What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. Originally passed to improve the portability of health insurance coverage, HIPAA evolved into the primary legal framework governing the privacy and security of health data in the United States.
HIPAA applies to covered entities — healthcare providers, health plans and healthcare clearinghouses — and their business associates who handle protected health information (PHI) on their behalf. Unlike PCI DSS or ISO 27001, HIPAA does not prescribe specific technical controls. Instead it requires organisations to implement reasonable and appropriate safeguards based on their size, complexity and risk profile.
Why Was HIPAA Created?
In 1996 healthcare records were largely paper-based but rapidly moving to electronic systems. Congress recognised that this transition created both opportunity and significant risk — patient data could be exploited, shared without consent or lost in a breach. HIPAA was enacted to set a federal floor for health data protection that would apply consistently across all states.
The original 1996 Act was followed by several major rules: the Privacy Rule (2000), the Security Rule (2003), the Enforcement Rule (2006) and the Breach Notification Rule (2009). The HITECH Act of 2009 significantly strengthened HIPAA by increasing penalties and extending obligations directly to business associates. The Omnibus Rule of 2013 consolidated these changes into the comprehensive HIPAA framework in use today.
| Standard Body | US Department of Health and Human Services (HHS) |
| Current Version | Omnibus Rule 2013 (most recent major update) |
| Mandatory or Voluntary | Mandatory — federal law |
| Geography | USA — applies to covered entities and business associates |
| Maximum penalty | Up to $1.9 million per violation category per year + criminal charges |
| Official Resource | hhs.gov/hipaa |
Who Does HIPAA Apply To?
| Entity type | Examples |
|---|---|
| Covered entities — Healthcare providers | Hospitals, clinics, doctors, dentists, pharmacies, nursing homes |
| Covered entities — Health plans | Health insurance companies, HMOs, Medicare, Medicaid, employer health plans |
| Covered entities — Healthcare clearinghouses | Entities that process non-standard health information into standard formats |
| Business associates | Cloud providers, billing companies, IT support firms, legal counsel, accountants, EHR vendors — any third party handling PHI on behalf of a covered entity |
The Four HIPAA Rules
HIPAA compliance is governed by four main rules, each addressing a different aspect of health data protection.
| Rule | Purpose | Key requirement |
|---|---|---|
| Privacy Rule | Governs use and disclosure of PHI | PHI may only be used or disclosed for treatment, payment or healthcare operations — or with patient authorisation |
| Security Rule | Protects electronic PHI (ePHI) | Administrative, physical and technical safeguards must be implemented to protect ePHI confidentiality, integrity and availability |
| Breach Notification Rule | Requires notification after a breach | Covered entities must notify affected individuals within 60 days, HHS annually (or immediately for breaches of 500+), and media for large breaches |
| Enforcement Rule | Sets penalties for non-compliance | HHS Office for Civil Rights investigates complaints and can impose civil and criminal penalties |
The HIPAA Security Rule — Three Safeguard Categories
The Security Rule requires covered entities and business associates to implement safeguards across three categories. Each category contains both required and addressable specifications — required specifications must be implemented, addressable specifications must be implemented if reasonable and appropriate.
Administrative Safeguards
| Standard | Description | Type |
|---|---|---|
| Security management process | Implement policies to prevent, detect, contain and correct security violations — includes risk analysis and risk management | Required |
| Assigned security responsibility | Identify the security official responsible for developing and implementing security policies | Required |
| Workforce security | Implement policies to ensure workforce members have appropriate access to ePHI and prevent unauthorised access | Addressable |
| Information access management | Implement policies for authorising access to ePHI consistent with the Privacy Rule | Addressable |
| Security awareness and training | Implement security awareness and training programme for all workforce members including management | Addressable |
| Security incident procedures | Implement policies to address security incidents — identify, respond to, mitigate and document incidents | Required |
| Contingency plan | Establish policies for responding to emergencies that damage systems containing ePHI — data backup, disaster recovery, emergency mode operations | Required |
| Evaluation | Perform periodic technical and non-technical evaluations of security measures in response to environmental or operational changes | Required |
| Business associate contracts | Obtain satisfactory assurances from business associates that they will appropriately safeguard ePHI through written contracts (BAAs) | Required |
Physical Safeguards
| Standard | Description | Type |
|---|---|---|
| Facility access controls | Implement policies to limit physical access to electronic information systems and the facilities in which they are housed | Addressable |
| Workstation use | Implement policies specifying proper functions performed on workstations and physical attributes of the surroundings | Required |
| Workstation security | Implement physical safeguards for workstations that access ePHI to restrict access to authorised users only | Required |
| Device and media controls | Implement policies governing receipt and removal of hardware and electronic media containing ePHI — includes disposal, re-use, accountability and data backup | Addressable |
Technical Safeguards
| Standard | Description | Type |
|---|---|---|
| Access control | Implement technical policies to allow access to ePHI only to authorised persons or software — unique user identification, emergency access, automatic logoff, encryption | Required |
| Audit controls | Implement hardware, software or procedural mechanisms to record and examine activity in systems that contain or use ePHI | Required |
| Integrity controls | Implement policies to protect ePHI from improper alteration or destruction — authentication mechanisms to corroborate that ePHI has not been altered | Addressable |
| Person or entity authentication | Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed | Required |
| Transmission security | Implement technical security measures to guard against unauthorised access to ePHI transmitted over electronic communications networks — encryption strongly recommended | Addressable |
Patient Rights Under HIPAA
| Right | Description |
|---|---|
| Right of access | Patients can request copies of their health records — must be provided within 30 days |
| Right to amend | Patients can request corrections to their health records if they believe information is incorrect or incomplete |
| Right to accounting of disclosures | Patients can request a list of disclosures of their PHI made in the previous six years |
| Right to request restrictions | Patients can request restrictions on how their PHI is used or disclosed — covered entities must comply with restrictions on disclosures to health plans for self-paid services |
| Right to confidential communications | Patients can request to receive communications through alternative means or at alternative locations |
| Right to notice of privacy practices | Patients must receive a clear written notice explaining how their PHI may be used and their rights |
Securitora Assessment
HIPAA is one of the most complex compliance frameworks to implement because of its flexibility — the lack of prescriptive technical controls means organisations must make their own risk-based decisions, which requires genuine security expertise. The most common failure points are inadequate risk assessments, missing Business Associate Agreements and poor access controls on electronic health records. For healthcare technology vendors, HIPAA compliance is table stakes for selling into the US healthcare market.
| Recommended for | Healthcare providers, health plans, clearinghouses and all their business associates |
| Difficulty to implement | High — flexible but requires deep risk assessment expertise and ongoing programme management |
| Best used with | HITRUST CSF · NIST CSF 2.0 · ISO 27001 |
| Official resource | hhs.gov/hipaa → |