If you're working in healthcare or building a product that handles patient data, you've probably heard the term "HIPAA" thrown around. But what exactly is it, and why does it matter?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets the standard for protecting sensitive patient health information. Whether you're a doctor, dentist, therapist, health tech startup, or any business that handles medical records, understanding HIPAA is essential—not just to avoid fines, but to protect the people who trust you with their most private information.
What is HIPAA?
HIPAA was passed by Congress in 1996 with two main goals:
- Make it easier for people to keep health insurance when they change or lose their jobs (the "portability" part)
- Set national standards for protecting health information (the "accountability" part)
Today, when people talk about "HIPAA compliance," they're usually referring to the privacy and security protections—the rules that govern how patient health information can be used, stored, and shared.
Key Point
HIPAA isn't just about technology security—it covers all forms of patient information: paper records, verbal conversations, electronic files, and everything in between.
Who Does HIPAA Apply To?
HIPAA applies to two main groups: Covered Entities and Business Associates.
Covered Entities
Organizations that directly provide healthcare or process health information:
- Healthcare providers (doctors, dentists, clinics, hospitals)
- Health plans (insurance companies, HMOs, Medicare)
- Healthcare clearinghouses (billing services)
Business Associates
Third parties that handle patient data on behalf of covered entities:
- Cloud storage providers hosting medical records
- Medical billing companies
- IT vendors managing healthcare systems
- Consultants accessing patient information
Important Update
Since 2013, business associates have the same HIPAA compliance obligations as covered entities. If you're a vendor handling patient data, you can be directly fined for violations—you can't hide behind "we're just a contractor."
The Three Main HIPAA Rules
1. The Privacy Rule
The Privacy Rule establishes national standards for protecting Protected Health Information (PHI). It controls when and how patient information can be used or shared.
Key requirements:
2. The Security Rule
The Security Rule focuses specifically on protecting electronic Protected Health Information (ePHI). It requires three types of safeguards:
Administrative
Policies, procedures, training, risk assessments, and security management processes
Physical
Facility access controls, workstation security, and device/media disposal procedures
Technical
Access controls, encryption, audit logging, and authentication (including MFA)
3. The Breach Notification Rule
When a breach of unsecured PHI occurs, organizations must notify affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media.
Notification requirements:
What is Protected Health Information (PHI)?
PHI is any health information that can identify an individual. This includes obvious things like names and Social Security numbers, but also extends to:
Direct Identifiers:
- Names
- Addresses (including city, zip code)
- Dates (birth, admission, discharge, death)
- Phone numbers and email addresses
- Social Security numbers
- Medical record numbers
Combined with Health Data:
- Medical diagnoses
- Treatment records
- Test results
- Prescription information
- Insurance information
- Billing records
Rule of thumb: If you can connect health information to a specific person, it's PHI. When in doubt, treat it as protected information.
Your HIPAA Compliance Checklist
Ready to start your compliance journey? Here's what you need to do:
Conduct a Risk Assessment
Identify where PHI is stored, how it's transmitted, and potential vulnerabilities
Develop Policies and Procedures
Document how your organization will protect PHI and comply with HIPAA requirements
Designate a Privacy and Security Official
Assign someone responsible for overseeing HIPAA compliance (can be the same person)
Train Your Workforce
Ensure all employees understand HIPAA requirements and their responsibilities
Implement Technical Safeguards
Deploy encryption, access controls, audit logging, and multi-factor authentication
Execute Business Associate Agreements
Get signed BAAs from all vendors who handle PHI on your behalf
Create an Incident Response Plan
Know what to do when a breach occurs—before it happens
Document Everything
Maintain records of policies, training, risk assessments, and compliance activities
Key Takeaways
- HIPAA applies to healthcare providers, health plans, clearinghouses, AND their business associates
- The Privacy Rule governs all PHI; the Security Rule focuses on electronic PHI (ePHI)
- Protected Health Information includes any health data that can identify an individual
- Compliance requires administrative, physical, and technical safeguards
- Documentation is crucial—if it's not documented, it didn't happen
- Business associates have the same liability as covered entities since 2013
Next Steps
Understanding HIPAA is the first step. The next step is assessing your current compliance posture and identifying gaps that need to be addressed.