HIPAA - Health Insurance Portability and Accountability Act Practice Test

HIPAA Meaning: The Basics You Need to Know

HIPAA stands for the Health Insurance Portability and Accountability Act. Congress passed it in 1996, and it's been reshaping how healthcare organizations handle patient data ever since. If you've ever signed a privacy notice at a doctor's office or wondered why your insurer can't just hand your records to anyone who asks, that's HIPAA at work.

At its core, HIPAA does two big things. It protects workers' health insurance when they change jobs or lose employment—that's the "portability" piece. And it sets national standards for protecting health information—that's the "accountability" side. Most people hear HIPAA in the context of privacy, but the law is broader than a lot of folks realize.

There's no single sentence that captures everything HIPAA does, but here's a working definition: HIPAA is a federal law that sets national standards for how covered entities and their business associates may use, disclose, and safeguard individually identifiable health information. Uses and disclosures the law does not already permit (treatment, payment, and healthcare operations, among others) require the patient's written authorization.

Why HIPAA Came to Be

Before HIPAA, there was no federal floor for healthcare privacy. States had their own patchwork of rules—some strong, some nearly nonexistent. Employers and insurers could use health data in ways patients never imagined. A hospital could share your diagnosis with your employer. An insurer could deny coverage based on pre-existing conditions and face no real accountability for how they used your records.

Congress wanted a consistent national standard. The technology landscape was also shifting—electronic health records were becoming more common, and paper-based privacy rules weren't keeping up. HIPAA was designed to modernize health information management while building in real protections for patients.

The Main Rules Under HIPAA

HIPAA isn't a single rule. It's a set of regulations that the Department of Health and Human Services (HHS) has fleshed out over the years. The three most important are the Privacy Rule, which governs how PHI may be used and disclosed; the Security Rule, which requires administrative, physical, and technical safeguards for electronic PHI (ePHI); and the Breach Notification Rule, which dictates who must be told, and how quickly, when PHI is compromised.

There's also the Omnibus Rule from 2013, which implemented the HITECH Act's changes and made business associates (third-party vendors who handle PHI on behalf of covered entities) directly liable for complying with the Security Rule and much of the Privacy Rule. Think IT contractors, billing companies, and cloud storage providers.

Want to test your HIPAA knowledge? Try a HIPAA practice test to see how well you understand the rules before an exam or certification review.


Who Must Follow HIPAA

Not every organization in the country is bound by HIPAA—but the coverage is wide. The law applies to two main categories: covered entities and business associates.

Covered Entities

Covered entities are the healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically. That includes:

If you're a solo family doctor who sends electronic claims to insurance companies, you're a covered entity. If you're a large hospital system with thousands of employees, you're a covered entity. The size of the organization doesn't change the obligation—though it does affect how you implement safeguards.

Business Associates

Business associates are companies or individuals that perform services for covered entities and, in doing so, come into contact with PHI. This category is huge and keeps growing as healthcare becomes more tech-dependent. Examples include:

A covered entity must have a written Business Associate Agreement (BAA) in place before it lets a business associate create, receive, maintain, or transmit PHI on its behalf. Handing PHI to a vendor without a BAA is itself a violation for the covered entity, and since the Omnibus Rule the business associate is directly liable for how it handles that data as well. Missing or outdated BAAs are one of the most common HIPAA compliance gaps in smaller healthcare organizations.

Who's NOT Covered

HIPAA doesn't cover everyone who touches health information. Life insurers, employers in general, workers' compensation carriers, and most school records are outside HIPAA's jurisdiction. Social media platforms aren't covered either—even if you post about your own health conditions. Many people assume HIPAA applies wherever health data exists. It doesn't. It applies where covered entities and their business associates handle protected health information.

What Is Protected Health Information (PHI)?

PHI is individually identifiable health information held or transmitted by a covered entity or business associate. The Privacy Rule's Safe Harbor de-identification standard lists 18 identifiers that tie health data to a person; if any remain, the data is PHI. They include names, dates (other than year) directly related to an individual, geographic subdivisions smaller than a state, phone numbers, email addresses, Social Security numbers, and more.

PHI covers information in any format—paper records, electronic files, and even spoken conversations. If a nurse mentions your diagnosis in a hallway loud enough for others to hear, that's a potential HIPAA concern. The rule applies to past, present, and future health information.

For data to become de-identified under the Safe Harbor method, and thus fall outside HIPAA's scope, all 18 identifiers must be removed and the organization must have no actual knowledge that what remains could still identify the individual. The alternative, Expert Determination, has a qualified expert document that the risk of re-identification is very small. Organizations that want to use health data for research or marketing without privacy restrictions need to go through one of these processes. This isn't as simple as removing a name from a file: dates must be reduced to the year, ages of 90 and over must be lumped together (including the birth year, which would otherwise reveal the age), and ZIP codes must be cut to three digits or dropped entirely for sparsely populated areas.
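As an added example, not code from the original page, here is a Python sketch of the mechanisable part of the Safe Harbor method applied to one constructed patient record. The field names, the record layout, and the free-text regexes are assumptions chosen for illustration; the restricted three-digit ZIP list is the 2000-census list cited in HHS guidance and should be checked against current guidance before use.

```python
"""Safe Harbor de-identification of a single patient record (added example).

Applies the rules that can be automated: drop direct identifiers, keep only
the year of any date, collapse ages of 90 and over into "90+" (and withhold
the birth year in that case), truncate ZIP codes to three digits or "000",
and redact identifier-shaped strings from free text. Field names and the
record layout are assumptions for this example, not a standard schema.
"""
import re
from datetime import date

# Direct identifiers that are removed outright (assumed field names).
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "email", "fax", "ip", "url", "device_id",
    "health_plan_id", "account", "license", "vehicle_id", "biometric", "photo",
}

# ZIP3 areas with 20,000 or fewer residents per the 2000-census list cited
# in HHS guidance; Safe Harbor requires these to be reported as "000".
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Constructed patterns for obvious identifiers in free text. Regexes only
# catch the well-formed cases; real clinical notes need more than this.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless that ZIP3 area is restricted."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(dob: date, as_of: date) -> str:
    """Age in whole years; everything 90 and above collapses to "90+"."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(age)


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings with placeholder tags."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a new dict with the Safe Harbor transformations applied."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            age = generalize_age(value, as_of)
            out["age"] = age
            if age != "90+":                          # year would reveal age > 89
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[key] = str(value.year)                # any other date: year only
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "dob": date(1932, 3, 4),
    "zip": "03601",
    "admitted": date(2024, 2, 9),
    "diagnosis": "Type 2 diabetes",
    "note": "Daughter can be reached at 603-555-0142 or jq@example.org; follow-up 3/15/2024.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, date(2024, 6, 1)))
```

Two details carry most of the lesson: the ZIP "03601" becomes "000" rather than "036" because that area is on the restricted list, and the 1932 birth date yields only "90+" with no birth year, because a year that implies an age over 89 is itself an identifier. The regex scrubbing only handles well-formed strings; Safe Harbor's "no actual knowledge" condition still requires a human to review what the automation leaves behind.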

Patient Rights Under HIPAA

HIPAA doesn't just restrict how organizations use your data. It gives you real rights as a patient:

These rights matter more than most patients realize. When a hospital takes three months to provide records or a clinic refuses to show you what's in your file, there may be a HIPAA violation worth reporting.

HIPAA Violations and Penalties

The consequences for HIPAA violations are real—and they've gotten steeper over time. The Office for Civil Rights (OCR) within HHS is responsible for enforcement. They investigate complaints, conduct audits, and impose civil monetary penalties.

Penalties are tiered based on culpability:

Annual caps apply per violation category, but multi-million dollar settlements are common for serious breaches. The 2020s have seen record-setting enforcement actions—hospitals, insurers, and even dental practices have faced seven-figure fines.

Criminal penalties are handled by the Department of Justice. Knowingly obtaining or disclosing PHI without authorization can lead to fines up to $50,000 and one year in prison. If the violation involves false pretenses, those numbers jump to $100,000 and five years. Intent to sell or use PHI for personal gain? Up to $250,000 and ten years.

Common HIPAA Violations in the Real World

Most violations aren't dramatic data heists. They're mundane mistakes that stack up:

The Breach Notification Rule also means that organizations can't quietly absorb a data incident. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. A breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets serving that area, and any breach affecting 500 or more individuals must be reported to HHS within the same 60-day window, after which it appears on HHS's public breach portal, informally known as the "Wall of Shame," a searchable database of reported breaches. Smaller breaches are logged and reported to HHS annually.

HIPAA and the Modern Healthcare Environment

HIPAA was written in 1996, before smartphones, cloud computing, or telehealth as we know it today. The law has been updated—notably through the HITECH Act in 2009 and the Omnibus Rule in 2013—but it's still catching up with technology.

Telehealth exploded during the COVID-19 pandemic. HHS issued a temporary notification of enforcement discretion that let providers use everyday video platforms like FaceTime and Zoom without full HIPAA compliance. That flexibility was always meant to be temporary, and it expired on May 11, 2023 along with the public health emergency, followed by a 90-day transition period. Healthcare organizations using video platforms for patient care now need to be on HIPAA-compliant solutions with proper BAAs in place.

Wearable devices are another gray area. Your Fitbit data isn't PHI if Fitbit collects it directly—because Fitbit isn't a covered entity. But if your cardiologist's office integrates that data into your health record, the dynamic changes. This intersection of consumer tech and healthcare data is where HIPAA's edges get blurry.

Artificial intelligence in healthcare adds another layer. AI tools trained on patient data, used for diagnosis or treatment recommendations, touch PHI. Whether AI vendors qualify as business associates—and what safeguards they must implement—is an active area of regulatory guidance.

HIPAA Compliance in Practice

For healthcare organizations, HIPAA compliance isn't a checkbox. It's an ongoing program. The Security Rule, in particular, requires organizations to conduct regular risk analyses—identifying where ePHI lives, how it moves, and what could go wrong.

A real compliance program includes:

Small practices sometimes try to handle HIPAA with a one-time policy manual they downloaded from the internet. That approach rarely survives an audit. OCR expects to see evidence of an active compliance culture—not just documentation that exists but isn't followed.

For anyone working toward a HIPAA-related certification or role, understanding these practical realities is just as important as knowing the statutory text. The HIPAA practice test questions on certification exams often test real-world judgment, not just definitions.

What does HIPAA stand for?

HIPAA stands for the Health Insurance Portability and Accountability Act. It was enacted by the U.S. Congress in 1996 and is primarily enforced by the Department of Health and Human Services Office for Civil Rights.

Who is required to comply with HIPAA?

HIPAA applies to covered entities—healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically—and to their business associates, which are third-party vendors or contractors that handle protected health information on behalf of covered entities.

What is considered protected health information under HIPAA?

Protected health information (PHI) is any individually identifiable health information held or transmitted by a covered entity or its business associate. This includes 18 specific identifiers—such as names, dates, geographic data, Social Security numbers, and phone numbers—when combined with health or payment data related to an individual's medical care.

Does HIPAA apply to employers or social media platforms?

No. HIPAA only applies to covered entities and their business associates. General employers, life insurance companies, workers' compensation programs, and social media platforms are not covered under HIPAA, even when they handle information about someone's health. A friend posting about your illness online or your employer learning about a diagnosis doesn't create a HIPAA violation.

What are the penalties for violating HIPAA?

Civil penalties are adjusted for inflation each year. As of the 2023 adjustment they range from $137 per violation for violations the organization did not know about (and could not reasonably have known about) to over $2 million per violation category annually for willful neglect that goes uncorrected. Criminal penalties, handled by the Department of Justice, can include fines up to $250,000 and prison sentences up to 10 years for the most serious intentional misuse of PHI.

What rights does HIPAA give patients?

HIPAA gives patients the right to access and receive copies of their health records, request corrections to inaccurate information, get an accounting of who has received their PHI, request certain restrictions on how their information is used, and request that communications be delivered through specific channels. Providers generally must respond to access requests within 30 days.

How is HIPAA different from state health privacy laws?

HIPAA sets a federal floor for health privacy protections. States can pass stronger laws, and many have, but a state provision that is contrary to HIPAA and less protective is preempted. When state law provides greater protections for patients, or greater rights of access to their records, the state law applies. Organizations must comply with whichever standard is stricter in their jurisdiction.
