HIPAA is a set of federal rules that govern how health information is protected, used, and shared. It applies to specific types of organizations and their partners, covering everything from who can see your medical records to how electronic health data must be secured. The requirements fall into several distinct areas: privacy protections, security safeguards, breach notification procedures, and individual rights.
Who Has to Follow HIPAA
HIPAA does not apply to every company that touches health information. It applies to three categories of “covered entities” and to the business associates that work with them.
- Health care providers such as doctors, clinics, dentists, psychologists, chiropractors, nursing homes, and pharmacies, but only if they transmit information electronically in connection with standard transactions like billing or insurance claims.
- Health plans including health insurance companies, HMOs, employer-sponsored health plans, and government programs like Medicare, Medicaid, and veterans health care.
- Health care clearinghouses that process nonstandard health information into standard electronic formats, or the reverse.
If your organization doesn’t fit one of these three categories, HIPAA doesn’t directly apply to you. But there’s an important extension: any outside company hired by a covered entity to handle protected health information is considered a “business associate.” Think billing companies, IT contractors, cloud storage providers, or consultants with access to patient data. Covered entities must have a written contract with each business associate spelling out what the associate can and cannot do with the information. Business associates are directly liable for certain HIPAA violations, not just contractually responsible.
What Counts as Protected Health Information
The Privacy Rule protects “protected health information,” or PHI, which is any health data that can be linked to a specific person. HIPAA defines 18 identifiers that make health information identifiable. When all 18 are stripped out, the data is considered de-identified and no longer subject to HIPAA restrictions.
The 18 identifiers include names, addresses (anything more specific than state level), dates directly related to a person (birth date, admission date, discharge date, and all ages over 89), phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers and license plates, device serial numbers, web URLs, IP addresses, biometric data like fingerprints or voiceprints, full-face photographs, and any other unique identifying number or code.
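The list above is the Safe Harbor method of de-identification. The following Python is an added example (not from the original page) that applies it to one record: identifier fields are removed, person-related dates are reduced to the year, ages over 89 collapse to "90 or older" (at which point the birth year must go too), unknown fields are dropped so nothing leaks by default, and free-text notes are scanned for stray identifiers. Field names, regexes and the sample record are constructed for the example.

```python
import re
from datetime import date

# Record keys holding the 18 identifiers (constructed names); removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Dates tied to the person: Safe Harbor lets only the year survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
SAFE_FIELDS = {"state", "diagnosis", "lab_result", "notes"}   # pass through unchanged
# Identifiers that commonly leak into free-text notes (simplified patterns).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def deidentify(record: dict, as_of: date) -> tuple[dict, list[str]]:
    """Return (de-identified copy, findings). Unknown fields are dropped and
    reported, so a newly added field cannot leak an identifier by default."""
    out, findings = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year
        elif key in SAFE_FIELDS:
            out[key] = value
        else:
            findings.append(f"unknown field dropped: {key}")
    for label, pattern in RESIDUAL_PATTERNS.items():
        if "notes" in out and pattern.search(out["notes"]):
            findings.append(f"{label} pattern found in notes")
    birth = record.get("birth_date")
    if birth:
        age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
        # Ages over 89 collapse to "90 or older"; then even the birth year must go.
        if age > 89:
            age = 90
            out.pop("birth_year", None)
        out["age"] = age
    return out, findings

SAMPLE = {"name": "Jane Doe", "state": "OH", "city": "Columbus", "zip": "43215",   # constructed
          "mrn": "MRN-0001", "birth_date": date(1930, 3, 15), "employer": "Acme",
          "admission_date": date(2024, 5, 2), "diagnosis": "J18.9",
          "notes": "Follow up by phone 614-555-0100."}
AS_OF = date(2024, 6, 1)
```

The findings list is the useful output for a reviewer: a record is only de-identified when it comes back empty.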
Privacy Rule Requirements
The Privacy Rule sets limits on when and how covered entities can use or share a person’s health information. PHI can generally be used for treatment, payment, and health care operations without the patient’s explicit authorization. Most other uses, such as marketing or sharing information with an employer, require written authorization from the individual.
Covered entities must give patients a Notice of Privacy Practices that explains how their information may be used, what their rights are, and how to file a complaint. They must also designate a privacy officer, train their workforce on privacy policies, and implement safeguards to prevent unnecessary or unauthorized access to PHI. The rule applies a “minimum necessary” standard: when using or disclosing PHI, organizations should limit the information shared to the smallest amount needed for the purpose.
Patient Rights Under HIPAA
HIPAA grants individuals several specific rights over their own health information. The most important is the right to access and obtain copies of your medical records. This covers medical and billing records, health plan enrollment data, claims information, and any other records used to make decisions about your care. Covered entities can charge reasonable, cost-based fees for copying and postage, but they cannot deny access as a way to pressure you.
There are narrow exceptions. Psychotherapy notes, information compiled for legal proceedings, and certain lab results restricted by federal law fall outside the right of access. A provider can also deny access if a health care professional determines it could cause harm, but in that case, you’re entitled to have the denial reviewed by a different licensed professional.
You also have the right to request amendments to your records when information is inaccurate or incomplete. If a covered entity accepts your amendment, it must make reasonable efforts to notify anyone who previously received the incorrect information and might rely on it. If your request is denied, the entity must provide the denial in writing and let you submit a statement of disagreement that becomes part of your record.
Security Rule Safeguards
The Security Rule specifically protects electronic protected health information (e-PHI) and requires three categories of safeguards: administrative, physical, and technical. Some requirements are mandatory. Others are “addressable,” meaning an organization must implement them or document why an alternative measure is equally effective.
Administrative Safeguards
These are the policies and procedures that govern how an organization manages its security program. Key requirements include conducting a thorough risk analysis, implementing a risk management process, enforcing a sanctions policy for employees who violate security rules, reviewing system activity logs, and maintaining a contingency plan with data backup and disaster recovery procedures. Organizations must also designate a security officer and establish workforce clearance and termination procedures to control who has access to e-PHI.
Physical Safeguards
Physical safeguards control access to the actual buildings, equipment, and devices where e-PHI is stored. This includes facility access controls, policies for workstation use and security, and rules for disposing of or reusing electronic media like hard drives and USB devices. When devices are retired or repurposed, all e-PHI must be properly erased or destroyed.
Technical Safeguards
Technical safeguards address the technology used to protect e-PHI and control access to it. Required measures include assigning unique user IDs so activity can be tracked to individuals, establishing emergency access procedures, and maintaining audit controls that record who accessed what and when. Addressable measures include automatic logoff, encryption of stored data, and encryption of data during transmission. “Addressable” does not mean optional. If encryption isn’t implemented, the organization must document the rationale and use an equivalent alternative.
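As an added example (not code from the original page), the Python below shows three of these safeguards working together: a hash-chained audit trail that records who read which record and when and detects after-the-fact edits, a refusal to open sessions under shared account names so activity traces to one individual, and an automatic logoff after an assumed 15 minutes of inactivity. The account names, timeout and clock values are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

AUTO_LOGOFF = timedelta(minutes=15)                 # assumed inactivity limit
SHARED_ACCOUNTS = {"admin", "nurse", "frontdesk"}   # constructed non-unique IDs
T0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc) # constructed clock start

def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)

def entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}   # hash everything but the hash
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log of who touched which record and when. Each entry's
    hash covers the previous hash, so editing or deleting one breaks verify()."""
    def __init__(self):
        self.entries = []
    def record(self, user, patient, action, when):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"user": user, "patient": patient, "action": action,
                 "time": when.isoformat(), "prev": prev}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or entry_hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class Session:
    """A logged-in user. Every PHI read is audited; idle sessions are ended."""
    def __init__(self, user, log, started):
        if user in SHARED_ACCOUNTS:   # activity must trace back to one person
            raise ValueError(f"shared account not allowed: {user}")
        self.user, self.log, self.last_activity, self.active = user, log, started, True
        log.record(user, None, "login", started)
    def read_record(self, patient, now) -> bool:
        if self.active and now - self.last_activity > AUTO_LOGOFF:
            self.active = False
            self.log.record(self.user, None, "auto_logoff", now)
        if not self.active:
            return False
        self.log.record(self.user, patient, "read", now)
        self.last_activity = now
        return True
```

In a real system the log would be written to append-only storage and the chain head anchored somewhere the application cannot overwrite; the chain here only makes tampering detectable, not impossible.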
Risk Analysis: The Foundation of Compliance
A risk analysis is the single most important compliance activity under the Security Rule, and it’s also one of the most common areas where organizations fall short during audits. The analysis must cover all e-PHI that the organization creates, receives, stores, or transmits, across every system and medium, including portable devices, network drives, and cloud storage.
The process involves identifying where e-PHI lives, documenting potential threats (natural disasters, cyberattacks, insider errors), evaluating existing security measures, estimating the likelihood and impact of each threat, and assigning risk levels. There’s no required format, but the analysis must be documented. It’s also not a one-time exercise. Organizations must update their risk analysis whenever they adopt new technology, change business operations, or experience a security incident.
Breach Notification Requirements
When a breach of unsecured PHI occurs, the Breach Notification Rule dictates who must be told and how quickly. A breach is generally any unauthorized access, use, or disclosure of PHI that compromises its security or privacy.
Affected individuals must be notified in writing within 60 days of discovering the breach. If the breach affects 500 or more residents of a single state or jurisdiction, the organization must also notify prominent local media outlets within that same 60-day window. The Department of Health and Human Services must be notified within 60 days for breaches affecting 500 or more people. For smaller breaches affecting fewer than 500 individuals, organizations can report them to HHS annually, with the report due no later than 60 days after the end of the calendar year in which the breaches were discovered.
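The deadlines above follow a small decision procedure, shown here as an added Python example (not from the original page): given the discovery date and the number of affected individuals per state or jurisdiction, it derives who must be notified and by when, distinguishes the 500-person media and HHS thresholds, and can list which notices are overdue on a given day. Dates are ISO strings and the sample figures are constructed.

```python
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)
LARGE_BREACH = 500   # media notice threshold per state, prompt HHS notice threshold in total

def notification_plan(discovered: str, affected_by_state: dict) -> dict:
    """Who must be told and by when, from the discovery date (YYYY-MM-DD) and
    the number of affected individuals per state or jurisdiction."""
    found = date.fromisoformat(discovered)
    deadline = (found + NOTICE_WINDOW).isoformat()
    total = sum(affected_by_state.values())
    media_states = sorted(s for s, n in affected_by_state.items() if n >= LARGE_BREACH)
    plan = {
        "affected_total": total,
        "individuals_by": deadline,                  # written notice, always required
        "media_by": deadline if media_states else None,
        "media_states": media_states,
    }
    if total >= LARGE_BREACH:
        plan["hhs_by"] = deadline                    # HHS within the same 60-day window
    else:
        # Smaller breaches go on the annual log, due 60 days after the end
        # of the calendar year in which the breach was discovered.
        plan["hhs_by"] = (date(found.year, 12, 31) + NOTICE_WINDOW).isoformat()
    return plan

def overdue(plan: dict, today: str, done: set) -> list:
    """Names of notifications whose deadline has passed without being sent."""
    late = []
    for name in ("individuals", "media", "hhs"):
        due = plan.get(f"{name}_by")
        if due and name not in done and today > due:   # ISO dates compare as strings
            late.append(name)
    return late
```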
Training and Documentation
HIPAA requires organizations to train their workforce “as necessary and appropriate” for their job functions. While the law doesn’t specify an exact frequency, regulators expect a documented, risk-based training schedule with proof of completion. In practice, this means training new employees before they access PHI (many organizations set a written deadline, such as within 30 days of hire), providing annual privacy and security refresher courses, retraining promptly when policies or systems change, and delivering additional training after incidents or audit findings. The same requirements apply to contractors, volunteers, students, and temporary staff who handle PHI.
All HIPAA-related documentation, including policies, procedures, risk analyses, training records, and business associate agreements, must be retained for a minimum of six years from when the document was created or was last in effect, whichever is later.
Penalties for Violations
HIPAA enforcement falls to the Office for Civil Rights (OCR) within HHS. Penalties are structured in four tiers based on the level of culpability:
- Unknowing violations: $100 to $50,000 per violation, with an annual cap of $25,000.
- Reasonable cause (not willful neglect): $1,000 to $50,000 per violation, capped at $100,000 per year.
- Willful neglect, corrected within 30 days: $10,000 to $50,000 per violation, capped at $250,000 per year.
- Willful neglect, not corrected: $50,000 per violation, with an annual maximum of $1.5 million.
Because a single incident can involve thousands of individual records, each counting as a separate violation, total penalties can escalate rapidly. Criminal penalties, including fines and imprisonment, are also possible for knowingly obtaining or disclosing PHI in violation of the law. Those cases are handled by the Department of Justice rather than OCR.