HIPAA 1996 Explained: What It Is, Key Rules, and Compliance Requirements

Kevin Henry

HIPAA

June 10, 2025

7 minute read
HIPAA Overview

Purpose and scope

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It protects the privacy and security of health data, standardizes electronic transactions, and strengthens accountability for misuse of Protected Health Information (PHI).

You must comply with HIPAA if you create, receive, maintain, or transmit PHI in connection with healthcare delivery, payment, or operations. HIPAA sets a national floor: it preempts contrary state law, except where a state law is more stringent (more protective of the individual), in which case the stricter state law still applies.

Key terms you need to know

Protected Health Information (PHI) includes any individually identifiable health information in any form—paper, verbal, or electronic—that relates to a person’s health, care, or payment. De-identified data is not PHI.

Covered Entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction. Business Associates are vendors or subcontractors that create, receive, maintain, or transmit PHI on behalf of a Covered Entity; since the HITECH Act and the 2013 Omnibus Rule they are directly liable for the Security Rule and for the Privacy Rule provisions that apply to them, not just contractually through their agreements.

HIPAA Titles

HIPAA is organized into five titles. Title II’s Administrative Simplification provisions drive most day-to-day privacy, security, and enforcement requirements you must implement.

  • Title I: Improves health insurance portability and limits preexisting condition exclusions.
  • Title II: Establishes privacy and security standards for PHI, electronic transaction standards, unique identifiers, and the Enforcement Rule.
  • Title III: Sets certain tax-related health provisions, such as medical savings account rules.
  • Title IV: Further refines group health plan requirements and coverage protections.
  • Title V: Contains revenue offset provisions and rules on company-owned life insurance and expatriates.

Privacy Rule

Scope and permitted uses

The Privacy Rule governs how Covered Entities and Business Associates may use and disclose PHI. You may use or disclose PHI without authorization for treatment, payment, and healthcare operations and for specific public-interest purposes defined by HIPAA.

The “minimum necessary” standard requires you to limit PHI uses, disclosures, and requests to the amount reasonably needed for the purpose. It does not apply to disclosures to a healthcare provider for treatment, to the individual, or to uses and disclosures the individual has authorized. Implement it through documented role-based access: define which roles need which classes of PHI, enforce that in your systems, and apply it consistently.

Individual rights

Patients have rights to access and obtain copies of their PHI, request amendments, receive an accounting of certain disclosures, request restrictions, and ask for confidential communications. You must provide a clear Notice of Privacy Practices describing these rights and your obligations.

Authorizations and de-identification

When a use or disclosure is not otherwise permitted or required, you must obtain a valid, written authorization from the individual. To take data out of HIPAA’s scope, you may de-identify it in one of two ways: the safe-harbor method, which removes 18 specified identifiers of the individual and of their relatives, employers, and household members and requires that you have no actual knowledge that the remaining information could identify the individual; or expert determination, in which a qualified expert applies accepted statistical or scientific principles and documents that the risk of re-identification is very small.
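The safe-harbor method is mechanical enough to implement and test. The block below is an added example (not code from the article or from Accountable) that applies the safe-harbor rules to one constructed record: it drops direct identifiers, keeps only the year of dates, collapses ages over 89 to "90+" (dropping the birth date, whose year would reveal the age), and generalizes ZIP codes to their first three digits, or to "000" for the low-population ZIP3 areas. The field names, the sample record, the free-text regexes, and the `RESTRICTED_ZIP3` list (the set published in HHS's de-identification guidance, derived from 2000 Census data) are assumptions; re-derive the prefix list from current census data before relying on it.

```python
"""Safe-harbor de-identification of a patient record (45 CFR 164.514(b)(2)).

Added example, not from the article. The record schema, field names, the
sample record and the free-text patterns are assumptions for illustration.
"""
import re
from datetime import date
from typing import Any

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer and
# must therefore be recoded to "000". This is the list from HHS's
# de-identification guidance (2000 Census data); it is embedded here as an
# assumption and should be re-derived from current census data before use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Assumed field names holding direct identifiers; they are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {"name", "street", "city", "county", "phone", "fax",
                            "email", "ssn", "mrn", "health_plan_id", "account_no",
                            "license_no", "vehicle_id", "device_id", "url", "ip",
                            "biometric", "photo"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Free-text scrubbing catches only structured identifiers (SSN, phone, email).
# Names and other unstructured identifiers in notes need review or a dedicated
# tool; regexes alone do not satisfy safe harbor for free text.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or "000" for a restricted ZIP3 area."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text: str) -> str:
    """Replace structured identifiers in free text with placeholder tags."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def deidentify(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Return a safe-harbor copy of record; as_of is the reference date for age."""
    dob = record.get("dob")
    over_89 = isinstance(dob, date) and age_on(dob, as_of) > 89
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # direct identifier: drop
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            if not isinstance(value, date):
                continue                  # unparsed date: drop rather than leak
            if key == "dob" and over_89:
                continue                  # birth year would reveal age 90+
            out[key] = value.year         # all other date elements removed
        elif key == "age" and isinstance(value, int):
            out[key] = "90+" if value > 89 else value
        elif key == "notes" and isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value              # clinical data passes through
    return out


# Constructed sample record (fictional data) and reference date.
SAMPLE = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "dob": date(1932, 4, 15),
    "zip": "03601",                       # ZIP3 036 is restricted -> "000"
    "admit_date": date(2024, 11, 3),
    "diagnosis_code": "E11.9",
    "notes": "Daughter reachable at (555) 123-4567 or jane@example.com",
}
DEMO_AS_OF = date(2025, 6, 10)

if __name__ == "__main__":
    print(deidentify(SAMPLE, DEMO_AS_OF))
```

For the sample record the output keeps only the generalized ZIP, the admission year, the diagnosis code, and the scrubbed note; the name, MRN and birth date (the patient is over 89) are gone. Remember that safe harbor also requires no actual knowledge that what remains could identify the person, so a rare diagnosis in a small ZIP3 area may still need expert determination.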

Security Rule

Risk-based approach

The Security Rule protects electronic PHI (ePHI) by requiring you to ensure its confidentiality, integrity, and availability and to protect it against reasonably anticipated threats and impermissible uses or disclosures. Risk analysis is a required implementation specification, not an optional best practice: start with a formal, documented, organization-wide risk analysis and use its findings to prioritize safeguards proportionate to your risks.

Administrative Safeguards

Implement security management processes, assign a security officer, apply workforce security and training, enforce sanction policies, and develop contingency and incident response plans. Evaluate Business Associates and execute Business Associate Agreements that reflect your risk posture.

Technical Safeguards

Use unique user IDs and role-based access, strong authentication, automatic logoff, and encryption for ePHI in transit and at rest. Unique user identification, audit controls, and person or entity authentication are required standards; automatic logoff, encryption, and integrity-verification mechanisms are “addressable,” which means you implement them where reasonable and appropriate and otherwise document why not and implement an equivalent alternative. Addressable never means optional. Maintain audit logs of ePHI access, verify integrity, and actively monitor the logs for anomalies such as record snooping and off-hours access.
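Audit controls are only useful if someone looks at the output. The block below is an added example (not code from the article or from Accountable) that runs two simple anomaly checks over constructed EHR access-log lines: users who touch far more distinct patients than the median for their role (a classic record-snooping signal), and record access by non-clinical roles outside business hours. The log format, the roles, the thresholds, and the sample lines are all assumptions for illustration; a real deployment would tune baselines per unit and shift.

```python
"""Audit-control monitoring over EHR access logs.

Added example, not from the article. The log line format, the roles, the
thresholds and the sample lines are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample log: "<ISO timestamp> <user> <role> <patient> <action>"
SAMPLE_LOG = """\
2025-06-09T08:12:03 alice nurse p1001 view
2025-06-09T08:40:21 alice nurse p1002 view
2025-06-09T09:05:44 bob nurse p1003 view
2025-06-09T09:15:10 bob nurse p1004 update
2025-06-09T10:02:00 carol nurse p1001 view
2025-06-09T10:02:30 carol nurse p1005 view
2025-06-09T10:03:01 carol nurse p1006 view
2025-06-09T10:03:40 carol nurse p1007 view
2025-06-09T10:04:12 carol nurse p1008 view
2025-06-09T10:04:50 carol nurse p1009 view
2025-06-09T10:05:21 carol nurse p1010 view
2025-06-09T10:06:09 carol nurse p1011 view
2025-06-09T10:07:00 carol nurse p1012 view
2025-06-09T10:08:15 carol nurse p1013 view
2025-06-09T22:47:33 dave billing p1002 view
2025-06-09T14:10:05 erin billing p1003 view
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed five-field line format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def flag_volume_outliers(events: list[Event], factor: float = 3.0,
                         floor: int = 5) -> dict[str, int]:
    """Users whose distinct-patient count exceeds factor x their role's median.

    floor suppresses alerts on tiny baselines (with a median of 1, any user
    touching four patients would otherwise be flagged). Thresholds are assumed.
    """
    patients: dict[tuple[str, str], set[str]] = defaultdict(set)
    for e in events:
        patients[(e.user, e.role)].add(e.patient)
    counts_by_role: dict[str, list[int]] = defaultdict(list)
    for (user, role), ps in patients.items():
        counts_by_role[role].append(len(ps))
    flagged = {}
    for (user, role), ps in patients.items():
        baseline = median(counts_by_role[role])
        if len(ps) >= floor and len(ps) > factor * baseline:
            flagged[user] = len(ps)
    return flagged


def flag_after_hours(events: list[Event],
                     clinical_roles: frozenset[str] = frozenset({"nurse", "physician"}),
                     start_hour: int = 7, end_hour: int = 19) -> list[Event]:
    """Record access by non-clinical roles outside the assumed business hours."""
    return [e for e in events
            if e.role not in clinical_roles
            and not (start_hour <= e.ts.hour < end_hour)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("volume outliers:", flag_volume_outliers(evs))
    print("after-hours access:", [(e.user, e.patient, e.ts.isoformat()) for e in flag_after_hours(evs)])
```

On the sample, carol is flagged for touching ten distinct patients against a nurse median of two, and dave's 22:47 billing lookup is flagged as after-hours. Both are leads for the privacy officer to investigate, not findings; the point is that the logs are read on a schedule and the review is documented.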

Physical safeguards

Control facility access, secure workstations and devices, and manage media handling and disposal. Apply device and media controls to prevent unauthorized removal or reuse of hardware containing ePHI.

Breach Notification Rule

When notification is required

A breach is an acquisition, access, use, or disclosure of unsecured PHI that is not permitted under the Privacy Rule and that compromises the security or privacy of the PHI. Any such incident is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised, weighing four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. PHI encrypted in line with HHS guidance is “secured” and falls under a safe harbor that removes the notification duty, but only if the decryption key was not also compromised; a stolen laptop with full-disk encryption and the passphrase on a sticky note is not a safe-harbor case.

Who to notify and by when

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must also be reported to the U.S. Department of Health and Human Services at the same time as individual notice; breaches affecting fewer than 500 are logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered. When a breach involves more than 500 residents of a single state or jurisdiction, you must additionally notify prominent media outlets serving that area. A Business Associate that discovers a breach must notify the Covered Entity without unreasonable delay and no later than 60 days after discovery; the clock for individual notice runs from the Covered Entity’s discovery, so BAAs should set a much shorter internal reporting window.

What to include

Notices must describe what happened, the types of PHI involved, steps individuals should take, what you are doing to mitigate harm and prevent recurrence, and how to contact you for more information. Keep complete incident and notification documentation.

Enforcement Rule

Investigations and resolutions

The HHS Office for Civil Rights (OCR) enforces HIPAA through complaint investigations, breach-report follow-up, and compliance reviews. Outcomes may include technical assistance, corrective action plans, resolution agreements with settlement payments, civil monetary penalties, and ongoing monitoring for sustained compliance. State Attorneys General may also bring civil actions under HIPAA on behalf of their residents.

Civil and Criminal Penalties

Civil penalties follow a four-tier structure based on culpability: the entity did not know and could not reasonably have known of the violation; reasonable cause; willful neglect that was corrected within 30 days; and willful neglect that was not corrected. Penalties are assessed per violation, with an annual cap for all violations of an identical provision, and the amounts are adjusted for inflation. Criminal penalties, prosecuted by the Department of Justice, apply to knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA: up to $50,000 and one year in prison for the base offense, up to $100,000 and five years if committed under false pretenses, and up to $250,000 and ten years if committed with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm.

Compliance Requirements

Core program actions

  • Governance: Appoint privacy and security officers, define accountability, and integrate HIPAA into enterprise risk management.
  • Risk Assessments: Perform and update enterprise-wide risk analyses, document risk decisions, and track remediation to completion.
  • Policies and procedures: Implement the Privacy Rule, Security Rule (Administrative Safeguards and Technical Safeguards), and breach response procedures. Review and update at least annually.
  • Access and security controls: Enforce least privilege, multi-factor authentication, encryption, patching, endpoint protection, secure messaging, and audit logging.
  • Business Associates: Vet vendors, execute Business Associate Agreements, set security requirements, and monitor performance and incidents.
  • Workforce training: Provide role-based, initial and periodic training; test comprehension; and apply sanctions for violations.
  • Individual rights and NPP: Maintain processes to fulfill access and amendment requests promptly and to distribute and post your Notice of Privacy Practices.
  • Incident response: Establish intake, triage, investigation, containment, forensics, harm analysis, notification, and post-incident reviews.
  • Contingency planning: Maintain backups, disaster recovery, and emergency operations procedures; test them and document results.
  • Documentation and retention: Keep required HIPAA documentation (policies, risk analyses, risk-management decisions, training records, BAAs) for at least six years from the date it was created or the date it was last in effect, whichever is later, and make it available to OCR upon request. Medical-record retention periods are set by state law, not HIPAA.

Conclusion

HIPAA 1996 sets national rules for safeguarding PHI and holding organizations accountable. By applying a risk-based program—anchored in solid Risk Assessments, strong Administrative and Technical Safeguards, clear policies, and vendor oversight—you can meet legal obligations and earn patient trust.

FAQs

What entities are covered under HIPAA?

Covered Entities include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions. Business Associates—such as billing companies, cloud providers, and analytics vendors that handle PHI for Covered Entities—are also directly liable for HIPAA compliance.

What are the main requirements of the Privacy Rule?

You must limit PHI uses and disclosures to permitted purposes, apply the minimum necessary standard, provide a Notice of Privacy Practices, obtain authorizations when required, and honor individual rights to access, amend, obtain an accounting of disclosures, request restrictions, and receive confidential communications.

How does the Breach Notification Rule work?

After discovering a potential incident, you perform a documented four-factor risk assessment to determine whether unsecured PHI was compromised; the incident is presumed a breach unless that assessment shows a low probability of compromise. If a breach occurred, notify affected individuals without unreasonable delay and no later than 60 days after discovery, report breaches affecting 500 or more individuals to HHS at the same time (smaller ones annually), and notify prominent media when more than 500 residents of a state or jurisdiction are affected. Include the required details and retain the documentation.

What penalties exist for HIPAA violations?

OCR may impose tiered civil monetary penalties that scale with the level of culpability and compliance history, potentially reaching substantial amounts per violation with annual caps per violation type. Criminal penalties can include significant fines and imprisonment—up to higher terms for offenses involving false pretenses or intent to profit or cause harm.
