HIPAA (the Health Insurance Portability and Accountability Act) is a 1996 federal law with two core purposes: keeping your health insurance coverage intact when you change jobs, and protecting the privacy and security of your medical information. The name is frequently misspelled as “HIPPA,” but the acronym stands for Health Insurance Portability and Accountability Act, with one P. While most people associate HIPAA with medical privacy, the law actually covers a broader set of goals, from fighting healthcare fraud to standardizing how the entire industry handles paperwork and electronic records.
The Two Main Goals of HIPAA
HIPAA was designed around two titles, each tackling a different problem. Title I focuses on health insurance portability, meaning your ability to keep or obtain health coverage when you switch employers, lose a job, or have a pre-existing condition. Before HIPAA, changing jobs could mean losing coverage entirely or being denied a new plan because of a prior diagnosis. Title I limits those gaps.
Title II addresses fraud, administrative inefficiency, and the protection of health data. It created national standards for electronic healthcare transactions, established penalties for healthcare fraud, and, most famously, led to the Privacy Rule and Security Rule that govern how your medical information is handled. Together, these two titles cover the full scope of what HIPAA does: protect your insurance access and protect your health information.
How HIPAA Protects Your Medical Privacy
The Privacy Rule is the part of HIPAA most people encounter. It sets national standards for who can see your health information, how it can be shared, and what rights you have over it. The law covers what’s called Protected Health Information, or PHI. That includes anything that identifies you and relates to your physical or mental health, any care you’ve received, or payment for that care. It doesn’t matter whether the information is in an electronic record, written on paper, or spoken aloud. All of it is protected.
PHI is broader than most people realize. Your name, address, birth date, Social Security number, and medical record number all count when they’re linked to health information. Even demographic data falls under HIPAA protection if there’s a reasonable basis to believe it could be used to identify you.
The Privacy Rule doesn’t lock down health information completely, though. Its stated goal is to protect your data while still allowing the flow of information needed to deliver quality healthcare and protect public health. That means your doctor can share relevant information with a specialist treating you, your insurer can process claims, and public health authorities can receive reports on certain diseases. These permitted uses keep the healthcare system functional without requiring your written authorization every time information changes hands.
Your Rights Under HIPAA
HIPAA gives you concrete rights over your own health records. You can request a copy of your medical records from any covered provider, and they must respond within 30 calendar days. If they need more time, they can take an additional 30 days, but only if they notify you in writing during that first window, explain the delay, and give you a specific date they’ll have the records ready.
You also have the right to request corrections to your records if something is inaccurate, to ask for an accounting of who your information has been disclosed to, and to request restrictions on how your information is used or shared. Providers don’t have to agree to every restriction you request, but they must consider it and follow through if they do agree.
Who Has to Follow HIPAA
HIPAA applies to three categories of organizations, called covered entities: healthcare providers, health plans, and healthcare clearinghouses. Healthcare providers include doctors, clinics, dentists, psychologists, chiropractors, nursing homes, and pharmacies, but only if they transmit health information electronically for standard transactions like billing. Health plans include insurance companies, HMOs, employer-sponsored health plans, and government programs like Medicare, Medicaid, and veterans’ health programs. Clearinghouses are the behind-the-scenes entities that convert nonstandard health data into standardized electronic formats.
Beyond these covered entities, HIPAA also applies to business associates. These are companies or individuals that perform services for a covered entity and handle PHI in the process, such as billing companies, IT contractors, cloud storage providers, or law firms. Written contracts must be in place before any business associate can create, receive, store, or transmit protected health information.
One common misconception: HIPAA does not apply to every organization that has your health-related data. Your employer, your fitness app, and most consumer health websites are generally not covered entities. HIPAA’s rules only bind the specific types of organizations defined in the law.
Securing Electronic Health Records
The Security Rule complements the Privacy Rule by setting specific requirements for protecting electronic health information. It requires covered entities and their business associates to implement three categories of safeguards: administrative, physical, and technical.
Administrative safeguards include conducting thorough risk assessments, designating a security official, training all staff on security policies, and having contingency plans for emergencies like data loss or system failures. Physical safeguards cover things like controlling who can physically access buildings, servers, and workstations where electronic records are stored, and having policies for wiping data from devices before they’re reused or discarded. Technical safeguards require access controls so only authorized people can view records, audit systems that track who accessed what, integrity checks to confirm records haven’t been tampered with, and authentication procedures to verify that users are who they claim to be.
Organizations must also periodically evaluate whether their safeguards are actually working, through both technical testing and policy reviews.
Cutting Paperwork Across the Industry
One of HIPAA’s less discussed but practically significant purposes is administrative simplification. Before HIPAA, healthcare billing and insurance transactions were a patchwork of different formats, codes, and identifiers that varied from one insurer or provider to the next. HIPAA established national standards for electronic transactions, code sets (like the diagnostic and procedure codes used in billing), unique identifiers for providers and health plans, and operating rules that govern how these transactions work.
These standards mean that a claim submitted by a small clinic in rural Montana uses the same electronic format as one from a major hospital system in New York. That consistency reduces errors, speeds up processing, and lowers administrative costs across the entire healthcare system.
What Happens When HIPAA Is Violated
HIPAA violations carry civil penalties organized into four tiers based on the level of awareness and negligence involved. An unknowing violation can result in fines of $100 to $50,000 per incident, with a yearly cap of $25,000 for repeat violations. Violations due to reasonable cause range from $1,000 to $50,000 each, capped at $100,000 annually. Willful neglect that gets corrected in time carries fines of $10,000 to $50,000 per violation, with an annual maximum of $250,000. The steepest penalties hit organizations that willfully neglect the rules and fail to fix the problem: $50,000 per violation, up to $1.5 million per year.
When a data breach occurs, covered entities must notify affected individuals. If 500 or more people are affected, the organization must also notify the U.S. Department of Health and Human Services within 60 days and alert prominent media outlets in the affected state. Smaller breaches affecting fewer than 500 individuals can be reported to HHS annually, by the end of the calendar year following discovery.
Recent Changes to HIPAA
HIPAA has continued to evolve. In 2024, HHS finalized a rule specifically addressing reproductive health care privacy. The rule prohibited covered entities from using or disclosing health information to investigate or impose liability on someone for seeking, obtaining, providing, or facilitating lawful reproductive health care. It also required entities receiving certain requests for reproductive health records to obtain a signed attestation that the request wasn’t for a prohibited purpose. However, in June 2025, a federal court vacated most of this reproductive health privacy rule, leaving only certain modifications to privacy practice notices in effect. The legal landscape around these protections remains in flux.

