HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Although it began as a law about keeping health insurance coverage when people changed jobs, today most people use the word "HIPAA" to mean the federal rules that protect the privacy and security of health information.
What HIPAA does
HIPAA gives patients rights over their health information and sets limits on how that information can be used and shared. It also requires organizations that handle health data to safeguard it. The U.S. Department of Health and Human Services (HHS) writes the detailed rules, and its Office for Civil Rights (OCR) enforces them.
The main HIPAA rules
Several regulations sit under the HIPAA umbrella. The ones that matter most day to day are:
| Rule | What it covers |
|---|---|
| Privacy Rule | How protected health information (PHI) may be used and disclosed; patient rights such as access to records. |
| Security Rule | Safeguards for electronic PHI (ePHI): administrative, physical, and technical protections. |
| Breach Notification Rule | What to do, and whom to notify (affected individuals, HHS, and in large breaches the media), when unsecured PHI is breached. PHI that has been encrypted or destroyed in line with HHS guidance is not "unsecured," so its loss generally does not trigger notification. |
| Enforcement Rule | How OCR investigates complaints and imposes penalties. |
What is protected health information?
Protected health information is individually identifiable health information held or transmitted by a covered entity or its business associate. It includes obvious things like diagnoses and test results, but also identifiers tied to health data, such as names, addresses, dates, and account numbers. When PHI is in electronic form, the Security Rule calls it ePHI.
Who must follow HIPAA?
HIPAA applies to two groups:
- Covered entities - health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility checks, and the like).
- Business associates - vendors and contractors that create, receive, maintain, or transmit PHI on a covered entity's behalf, such as billing companies, cloud hosts, and IT firms. A subcontractor that handles PHI for a business associate is itself a business associate.
Patient rights under HIPAA
HIPAA gives individuals several rights, including the right to see and get a copy of their records, to request corrections, to receive a notice of privacy practices, and to ask for an accounting of certain disclosures. Providers and plans must generally honor a valid access request within 30 days, with one 30-day extension allowed if the requester is told the reason for the delay.
How the rules fit together
It helps to see the HIPAA rules as layers rather than separate silos. The Privacy Rule decides whether a particular use or disclosure of health information is permitted and what rights patients hold. The Security Rule then governs how electronic health information is protected technically and operationally so that permitted uses do not become accidental exposures. The Breach Notification Rule sets out what happens when protection fails, and the Enforcement Rule describes the consequences. An organization that focuses on only one layer, for example locking down its servers while ignoring patient access rights, can still fall out of compliance. Treating the rules as a connected framework is what produces durable, defensible handling of health information.
A brief history
Although HIPAA was enacted in 1996, the privacy and security protections most people associate with it came later. The Privacy Rule was issued in 2000 and the Security Rule in 2003. The 2009 HITECH Act introduced breach notification requirements and stronger penalties, and the 2013 Omnibus Rule finalized the Breach Notification Rule and made business associates directly liable for compliance. Knowing this history explains why HIPAA is best understood as an evolving framework rather than a fixed 1996 statute, and why organizations need to watch for ongoing updates.
Why HIPAA matters
For organizations, HIPAA is both a legal obligation and a trust issue. Violations can lead to OCR investigations, corrective action plans, and civil money penalties, and knowing misuse of PHI can be prosecuted criminally by the Department of Justice. Just as important, mishandling health information erodes the confidence patients place in their providers. A strong compliance program treats HIPAA not as paperwork but as a baseline for responsible handling of sensitive data.
The sections that follow break down each rule in more detail. Because HIPAA is a framework rather than a checklist, the right approach for your organization depends on your size, the data you handle, and the risks you face.