>

Glossary Home

What will I learn?

  1. What is HIPAA?
  2. What information is protected under HIPAA?
  3. Key purposes of HIPAA
  4. The four pillars of HIPAA
  5. Who does HIPAA apply to?
  6. Why is HIPAA compliance important?

Related Content

Glossary Home

HIPAA

What is HIPAA? 

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. Federal law passed in 1996. It establishes national standards to protect sensitive patient health information (PHI) from unauthorized access, use, or disclosure. 

HIPAA requires covered entities such as healthcare providers, insurers, and their business associates to implement strict privacy and security safeguards to protect medical records and health data. 

What information is protected under HIPAA? 

HIPAA covers Protected Health Information (PHI), which refers to individually identifiable health information transmitted by electronic media or maintained in any form, including electronic, paper, or other formats. 

According to the U.S. Department of Health and Human Services (HHS), PHI includes information related to: 

  • Health status: An individual’s past, present, or future physical or mental health condition.
  • Provision of care: Medical services provided to an individual, such as surgeries, diagnoses, or lab results.
  • Payment for care: Billing records, insurance claims, and payment history related to their healthcare. 

HIPAA also identifies 18 elements of information as PHI. These include any data that can uniquely identify an individual, such as: 

  • Name
  • Address
  • Email address
  • Phone numbers
  • Past medical records
  • Billing information
  • Health insurance information 

Key purposes of HIPAA 

HIPAA was passed to achieve the following objectives: 

  • Privacy and security: Defines rules and standards for protecting PHI.
  • Standardization: Mandates uniform formats and code sets for health-related electronic transactions.
  • Portability: Ensures that individuals can maintain health insurance coverage when changing jobs or health plans. 

The four pillars of HIPAA 

HIPAA is enforced through four primary rules that work together to protect PHI. 

1. The HIPAA privacy rule 

The privacy rule defines who can access an individual’s PHI and under what circumstances it can be used or disclosed. It grants individuals rights over their health information. It requires covered entities to implement privacy safeguards to protect PHI. 

2. The HIPAA security rule 

The security rule defines standards for protecting electronic PHI (ePHI). It requires covered entities and associated businesses to implement administrative, physical, and technical safeguards to protect ePHI. 

3. The HIPAA breach notification rule 

The breach notification rule requires covered entities and business associates to notify affected individuals, HHS, and, in certain cases, the media, within 60 days of discovering a breach involving unsecured PHI. 

4. The HIPAA enforcement rule 

The enforcement rule establishes procedures for investigating complaints, conducting compliance audits, and imposing penalties for HIPAA violations. It authorizes the HHS Office for Civil Rights (OCR) to enforce HIPAA regulations. 

Who does HIPAA apply to? 

HIPAA compliance is mandatory for the following categories. 

Covered entities (CEs) 

Covered entities are individuals or organizations who handle, create, receive, maintain, or transmit PHI electronically. 

Examples include: 

  • Healthcare providers: Doctors, hospitals, clinics, dentists, pharmacies, and nursing homes.
  • Health plans: Insurance companies, HMOs, employer-sponsored plans, Medicare, and Medicaid.
  • Healthcare clearing houses: Entities that process non-standard health information into standard formats (e.g., billing services). 

Business associates (BAs) 

Business associates are individuals or organizations that perform services for covered entities and having access to PHI. 

Examples include: 

  • IT vendors and cloud service providers (hosting, email, backup)
  • Billing companies and collection agencies
  • Electronic Medical Record (EMR) vendors
  • Consultants and legal firms reviewing PHI
  • Subcontractors who assist business associates
  • Shredding and document destruction services
  • Data analytics companies processing health data 

Hybrid entities 

Hybrid entities are organizations that perform covered functions (like providing health care or operating a health plan) and non-covered functions (such as education or retail). Only their designated healthcare components are required to comply with HIPAA. 

Researchers 

Researchers must comply with HIPAA when they create, access, or use PHI for research purposes. 

Why is HIPAA compliance important? 

HIPAA compliance is mandatory for organizations that handle the PHI of U.S. citizens, regardless of whether the organization operates within or outside the United States. For healthcare organizations, compliance offers several benefits. 

Enhanced data security 

HIPAA mandates strong administrative, physical, and technical safeguards such as multifactor authorization, encryption, access controls, and audit logging. 

HIPAA also requires covered entities to retain policies, procedures, and related documentation for a minimum of six years. Email archiving and security solutions like Zoho eProtect help organizations meet this requirement by storing emails securely in a tamper-proof archive. Emails cannot be changed or lost, and they can be easily searched and retrieved during audits or legal reviews. These solutions also help to reduce the risk of cyberattacks and subsequent data breaches. 

Increased patient trust 

HIPAA compliance demonstrates an organization’s commitment to protecting patient data. This builds trust and makes patients feel more confident and comfortable sharing their health-related information with the organization. 

Individual rights under HIPAA 

HIPAA gives individuals the right to access their health information, request corrections, understand how their data is used, and file complaints if they believe their rights have been violated. 

Competitive advantage 

Organizations that follow HIPAA are often preferred for business partnerships and contracts, as HIPAA compliance shows their commitment to following regulations. 

Avoids penalties and law suits 

The U.S. HHS OCR enforces HIPAA compliance.The penalties for violations include civil monetary penalties ranging from $145 to over $2 million per violation, depending on the severity. Criminal penalties can also be imposed for intentional HIPAA violations, leading to imprisonment. By adhering to HIPAA compliance, organizations can significantly reduce the risk of penalties, legal action, and reputational damage. 

Operational benefits 

Implementing HIPAA standards strengthens an organization’s overall data security posture. It streamlines information handling and establishes clear internal processes, improving operational efficiency while reducing breach risks.