What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, which is a federal law enacted in 1996 in the USA. The law is designed to protect the privacy and security of individuals' health information, and it applies to healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.

HIPAA has two main parts: the Privacy Rule and the Security Rule. The Privacy Rule sets standards for how health information can be used and shared between patients, providers, and their associates. The Security Rule sets standards for how health information must be protected from unauthorized access, use, disclosure, disruption, modification, and destruction.

HIPAA also includes a number of other provisions such as requirements for patients to be given access to their health information and to have the ability to correct any inaccuracies. Patients also have the right to privacy and confidentiality of their health information. This includes the right to control who has access to their medical records and to expect that their health information will not be disclosed without their consent.

Patients have the right to file a complaint if they believe their rights under HIPAA have been violated. HIPAA is enforced by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). OCR can investigate complaints of HIPAA violations and can impose civil penalties on violators.

What are the key components of HIPAA?

HIPAA has several key components, including:

  • Privacy Rule: This rule sets standards for the use and disclosure of individuals' health information by covered entities, such as healthcare providers, health plans, healthcare clearinghouses, and their associates.
  • Security Rule: This rule establishes standards for the security of electronic health information, including requirements for administrative, physical, and technical safeguards to protect against unauthorized access and disclosures.
  • Breach Notification Rule: This rule requires covered entities to notify individuals in the event of a breach of their unsecured health information.
  • Enforcement Rule: This rule sets out the procedures for investigating and enforcing compliance with HIPAA's privacy, security, and breach notification rules.

Who should be compliant with HIPAA?

HIPAA applies to "covered" organizations that handle and store protected health information (PHI), which includes health plans, healthcare clearinghouses, and healthcare providers that transmit PHI electronically. Examples of covered entities include:

  • Health plans, such as insurance companies and government programs like Medicare and Medicaid.
  • Healthcare providers, such as doctors, dentists, hospitals, clinics, and pharmacies.
  • Healthcare clearinghouses, which process and convert health information into standardized formats.

Business associates are organizations that work with "covered" organizations and perform certain services on behalf of a covered entity that involve access to PHI. Examples of business associates include:

  • Third-party billing companies
  • Medical transcription services
  • Healthcare IT companies
  • Law firms
  • Accounting firms

Covered entities and business associates must comply with the HIPAA Privacy and Security Rules. These rules require organizations to implement administrative, physical, and technical safeguards to protect PHI and ePHI (electronic PHI), as well as policies and procedures for reporting and responding to breaches of PHI.


HIPAA is designed to give patients greater control over their health information and to ensure that healthcare providers and other covered entities protect the privacy and security of that information. Patients can use their HIPAA rights to help ensure that their healthcare is personalized, respected, and safeguarded against unauthorized access.

HIPAA is an important law that helps to protect the privacy and security of individuals' health information, and promotes the integrity of the healthcare system.