HIPAA — Health Insurance Portability and Accountability Act
Overview last updated: January 2026
What Is HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996. While HIPAA originally focused on health insurance portability, it's best known today for its privacy and security provisions — specifically the Privacy Rule (2003) and the Security Rule (2005), later strengthened by the HITECH Act (2009) and the Omnibus Rule (2013).
HIPAA establishes national standards for protecting individuals' medical records and other personal health information.
Who Must Comply
HIPAA applies to two categories of entities:
Covered Entities
- Healthcare providers who conduct electronic transactions (hospitals, physicians, dentists, chiropractors, nursing homes, pharmacies)
- Health plans (health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid)
- Healthcare clearinghouses (entities that process health information from nonstandard to standard formats)
Business Associates
A business associate is any person or organization that performs functions or activities on behalf of a covered entity that involve access to Protected Health Information (PHI). This includes:
- Cloud service providers hosting health data
- IT companies with access to systems containing PHI
- Billing and coding companies
- Law firms with access to PHI
- Shredding and disposal companies
- Consultants who access PHI
- SaaS platforms used in healthcare workflows
Business associates must sign a Business Associate Agreement (BAA) with each covered entity they work with and must comply with applicable HIPAA requirements directly.
Protected Health Information (PHI)
PHI is any individually identifiable health information held or transmitted by a covered entity or its business associates. This includes:
- Medical records, lab results, and diagnoses
- Insurance claims and billing information
- Conversations between doctors and nurses about patient care
- Information in a health plan's computer system
- Billing information about a patient
PHI can be in any form — electronic (ePHI), paper, or oral. The Security Rule specifically addresses ePHI.
The 18 HIPAA Identifiers
HIPAA defines 18 types of identifiers that make health information "individually identifiable":
- Names
- Geographic data smaller than a state
- Dates (except year) related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers
- URLs
- IP addresses
- Biometric identifiers
- Full-face photographs
- Any other unique identifying number or code
The Privacy Rule
The Privacy Rule establishes standards for how covered entities and business associates use and disclose PHI. Key provisions:
Permitted Uses and Disclosures
PHI may be used or disclosed without individual authorization for:
- Treatment: Providing, coordinating, or managing healthcare
- Payment: Billing, claims management, utilization review
- Healthcare Operations: Quality assessment, compliance, business planning, credentialing
Additional permitted disclosures (without authorization) include situations involving public health, abuse or neglect, health oversight, judicial proceedings, law enforcement, organ donation, research (with limitations), threats to health or safety, workers' compensation, and government functions.
Authorization Required
Written authorization from the individual is required for:
- Use of PHI for marketing purposes
- Sale of PHI
- Disclosure of psychotherapy notes
- Most other uses not related to treatment, payment, or operations
Minimum Necessary Standard
When using or disclosing PHI, covered entities must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. This doesn't apply to treatment-related disclosures.
Individual Rights Under the Privacy Rule
- Right to access their PHI (with limited exceptions)
- Right to request amendments to their records
- Right to an accounting of disclosures
- Right to request restrictions on certain uses or disclosures
- Right to request confidential communications
- Right to receive a paper copy of the Notice of Privacy Practices
The Security Rule
The Security Rule applies specifically to electronic PHI (ePHI) and requires covered entities and business associates to implement:
Administrative Safeguards
- Security management process (risk analysis, risk management)
- Assigned security responsibility
- Workforce security (authorization, clearance, termination procedures)
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency planning
- Evaluation of security controls
Physical Safeguards
- Facility access controls
- Workstation use and security policies
- Device and media controls (disposal, re-use, accountability, backup)
Technical Safeguards
- Access controls (unique user IDs, emergency access, automatic logoff, encryption)
- Audit controls (logging and monitoring)
- Integrity controls (mechanisms to confirm ePHI hasn't been altered)
- Transmission security (encryption of ePHI in transit)
The Security Rule distinguishes between "required" and "addressable" implementation specifications. "Addressable" doesn't mean optional — it means you must implement the specification or document why an equivalent alternative is reasonable and appropriate.
The Notice of Privacy Practices
The Notice of Privacy Practices (NPP) is a legally mandated document that covered entities must provide to individuals. This is where your privacy policy directly matters under HIPAA.
What the NPP Must Include
The Privacy Rule (45 CFR § 164.520) is specific about required content:
- A header stating "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." (Yes, this exact language is required.)
- Description of uses and disclosures for treatment, payment, and healthcare operations, with at least one example of each
- Description of each other purpose for which the entity is permitted or required to disclose PHI without authorization
- Description of types of uses requiring authorization, and a statement that authorization can be revoked
- Individual rights and how to exercise them
- The entity's duties (maintain privacy of PHI, provide notice of its practices, abide by the terms of the current notice)
- A statement about the right to file complaints, with contact information for both the entity and the Secretary of HHS
- Contact information for the entity's privacy officer
- Effective date of the notice
- A statement that the entity reserves the right to change the notice and how revised notices will be distributed
Distribution Requirements
- Healthcare providers with direct treatment relationships must provide the NPP at the first service encounter and make a good-faith effort to obtain written acknowledgment
- Health plans must provide the NPP at enrollment and within 60 days of any material revision
- The NPP must be posted prominently at the provider's physical location
- The NPP must be available on the entity's website if it maintains one
Business Associates and the NPP
Business associates are not required to have their own NPP. However, they must comply with the HIPAA requirements specified in their BAA and must have their own privacy and security policies governing their handling of PHI.
The HITECH Act and Breach Notification
The HITECH Act (2009) added significant provisions:
- Breach notification requirements: Covered entities must notify affected individuals, the HHS Secretary, and (for breaches affecting 500+ individuals) prominent media outlets within 60 days of discovering a breach of unsecured PHI.
- Direct liability for business associates: Business associates became directly liable for HIPAA violations, not just contractually liable through BAAs.
- Increased penalties: Tiered penalty structure based on the level of negligence, up to $1.5 million per violation category per year (now adjusted for inflation — currently up to approximately $2.1 million).
- State Attorney General enforcement: State AGs gained authority to bring civil actions for HIPAA violations on behalf of state residents.
Enforcement
HIPAA is enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). Enforcement actions include:
- Complaint-driven investigations (the most common trigger)
- Compliance reviews initiated by OCR
- Breach report investigations (triggered by breach notifications)
Penalties range from $137 to $2,134,831 per violation (2024 adjusted amounts), with an annual maximum of $2,134,831 per identical violation category. Criminal penalties (handled by the Department of Justice) can include fines up to $250,000 and imprisonment up to 10 years for offenses committed with intent to sell PHI.
How Privacy Policy Review Helps
If you're a covered entity, your Notice of Privacy Practices is a legally mandated document with specific required content. Our service reviews your NPP against the Privacy Rule requirements in 45 CFR § 164.520, identifying missing sections, incomplete disclosures, and language that doesn't meet the regulatory specificity standards. An attorney verifies the findings in a signed Record of Review.
If you're a business associate, you're not required to have an NPP, but you likely have a privacy policy for your own product or service. We can review that against HIPAA principles to ensure your public-facing statements are consistent with your obligations under your BAAs.
Ready to review your privacy policy?
Get AI-powered compliance analysis verified by an attorney — flat $199 per review.