The Health Insurance Portability and Accountability Act (HIPAA) is a
federal law that was enacted in 1996 to protect the privacy and security of
individually identifiable health information. The law applies to a wide range
of entities, including healthcare providers, health plans, and healthcare
clearinghouses, known as covered entities.
HIPAA includes two sets of regulations: the Privacy Rule and the Security
Rule. The Privacy Rule regulates the use and disclosure of protected
health information (PHI), which is any information that can be used to
identify an individual and that relates to their health or healthcare. The
Security Rule regulates the technical and physical safeguards that must be
in place to protect electronic PHI (ePHI).
The Privacy Rule requires covered entities to:
- Obtain written consent from individuals before using or disclosing their PHI
- Limit the use and disclosure of PHI to the minimum necessary to accomplish a specific purpose
- Notify individuals of their privacy rights
- Have in place appropriate administrative, physical, and technical safeguards to protect the privacy of PHI

The Security Rule requires covered entities to:
- Implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI
- Perform risk assessments to identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI
- Implement security controls to address any identified threats and vulnerabilities

HIPAA also requires covered entities to report certain types of data
breaches to individuals and the Department of Health and Human
Services (HHS). Organizations that fail to comply with HIPAA regulations
can face heavy fines and penalties, including civil and criminal penalties.