HIPAA — Health Insurance Portability and Accountability Act
HIPAA (1996) protects the privacy and security of protected health information (PHI) in the US with strict requirements for healthcare providers and their business associates.
Summary
HIPAA (Health Insurance Portability and Accountability Act) was signed in 1996 and is the primary US federal law protecting health data. It establishes national standards for protecting sensitive patient health information and restricts its disclosure without patient consent.
- Privacy Rule: Sets standards for who may access protected health information (PHI) and under what circumstances it may be disclosed.
- Security Rule: Mandates administrative, physical, and technical safeguards for electronic PHI (ePHI).
- Breach Notification Rule: Requires notification of data breaches affecting PHI.
- Business Associate Agreements: Third parties handling PHI must sign binding agreements.
History
HIPAA was signed by President Clinton on 21 August 1996. Originally focused on health insurance portability, Congress added privacy and security provisions as healthcare digitization increased. The Privacy Rule was finalized in 2003, the Security Rule in 2005. The HITECH Act (2009) significantly expanded HIPAA through stricter penalty provisions and the Breach Notification Rule. The 2013 Omnibus Rule (HIPAA/HITECH Omnibus Rule) extended requirements to business associates and strengthened sanctions. On December 27, 2024, HHS published an NPRM to fundamentally overhaul the Security Rule — the first major update since 2013. Finalization is targeted for May 2026.
Scope
HIPAA applies to "Covered Entities": healthcare providers who transmit health information electronically in connection with certain transactions; health plans; healthcare clearinghouses. "Business Associates" are third parties processing PHI on behalf of a covered entity and are also directly subject to HIPAA. The geographic scope covers all entities processing US health information, regardless of location.
Key Requirements
- Minimum necessary standard: Only the minimum necessary PHI may be used or disclosed.
- Patient rights: Right to access, copy, amend, and restrict use of their own PHI.
- Administrative safeguards: Security officer, risk analysis, workforce training, access management.
- Physical safeguards: Access controls to facilities and workstations/devices.
- Technical safeguards: Access control, audit controls, transmission security, encryption (addressable).
- Breach notification: Notification to affected individuals (60 days), HHS, and media for large breaches.
- Fines: Up to USD 2,190,294 per violation category per year (inflation-adjusted, as of 2026); criminal penalties up to 10 years imprisonment.
Related Frameworks
Corrections & Errata
1 correction:
- Incorrect date for Breach Notification Rule
3 updates:
- Outdated maximum penalty: $1.9M instead of $2.19M (2026)
- Missing recent development: Security Rule NPRM (December 2024)
- last_amended outdated — missing 2024 HIPAA Privacy Rule amendment