The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was enacted in 1996 to protect the privacy and security of individually identifiable health information. The law applies to a wide range of entities, including healthcare providers, health plans, and healthcare clearinghouses, known as covered entities.
HIPAA includes two sets of regulations: the Privacy Rule and the Security Rule. The Privacy Rule regulates the use and disclosure of protected health information (PHI), which is any information that can be used to identify an individual and that relates to their health or healthcare. The Security Rule regulates the technical and physical safeguards that must be in place to protect electronic PHI (ePHI).
The Privacy Rule requires covered entities to:
- Obtain written consent from individuals before using or disclosing their PHI
- Limit the use and disclosure of PHI to the minimum necessary to accomplish a specific purpose
- Notify individuals of their privacy rights
- Have in place appropriate administrative, physical, and technical safeguards to protect the privacy of PHI
The Security Rule requires covered entities to:
- Implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI
- Perform risk assessments to identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI
- Implement security controls to address any identified threats and vulnerabilities
HIPAA also requires covered entities to report certain types of data breaches to individuals and the Department of Health and Human Services (HHS). Organizations that fail to comply with HIPAA regulations can face heavy fines and penalties, including civil and criminal penalties.