements make mistakes — clicking phishing links, using personal email for PHI, discussing patient information inappropriately, or failing to report potential breaches. Annual training that is meaningful, role-specific, and documented is a core compliance requirement and an effective prevention tool.

Patient right of access violations have become an enforcement priority for OCR in recent years. Patients have the right to receive copies of their medical records within 30 days of requesting them (with one possible 30-day extension). Many providers still fail to meet this deadline, charge excessive fees, or deny requests without legal justification. OCR has levied multiple fines specifically targeting these violations, including several against small practices to send a clear message that size is no excuse.


Achieving and Maintaining HIPAA Compliance

HIPAA compliance is not a one-time project but an ongoing program that requires sustained organizational commitment. The regulatory framework is deliberately flexible — it does not prescribe specific technologies or rigid procedures — but this flexibility means organizations must make thoughtful, documented decisions about how to meet the standards in their specific environment.

The foundation of any HIPAA compliance program is a comprehensive, enterprise-wide security risk analysis. This assessment must identify where PHI and ePHI exist in your organization, what threats could compromise that information, what vulnerabilities exist in your systems and processes, and what the likelihood and impact of different risk scenarios would be. The Security Rule requires the analysis to be reviewed and updated periodically; in practice that means at least annually and whenever the environment changes significantly, such as a new EHR system, a cloud migration, or a merger.

Policies and procedures are the backbone of compliance. Every covered entity needs documented policies addressing access controls, workforce training, incident response, business associate management, media disposal, workstation use, and dozens of other areas. These policies must be reviewed annually, updated to reflect regulatory changes and organizational developments, and actively enforced rather than left to gather dust on a shelf.

Training all members of the workforce who have access to PHI is a non-negotiable HIPAA requirement. Training must cover the organization's privacy and security policies, the types of information that constitute PHI, how PHI can and cannot be used and shared, how to recognize and report potential breaches, and the consequences of violations. Training records must be maintained for at least six years. New employees must be trained before accessing PHI, and all staff should receive refresher training at least annually.

Vendor management is an increasingly important compliance challenge as healthcare organizations rely on more cloud services, software platforms, and outsourced functions. Before sharing any PHI with a vendor, you must determine whether they are a business associate, execute a compliant BAA, and assess their security controls. Many organizations use standardized security questionnaires and audit rights in contracts to ensure their vendors maintain appropriate protections.

Audit and monitoring programs help organizations detect compliance gaps before they become violations or breaches. Regular internal audits of PHI access logs, policy compliance, and technical controls can identify problems early. Many organizations also conduct periodic third-party assessments or penetration tests to get an independent view of their security posture. Documenting these reviews and the actions taken in response is essential for demonstrating good-faith compliance efforts.

When incidents occur — and in most organizations, they eventually will — having a well-practiced incident response and breach notification plan is critical. The plan should define what constitutes a breach, establish roles and responsibilities for investigation and notification, include templates for required notifications, and specify timelines to ensure the 60-day reporting deadline is met. Tabletop exercises that simulate breach scenarios help ensure the plan is practical and that key staff know their roles.


About the Author

James R. Hargrove, JD, LLM

Attorney & Bar Exam Preparation Specialist

Yale Law School

James R. Hargrove is a practicing attorney and legal educator with a Juris Doctor from Yale Law School and an LLM in Constitutional Law. With over a decade of experience coaching bar exam candidates across multiple jurisdictions, he specializes in MBE strategy, state-specific essay preparation, and multistate performance test techniques.