What Is HIPAA? A Complete Guide to the Privacy Rule, Security Rule, and Compliance
Overview of HIPAA Legislation
Scope and purpose
HIPAA—the Health Insurance Portability and Accountability Act—sets national standards for protecting health information. If you have ever asked “what is HIPAA,” think of it as the federal baseline that governs how organizations handle Protected Health Information (PHI) in any form and Electronic Protected Health Information (ePHI) specifically.
Who must comply
HIPAA applies to Covered Entities—healthcare providers, health plans, and healthcare clearinghouses—and to their vendors and partners, known as Business Associates, that create, receive, maintain, or transmit PHI on their behalf.
Key rules and updates
- The Privacy Rule defines when PHI may be used or disclosed and the rights individuals have over their information.
- The Security Rule establishes standards to safeguard ePHI through Administrative, Physical, and Technical Safeguards.
- Subsequent updates strengthened breach notification, vendor accountability, and enforcement to improve real-world compliance.
Preemption and state law
HIPAA creates a federal floor. If a state law is more protective of privacy, you must follow the stricter requirement.
Key Provisions of the Privacy Rule
What counts as PHI
PHI is individually identifiable health information—such as diagnoses, treatment details, billing data, or demographics—that relates to a person’s health, care, or payment. PHI can be verbal, paper, or electronic (ePHI). De-identified data and certain employment or education records are outside HIPAA’s scope.
Permitted uses and disclosures
You may use or disclose PHI without patient authorization for treatment, payment, and healthcare operations, and for limited public-interest purposes (for example, required by law or certain public health activities). Other uses generally require a valid, written authorization.
The minimum necessary standard
Except for treatment and a few other exceptions, you must access, use, and disclose only the minimum necessary PHI to accomplish the task. Role-based access, need-to-know workflows, and data segmentation help you meet this standard.
Individual rights
- Access: Individuals have a right to inspect or obtain a copy of PHI in a designated record set, typically within 30 days.
- Amendment: Patients may request corrections to inaccurate or incomplete information.
- Accounting of disclosures: Upon request, you must provide a list of certain non-routine disclosures.
- Restrictions and confidential communications: Individuals can request limits on disclosures and alternative communication channels.
- Notice of Privacy Practices (NPP): You must explain how PHI is used, shared, and protected.
Administrative requirements
You must designate a Privacy Official, train your workforce, establish privacy policies, apply appropriate safeguards, and mitigate harmful effects of improper uses or disclosures.
Essential Elements of the Security Rule
Risk-based framework and scope
The Security Rule protects ePHI. It is intentionally flexible: you must perform a risk analysis and implement reasonable and appropriate measures based on your size, complexity, and risks to confidentiality, integrity, and availability.
Administrative Safeguards
- Security management process: risk analysis, risk management, and periodic evaluations.
- Workforce security and information access management: least-privilege roles and authorization procedures.
- Security awareness and training: ongoing education, phishing and incident reporting drills.
- Security incident procedures and response: detect, document, and respond to events.
- Contingency planning: data backup, disaster recovery, and emergency mode operations.
- Business Associate Agreements (BAAs): require vendors to safeguard ePHI.
Physical Safeguards
- Facility access controls: limit and log physical entry to areas with ePHI.
- Workstation use and security: define acceptable use and secure workstations.
- Device and media controls: inventory, encryption, secure disposal, and media re-use procedures.
Technical Safeguards
- Access controls: unique user IDs, emergency access, automatic logoff, and encryption where appropriate.
- Audit controls: record and examine activity in systems containing ePHI.
- Integrity protections: prevent and detect improper alteration or destruction of ePHI.
- Person or entity authentication and transmission security: verify users and protect data in transit.
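The following Python is an added example, not part of the original guide, showing how the minimum necessary standard and its treatment exception, the accounting-of-disclosures right, and the Security Rule's audit controls fit together in code; the roles, field sets, purposes and sample record are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Purposes permitted without written authorization. Treatment, payment and
# operations (TPO) are also exempt from the accounting-of-disclosures list.
TPO = {"treatment", "payment", "operations"}
PERMITTED = TPO | {"required_by_law", "public_health"}

# Assumed role -> fields of the designated record set that role needs.
ROLE_FIELDS = {
    "billing_clerk": {"patient_id", "name", "insurance_id", "charges"},
    "scheduler": {"patient_id", "name", "phone"},
    "clinician": {"patient_id", "name", "phone", "diagnoses", "medications"},
}

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "patient_id": "P-001", "name": "Pat Example", "phone": "555-0100",
    "insurance_id": "INS-42", "charges": 125.00,
    "diagnoses": ["J06.9"], "medications": ["acetaminophen"],
}

@dataclass(frozen=True)
class AuditEntry:
    when: str
    user: str
    role: str
    purpose: str
    patient_id: str
    fields: tuple

audit_log: list = []   # the audit-control record of every PHI access

def disclose(record, user, role, purpose, when=None):
    """Return the minimum necessary view of `record` and log the access."""
    if purpose not in PERMITTED:
        raise PermissionError(f"{purpose!r} requires written authorization")
    # Treatment is exempt from minimum necessary; everything else is limited
    # to the fields the requester's role actually needs.
    allowed = set(record) if purpose == "treatment" else ROLE_FIELDS.get(role, set())
    view = {k: v for k, v in record.items() if k in allowed}
    when = when or datetime.now(timezone.utc).isoformat()
    audit_log.append(AuditEntry(when, user, role, purpose,
                                record["patient_id"], tuple(sorted(view))))
    return view

def accounting_of_disclosures(patient_id):
    """Non-routine disclosures (outside TPO) an individual may request."""
    return [e for e in audit_log
            if e.patient_id == patient_id and e.purpose not in TPO]
```

Unknown roles receive no fields rather than the whole record, so a missing role mapping fails closed; a denied purpose raises before anything is disclosed or logged.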
Documentation and review
Maintain written policies, procedures, and assessments, and retain documentation for at least six years from creation or last effective date. Review and update routinely as your environment or risks change.
Roles and Responsibilities of Covered Entities
Who are Covered Entities
Covered Entities include healthcare providers that transmit standard electronic transactions, health plans (insurers, group health plans), and healthcare clearinghouses. Each must comply with the Privacy Rule for PHI and the Security Rule for ePHI.
Operational duties
- Publish an NPP and honor individual rights to access, amend, and receive an accounting of disclosures.
- Apply the minimum necessary standard and role-based access controls.
- Train your workforce, enforce sanctions, and mitigate improper disclosures.
- Execute and manage BAAs with vendors that handle PHI.
Breach notification responsibilities
If unsecured PHI is breached, assess risk and notify affected individuals without unreasonable delay and no later than 60 days after discovery. Depending on the size and nature of the breach, you may also notify regulators and, in some cases, the media.
Business Associates and Compliance
What is a Business Associate
A Business Associate is any person or organization that performs services for a Covered Entity involving PHI—examples include billing companies, cloud service providers, EHR vendors, legal and consulting firms, and telehealth platforms. Subcontractors that handle PHI are also Business Associates.
Essential elements of BAAs
- Permitted and required uses and disclosures of PHI.
- Obligation to implement Administrative, Physical, and Technical Safeguards.
- Reporting of incidents and breaches, including timelines and cooperation.
- Downstream compliance by subcontractors.
- Termination rights and return or destruction of PHI.
Direct liability and oversight
Business Associates are directly liable for certain Privacy Rule violations and for failing to safeguard ePHI under the Security Rule. Covered Entities should perform vendor due diligence, monitor performance, and enforce BAAs throughout the vendor lifecycle.
HIPAA Enforcement and Penalties
Who enforces HIPAA
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA, investigates complaints and breaches, and issues guidance. State attorneys general may bring civil actions, and the Department of Justice handles criminal cases.
Investigations and outcomes
OCR investigations can lead to technical assistance, voluntary compliance, or resolution agreements with corrective action plans. These typically require policy updates, training, monitoring, and regular reporting.
Civil and criminal penalties
Civil penalties are tiered based on the level of culpability—from lack of knowledge to willful neglect not corrected in time—with per-violation amounts and annual caps that increase with severity. Criminal penalties may apply for knowingly obtaining or disclosing PHI unlawfully, with higher penalties for false pretenses or intent to profit or harm.
HIPAA Compliance Best Practices
Build strong governance
- Appoint a Privacy Official and a Security Officer with clear authority and accountability.
- Create a governance structure that reviews risks, metrics, incidents, and vendor performance.
Perform risk analysis and manage risks
- Inventory systems and data flows containing ePHI.
- Identify threats, vulnerabilities, and likelihood/impact; document a treatment plan with owners and timelines.
- Reassess after major changes such as new vendors, mergers, or technology shifts.
Control access and protect data
- Enforce least privilege, MFA, and timely provisioning/deprovisioning.
- Encrypt ePHI at rest and in transit; segment networks; harden endpoints and mobile devices.
- Enable logging and audit trails; regularly review alerts and anomalies.
Train and test your workforce
- Provide role-specific training at hire and periodically thereafter.
- Run simulations for phishing, misdirected communications, and incident reporting.
Prepare for incidents and breaches
- Maintain playbooks for investigation, containment, evidence preservation, and remediation.
- Define notification decision trees, templates, and vendor coordination steps.
Document and audit
- Maintain policies, risk analyses, BAAs, training logs, and system records for at least six years.
- Conduct periodic internal audits and remediate findings promptly.
Conclusion
HIPAA sets clear expectations: protect PHI, safeguard ePHI, respect individual rights, and document what you do. By embedding the Privacy Rule and Security Rule into daily operations—and holding Business Associates to the same standards—you build trust, reduce risk, and demonstrate sustained compliance.
FAQs
What types of information does HIPAA protect?
HIPAA protects PHI—any identifiable information about an individual’s health, care, or payment for care. This spans diagnoses, test results, prescriptions, claims, and demographics. PHI in electronic form is ePHI. De-identified data and certain employment or education records are not PHI.
How does the Security Rule differ from the Privacy Rule?
The Privacy Rule governs when PHI may be used or disclosed and the rights individuals have over their information. The Security Rule focuses on how you protect ePHI through Administrative, Physical, and Technical Safeguards, guided by a risk-based approach.
Who is responsible for enforcing HIPAA compliance?
The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services leads HIPAA enforcement. State attorneys general can bring civil actions, and the Department of Justice handles criminal violations.
What are the consequences of HIPAA violations?
Consequences range from corrective action and monitoring to significant civil monetary penalties and, in severe cases, criminal charges. Beyond fines, you may face reputational harm, operational disruption, and mandated corrective action plans that require ongoing oversight.