The Health Insurance Portability and Accountability Act establishes national standards for protecting sensitive patient health information in the United States, requiring safeguards for electronic health data and giving patients rights over their medical records.

What is HIPAA? | Privacy Glossary

HIPAA protects your health information from unauthorized disclosure. Hospitals, doctors, insurance companies, and their business associates must follow strict rules about how they handle your medical data.

Key Components

Privacy Rule

Protects individually identifiable health info
Limits use and disclosure
Gives patients access to records

Security Rule

Requires administrative safeguards
Physical safeguards
Technical safeguards (encryption, access controls)

Breach Notification Rule

Must notify affected individuals
Must notify HHS (Health & Human Services)
Media notification for large breaches

Protected Health Information (PHI)

Information that:

Relates to health condition, care, or payment
Identifies the individual
Held by covered entity or business associate

Examples of PHI

Medical records
Lab results
Insurance claims
Prescription information
Health plan enrollment

Not PHI (When De-identified)

Statistical health data
Anonymized research data
Education records (FERPA instead)

Who Must Comply

Covered Entities

Healthcare providers
Health plans
Healthcare clearinghouses

Business Associates

Companies handling PHI on behalf of covered entities
IT providers, billing companies
Must sign Business Associate Agreement

Patient Rights

Access

View and copy your records
Request amendments
Get accounting of disclosures

Control

Request restrictions on use
Request confidential communications
File complaints about violations

Penalties

Tier	Violation Type	Fine per Violation
1	Unaware	$100 - $50,000
2	Reasonable cause	$1,000 - $50,000
3	Willful neglect (corrected)	$10,000 - $50,000
4	Willful neglect (not corrected)	$50,000+

Criminal penalties possible for intentional violations.

What is HIPAA?