Summary
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law that sets national standards for protecting sensitive patient health information from disclosure without the patient's consent or knowledge.
What is HIPAA?
Enacted in 1996, HIPAA applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — as well as their business associates who handle protected health information (PHI). The law establishes three key rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
The Security Rule specifically addresses electronic PHI (ePHI) and requires administrative, physical, and technical safeguards. Technical safeguards include access controls, audit controls, integrity controls, and transmission security. Organizations must conduct regular risk assessments to identify vulnerabilities.
The HITECH Act of 2009 strengthened HIPAA enforcement and significantly increased penalties for violations. A single breach can result in fines ranging from $100 to $50,000 per violation, with an annual cap of up to $1.9 million per violation category.
Why is HIPAA relevant?
- Healthcare sector mandate: Required for any organization handling U.S. patient health data
- Business associate liability: Third-party vendors handling PHI are directly liable under HIPAA
- Risk assessment requirement: Regular security risk assessments are explicitly mandated
- Breach response: Covered entities must notify affected individuals, HHS, and sometimes media within 60 days of a breach