HIPAA
Health Insurance Portability and Accountability Act
US federal law setting national standards for protecting sensitive patient health information from disclosure without patient knowledge or consent.
Overview
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established the first US national standards for the privacy and security of protected health information (PHI). The law applies to covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates, which are vendors and contractors that create, receive, maintain, or transmit PHI on behalf of a covered entity.
HIPAA has three main rules: the Privacy Rule governs the use and disclosure of PHI and gives patients rights over their health information; the Security Rule sets standards for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards; and the Breach Notification Rule requires notification of patients, HHS, and in some cases the media when unsecured PHI is breached. The HITECH Act of 2009 significantly strengthened HIPAA enforcement, increased penalties, and extended obligations directly to business associates.
HIPAA enforcement has intensified significantly over the past decade. HHS/OCR has levied hundreds of millions of dollars in fines, and enforcement actions increasingly target organisations of all sizes. State attorneys general can also enforce HIPAA, and violations can trigger civil and criminal liability. The 21st Century Cures Act (2016) and ongoing rulemaking continue to evolve HIPAA requirements, including around information blocking and patient data access.
Scope & Applicability
HIPAA applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and their business associates. Protected Health Information (PHI) is individually identifiable health information, including demographic data, that relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare, or the payment for healthcare. The Security Rule applies specifically to electronic PHI (ePHI).
Key Principles
1. Minimum Necessary: covered entities must make reasonable efforts to use, disclose, and request only the minimum PHI necessary for the intended purpose
2. Individual Rights: patients have rights to access, amend, and receive an accounting of disclosures of their PHI
3. Safeguards: covered entities and business associates must implement administrative, physical, and technical safeguards for PHI
4. Accountability: covered entities must designate a Privacy Officer and Security Officer, train workforce members, and document policies and procedures
5. Breach Prevention and Response: robust processes must detect, contain, and report breaches of unsecured PHI
6. Business Associate Management: contractual safeguards must flow down HIPAA obligations to all business associates handling PHI
Data Subject Rights
Patients have the right to inspect and receive copies of their PHI in a designated record set within 30 days (extendable to 60). OCR has aggressively enforced this right, fining providers for unreasonable access barriers.
Patients can request amendment of their PHI if they believe it is inaccurate or incomplete. Covered entities can deny the amendment in specific circumstances but must provide a mechanism for the individual to submit a statement of disagreement.
Patients can request a list of disclosures of their PHI made for purposes other than treatment, payment, and healthcare operations for the prior six years.
Patients can request restrictions on how their PHI is used or disclosed. Covered entities must honour a patient's request to restrict disclosure to a health plan when the patient has paid out-of-pocket in full.
Patients can request that covered entities communicate with them through alternative means or at alternative locations, and reasonable requests must be accommodated.
Patients are entitled to receive a Notice of Privacy Practices (NPP) describing how their PHI may be used and their rights, at first point of service.
Business Obligations
Designated Privacy and Security Officers
Covered entities and business associates must designate a Privacy Officer responsible for privacy policies and a Security Officer responsible for ePHI security.
Risk Analysis and Risk Management
An accurate and thorough assessment of the potential risks and vulnerabilities to ePHI must be conducted, and a risk management plan must be implemented and reviewed regularly.
Business Associate Agreements (BAAs)
Written contracts with all business associates must establish the permitted uses and disclosures of PHI, require appropriate safeguards, and mandate breach reporting to the covered entity.
Workforce Training
All workforce members must receive regular HIPAA training on policies, procedures, and their obligations regarding PHI, with training documented.
Technical and Physical Safeguards
ePHI must be protected by access controls, audit controls, transmission security (encryption), and physical facility access controls as required by the Security Rule.
Breach Notification
Breaches of unsecured PHI affecting 500+ individuals in a state must be reported to HHS and the media within 60 days; smaller breaches are reported to HHS annually. Affected individuals must always be notified within 60 days.
Cross-Border Transfer Rules
HIPAA does not include specific cross-border data transfer restrictions analogous to GDPR. However, covered entities and business associates remain responsible for PHI security and privacy regardless of where data is processed or stored. International vendors handling PHI must sign BAAs and provide equivalent safeguards. Organisations subject to both HIPAA and international privacy laws (e.g., GDPR) must navigate both frameworks simultaneously, as HIPAA generally sets the floor for health data protection.
Breach Notification Requirements
Within 60 days of discovering the breach: for large breaches (500+ individuals in a state), notification to HHS and the media is required; small breaches are reported annually to HHS
HHS Office for Civil Rights: large breaches require prompt media notice and simultaneous HHS notification within 60 days of discovery
All affected individuals must receive written notification by first-class mail (or email if authorised) within 60 days of discovery of the breach
How TruePrivacy Helps
Purpose-built tools for every HIPAA obligation.
Automated scanning identifies and classifies PHI across all systems β EHRs, cloud storage, email, analytics platforms β building a comprehensive PHI inventory.
A centralised BAA register tracks every vendor with PHI access, monitors contract expiry, flags missing BAAs, and triggers renewal workflows.
Structured breach response workflows assess whether an incident constitutes a reportable breach, generate HHS notification reports, and draft individual notices within the 60-day window.
Guided risk analysis templates align with the HHS Security Risk Assessment Tool methodology, producing audit-ready documentation for OCR investigations.
A compliant patient portal handles access requests with identity verification, fee management, and 30-day deadline tracking, reducing manual burden on the Privacy Officer.
Tamper-evident audit logs track every instance of PHI access, modification, and disclosure, supporting the Security Rule's audit control requirements.
Ready to achieve HIPAA compliance?
TruePrivacy automates your compliance workflows so your team can focus on what matters.