HIPAA Laws: Rules, Requirements, and Who Must Comply

Learn what HIPAA laws require, which organizations must comply, the four main rules, and what happens when violations occur. Updated 2026.

What Are HIPAA Laws?

HIPAA — the Health Insurance Portability and Accountability Act — is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. While it started as legislation focused on health insurance portability (allowing workers to maintain coverage when changing jobs), it has evolved through subsequent rules and amendments into the primary legal framework governing the privacy, security, and proper handling of protected health information (PHI) in the United States. If you work in healthcare, health insurance, or any vendor role that touches patient data, you're almost certainly operating in HIPAA's jurisdiction.

The "laws" that practitioners refer to as HIPAA aren't a single statute but a set of administrative rules issued by the Department of Health and Human Services (HHS) under the authority of the 1996 act. These include the Privacy Rule (2003), the Security Rule (2005), the Breach Notification Rule (2009), and the Enforcement Rule. Together, they define what counts as protected information, who must protect it, how it must be secured, what patients' rights are regarding their own information, and what penalties apply when organizations fail to comply.

Understanding HIPAA's scope is the first step toward meaningful compliance. Not every healthcare worker or business that touches medical information is automatically subject to HIPAA — the law applies specifically to covered entities and their business associates.

Broadly, that means healthcare providers who transmit information electronically, health plans, healthcare clearinghouses, and vendors who handle PHI on their behalf. A plumber who overhears a patient conversation in a waiting room isn't subject to HIPAA; a medical billing company that processes claims on behalf of a hospital very much is. For a foundational overview, see what HIPAA is and who it applies to.

HIPAA isn't static. HHS regularly issues guidance documents, enforcement actions, and formal rule updates that change how specific provisions apply in practice. The COVID-19 pandemic, for example, generated multiple enforcement discretion notices that temporarily modified standard HIPAA requirements for telehealth. Staying current with HHS's Office for Civil Rights (OCR) guidance matters as much as knowing the base rules. This is especially true for organizations in rapidly evolving care delivery environments such as telehealth, remote monitoring, and AI-assisted clinical decision tools, where how existing HIPAA rules apply to new technologies is clarified more often through enforcement actions and guidance than through formal rulemaking.

  • Enacted: 1996 (Kennedy-Kassebaum Act), with major rules added 2003–2013
  • Enforcer: HHS Office for Civil Rights (OCR) — investigates complaints and levies penalties
  • Protected information: PHI = individually identifiable health information in any form (electronic, paper, oral)
  • Key rules: Privacy Rule, Security Rule, Breach Notification Rule, Enforcement Rule
  • Maximum penalty: $1.9 million per violation category per year; criminal prosecution possible for willful violations
  • HITECH Act (2009): Strengthened HIPAA, added breach notification, increased penalties, extended rules to business associates directly

History and Evolution of HIPAA Laws

1996 — HIPAA Enacted

Congress passes the Health Insurance Portability and Accountability Act. Primary focus: insurance portability for workers changing jobs, plus administrative simplification provisions requiring electronic transaction standards.
2003 — Privacy Rule Takes Effect

The Privacy Rule establishes the first national standards for protecting PHI. Covered entities must implement policies on PHI use, provide patients with Notice of Privacy Practices, and give patients rights to access their own records.
2005 — Security Rule Takes Effect

The Security Rule adds specific requirements for protecting electronic PHI (ePHI). Covered entities must implement administrative, physical, and technical safeguards. First time HIPAA required specific IT security controls.
2009 — HITECH Act and Breach Notification Rule

The Health Information Technology for Economic and Clinical Health Act strengthens HIPAA: adds the Breach Notification Rule requiring notification within 60 days of discovery, directly subjects business associates to HIPAA rules, and substantially increases civil and criminal penalties.
2013 — HIPAA Omnibus Rule

The Omnibus Rule finalises HITECH modifications: expands business associate liability, revises breach standard (no longer requires harm assessment), expands patient rights, and extends rules to subcontractors of business associates.

The HIPAA Privacy Rule

The HIPAA Privacy Rule is the foundation of patient rights under federal law. It defines protected health information (PHI), establishes when covered entities can use or disclose it, and gives patients specific rights over their own health data.

PHI is broadly defined: it covers any individually identifiable health information — name, address, birth date, Social Security number, account numbers, or any information that could reasonably identify a specific person — held by a covered entity or business associate in any format, whether electronic, paper, or spoken. The fact that spoken information is included means HIPAA applies to conversations in hallways and waiting rooms, not just to what's stored in electronic records systems.

The Privacy Rule operates on a minimum-necessary standard. Covered entities can only use or disclose the minimum PHI required for a particular purpose. A treating physician can access a patient's full medical record for treatment; the same physician cannot access that record out of personal curiosity. This principle requires covered entities to implement policies that restrict PHI access by role and need — not just technically (through system permissions), but through workforce training and policy enforcement.

Patients have six core rights under the Privacy Rule: the right to access and obtain copies of their PHI; the right to request corrections to inaccurate records; the right to receive an accounting of disclosures; the right to request restrictions on certain uses; the right to receive communications through alternative means (e.g., receiving mail at a different address for privacy reasons); and the right to a Notice of Privacy Practices explaining how their information is handled. Covered entities must honor these rights within specific timeframes — typically 30 days for access requests, extendable to 60 days with notice.

HIPAA specifically permits certain PHI disclosures without patient authorisation: for treatment, payment, and healthcare operations (TPO); for public health reporting; for law enforcement under specific circumstances; for mandatory reporting requirements like abuse or neglect; and in other narrowly defined situations. Any disclosure outside a permitted exception requires explicit written patient authorisation. Understanding which disclosures are permitted versus which require authorisation is where compliance failures most commonly occur in day-to-day clinical operations.

The Privacy Rule also establishes requirements for Business Associate Agreements (BAAs). Any time a covered entity shares PHI with a vendor or contractor who uses it on its behalf, a BAA must be in place before any PHI is disclosed. The BAA contractually binds the business associate to HIPAA-compliant handling, limits how the BA can use PHI, requires the BA to report breaches, and mandates that the BA return or destroy PHI when the relationship ends.

A covered entity that fails to execute BAAs with its vendors — or executes deficient agreements that don't meet HIPAA's required content — is itself violating the Privacy Rule, regardless of what the BA does with the PHI.

The Four Main HIPAA Rules

Privacy Rule (2003)

Establishes national standards for PHI protection. Defines PHI, grants patients six rights, requires minimum-necessary use, mandates Notice of Privacy Practices. Applies to covered entities and (through business associate agreements) their BAs.

Security Rule (2005)

Requires administrative, physical, and technical safeguards for electronic PHI. Includes risk analysis requirement. Standards are flexible (scalable to organization size) but outcomes are mandatory. BAs directly subject since HITECH.

Breach Notification Rule (2009/2013)

Requires notification to affected individuals within 60 days of breach discovery. Breaches affecting 500+ in a state require immediate media notification and HHS notification. All breaches require annual HHS reporting.

Enforcement Rule

Sets penalty structure and investigation process. Four tiers of civil penalties from $100 to $50,000 per violation. Criminal prosecution through DOJ for intentional violations. OCR can audit proactively — not just in response to complaints.

Who Must Comply with HIPAA

HIPAA's primary obligations fall on covered entities:

  • Healthcare providers — hospitals, physician practices, dentists, pharmacies, therapists, chiropractors, and other providers who transmit any health information electronically (even one claim)
  • Health plans — health insurance companies, HMOs, government programs (Medicare, Medicaid), employer-sponsored group health plans with 50+ participants
  • Healthcare clearinghouses — entities that process nonstandard health information into standard electronic format

A solo cash-only practice that never files electronic claims technically may not be a covered entity — though state laws often apply similar requirements regardless.

The Security Rule narrows HIPAA's protection to electronic PHI (ePHI) specifically — health information created, received, maintained, or transmitted in electronic form. It requires covered entities and business associates to implement three categories of safeguards: administrative, physical, and technical. The rule is deliberately flexible: organisations can select appropriate safeguards based on their size, complexity, and risk profile, but the outcomes — protecting ePHI confidentiality, integrity, and availability — are mandatory regardless of which specific safeguards they choose.

The Security Rule's most important requirement is the risk analysis. Every covered entity and BA must conduct a thorough and accurate assessment of potential risks to ePHI confidentiality, integrity, and availability. This isn't a one-time exercise — it must be updated when significant changes occur (new systems, new staff roles, new service lines, major regulatory changes). OCR enforcement actions consistently show that organisations with no documented risk analysis, or one that hasn't been updated in years, face the steepest penalties — not because the risk analysis itself prevents breaches, but because its absence signals systemic compliance neglect.

Administrative safeguards include workforce training, security responsibility designations (a Security Officer), access management policies, contingency planning, and business associate oversight. Physical safeguards govern workstation use policies, facility access controls, and device disposal procedures. Technical safeguards cover access controls (unique user IDs, emergency access procedures), audit controls (logging who accesses what), integrity controls (ensuring ePHI isn't improperly altered), and transmission security (encryption in transit). Building a genuine HIPAA compliance program requires addressing all three safeguard categories, not just the technical ones that IT departments tend to prioritise.
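As an added illustration of the technical safeguards just listed, here is a small Python sketch of an ePHI access gate that enforces unique user IDs, role-based minimum-necessary filtering, an audit trail of every attempt, and a logged emergency-access path. It is example code written for this page, not code from the page's author or from any HIPAA product; the role-to-field mapping, the user IDs, and the patient record are constructed sample data.

```python
# Added example: a minimal minimum-necessary access gate for ePHI with an audit
# trail. Illustrative code only, not the page's own or any HIPAA product's.
# Roles, field names and patient records below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timezone

# Minimum-necessary policy: each workforce role may see only the PHI fields its
# job function needs (assumed role/field mapping for illustration).
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnoses", "medications", "notes"},
    "billing": {"name", "dob", "insurance_id", "procedure_codes"},
    "scheduler": {"name", "phone"},
}

# Constructed sample record keyed by patient id (not a real person).
SAMPLE_RECORDS = {
    "P-0001": {
        "name": "Jane Sample",
        "dob": "1980-01-01",
        "phone": "555-0100",
        "insurance_id": "INS-TEST-1",
        "procedure_codes": ["99213"],
        "diagnoses": ["E11.9"],
        "medications": ["metformin"],
        "notes": "constructed sample note",
    }
}


@dataclass(frozen=True)
class AuditEvent:
    """One audit-control entry: who touched which record, why, and what they saw."""
    timestamp: str
    user_id: str
    role: str
    patient_id: str
    purpose: str
    outcome: str      # "granted" or "denied"
    fields: tuple     # PHI fields actually returned (empty when denied)
    emergency: bool   # break-glass access, flagged for after-the-fact review


class EphiGateway:
    """Mediates every read of ePHI: unique user ID, role-based filtering, audit log."""

    def __init__(self, records):
        self._records = records
        self.audit = []  # list of AuditEvent, append-only

    def _log(self, user_id, role, patient_id, purpose, outcome, fields, emergency):
        self.audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user_id, role, patient_id,
            purpose, outcome, tuple(sorted(fields)), emergency))

    def access(self, user_id, role, patient_id, purpose, emergency=False):
        """Return only the fields the role needs; log every attempt, granted or not."""
        if not user_id:
            # Shared or anonymous accounts defeat accountability; refuse outright.
            raise ValueError("a unique user ID is required for every access")
        record = self._records.get(patient_id)
        allowed = ROLE_FIELDS.get(role)
        if record is None or allowed is None:
            self._log(user_id, role, patient_id, purpose, "denied", (), emergency)
            raise PermissionError(f"{user_id} ({role}) denied access to {patient_id}")
        # Emergency access procedure: the full record is released, but the event
        # is flagged so a privacy officer can review the justification afterwards.
        fields = set(record) if emergency else allowed
        view = {k: v for k, v in record.items() if k in fields}
        self._log(user_id, role, patient_id, purpose, "granted", view.keys(), emergency)
        return view

    def events_for_review(self):
        """Denied attempts and break-glass reads are the entries worth a human look."""
        return [e for e in self.audit if e.outcome == "denied" or e.emergency]


if __name__ == "__main__":
    gw = EphiGateway(SAMPLE_RECORDS)
    print(gw.access("u-sched-01", "scheduler", "P-0001", "appointment reminder"))
    print(gw.access("u-rn-07", "scheduler", "P-0001", "code blue on unit", emergency=True))
    for event in gw.events_for_review():
        print(event)
```

The point of the design is that the policy (which role sees which fields) lives in one place, the gateway is the only path to the data, and the audit log records denials and emergency reads as well as routine access, which is what makes the "audit controls" safeguard useful when a privacy officer later has to answer who looked at a record and why.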

One common Security Rule misconception is that encryption is mandatory. It isn't — encryption of ePHI at rest is an addressable specification, meaning covered entities must assess whether it's appropriate and either implement it or document why an equivalent alternative protects ePHI equally well. In practice, encryption is the default standard that virtually every serious security framework adopts, and OCR looks closely at entities that claim an alternative is adequate without strong documentation supporting that conclusion.

HIPAA Compliance Basics Checklist

  • Determine whether your organization is a covered entity, business associate, or both
  • Complete and document a thorough HIPAA risk analysis covering all ePHI systems
  • Appoint a HIPAA Privacy Officer and a Security Officer (may be the same person)
  • Develop and implement written Privacy and Security policies and procedures
  • Train all workforce members on HIPAA requirements relevant to their role
  • Execute signed Business Associate Agreements with all vendors who access PHI
  • Provide patients with a Notice of Privacy Practices and obtain required acknowledgements
  • Implement access controls limiting PHI access to minimum necessary by role
  • Establish a process for responding to patient rights requests (access, amendment, accounting)
  • Create a breach response plan covering discovery, assessment, notification, and documentation

HIPAA Compliance: Benefits and Burdens

Pros
  • Builds patient trust — demonstrable compliance signals that the organization takes privacy seriously
  • Reduces breach risk when implemented genuinely, saving the far higher cost of a breach response
  • Provides a clear legal framework — organizations know exactly what's required rather than navigating ambiguous standards
  • Compliance programs often improve general data governance practices beyond just healthcare data
  • Federal preemption in some states — HIPAA can simplify compliance when it's stricter than state law
Cons
  • Significant administrative burden — policies, training, agreements, documentation all require ongoing maintenance
  • Compliance doesn't equal security — organizations can be technically compliant and still experience breaches
  • Penalty structure is asymmetric — smaller organizations with fewer resources face the same regulatory requirements as large health systems
  • State privacy laws may impose stricter requirements — HIPAA compliance alone isn't sufficient in some states
  • HIPAA doesn't apply to all health data — consumer apps, fitness trackers, and genetic testing companies often fall outside its scope

HIPAA Violations and Penalties

HIPAA violations range from technical paperwork failures to egregious breaches of patient privacy, and the penalty structure reflects that range. OCR uses a four-tier penalty framework based on culpability: violations where the covered entity didn't know and couldn't have known (Tier 1, $100–$50,000 per violation); violations due to reasonable cause without willful neglect (Tier 2, $1,000–$50,000); willful neglect violations that were corrected within 30 days (Tier 3, $10,000–$50,000); and willful neglect violations not corrected promptly (Tier 4, $50,000 per violation). Each tier has an annual cap per violation category of $1.9 million after 2023 inflation adjustments.

These penalties apply per violation — not per incident — meaning a single breach exposing thousands of records can trigger penalties calculated per affected individual.

Criminal penalties under HIPAA are administered through the Department of Justice rather than HHS. Knowingly accessing or disclosing PHI without authorisation carries up to 1 year imprisonment; doing so under false pretenses carries up to 5 years; doing so for personal gain or malicious intent carries up to 10 years. These criminal penalties apply to individuals, not just organisations — hospital employees who access celebrity patient records out of curiosity have faced federal prosecution under HIPAA's criminal provisions.

OCR also has proactive audit authority — it doesn't just investigate complaints. The HIPAA Audit Program reviews covered entities and business associates for compliance with specific Privacy and Security Rule requirements even in the absence of a reported breach or complaint. For a detailed breakdown of what constitutes a HIPAA violation and how enforcement actions typically unfold, see our dedicated violation guide, which covers real enforcement case examples and the specific issues that trigger OCR investigations most frequently.

Resolution agreements — published documents that OCR and covered entities agree to when settling an investigation — are among the most valuable compliance resources available. They name specific failures, describe the corrective actions required, and often include multi-year compliance monitoring. Reading recent resolution agreements in your sector tells you exactly what OCR found problematic in organisations similar to yours. HHS publishes these on its website and they're searchable by covered entity type, state, and issue area.

HIPAA Enforcement Statistics

  • $1.9M: Maximum civil penalty per violation category per year (post-2023)
  • 60 days: Maximum time to notify patients after breach discovery
  • 500+: Breaches affecting 500+ must be reported to HHS immediately (not just annually)
  • 1996: Year HIPAA was enacted by Congress
  • 3: Safeguard categories required: administrative, physical, technical
  • 10 yrs: Maximum prison sentence for willful PHI theft for personal gain

Who Must Comply with HIPAA Laws?

Determining whether HIPAA applies to your organisation is the prerequisite to any compliance program. The law defines two primary categories of obligated entities: covered entities and business associates. Covered entities are healthcare providers who transmit any health information electronically (even one insurance claim), health plans (including employer-sponsored plans with 50+ participants), and healthcare clearinghouses.

Business associates are vendors or contractors who create, receive, maintain, or transmit PHI on behalf of a covered entity — from medical billing companies to cloud hosting providers to IT support firms with server access. Understanding which category you fall into determines which specific HIPAA requirements apply to you and what documentation you need.

A frequently misunderstood aspect of HIPAA is that it doesn't apply to all health information everywhere. If you tell your employer you have diabetes, your employer isn't subject to HIPAA (though other employment laws may apply). If a consumer fitness app collects your health data, it's likely not subject to HIPAA unless it's operating on behalf of a covered entity. HIPAA's scope is narrower than many people assume — and the data that falls outside it (from consumer health apps, DNA testing services, and workplace wellness programs) is often less protected than patients expect.

Many small businesses and solo practitioners underestimate their HIPAA obligations. A solo therapist who uses an electronic scheduling system that's connected to billing? Covered entity. A freelance medical transcriptionist who receives audio files of patient appointments? Business associate. Dental offices with fewer than five employees? Still covered entities if they file any electronic claims. The organisational size doesn't determine covered entity status — the nature of the information handled does. Those considering HIPAA certification training often discover they have compliance gaps they weren't aware of before they began formal study.

Workforce members — employees, contractors, volunteers — of covered entities and business associates aren't directly subject to HIPAA as individuals (the law imposes obligations on the organisations). However, they can be personally subject to criminal prosecution for HIPAA violations they commit, particularly when accessing PHI without authorisation or disclosing it for personal benefit. This is why workforce training isn't optional — it's the mechanism that makes organisational HIPAA obligations operational at the individual level where most data handling actually occurs.

HIPAA and State Laws

HIPAA sets a federal floor, not a ceiling. States can — and many do — enact stricter health privacy laws than HIPAA requires. When state law provides greater protection to individuals or imposes stricter requirements on covered entities, state law applies. When HIPAA is stricter, HIPAA applies. The result is a patchwork that compliance officers must navigate jurisdiction by jurisdiction, particularly for organisations operating across multiple states. Multi-state telehealth providers face this challenge acutely — a single patient visit can trigger the laws of both the provider's state and the patient's state simultaneously.

Several states have enacted substantially stricter health privacy laws in recent years. California's Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) impose requirements beyond HIPAA for entities operating in California — including applying to some businesses that aren't HIPAA-covered entities at all. Washington State's My Health My Data Act (2023) and Texas Health Data Privacy Law are additional examples of states expanding protections beyond federal minimums, driven partly by gaps in HIPAA's coverage of consumer health apps and data brokers.

Mental health records, HIV/AIDS records, substance abuse treatment records, and genetic information often have stricter state-level protections than HIPAA's baseline. In many states, a standard HIPAA-compliant authorisation is insufficient to release mental health or substance abuse records — additional state-specific consent requirements apply. For the full framework of federal requirements and how they interact with state law in specific contexts, the HIPAA law guide provides a detailed breakdown of preemption rules and the key areas where state law routinely overrides federal minimums.

About the Author

James R. Hargrove, JD, LLM

Attorney & Bar Exam Preparation Specialist

Yale Law School

James R. Hargrove is a practicing attorney and legal educator with a Juris Doctor from Yale Law School and an LLM in Constitutional Law. With over a decade of experience coaching bar exam candidates across multiple jurisdictions, he specializes in MBE strategy, state-specific essay preparation, and multistate performance test techniques.