HIPAA is a US federal law, enacted in 1996, that sets national standards for protecting individuals' health information. Its protections are implemented through regulations issued by the US Department of Health and Human Services (HHS): the Privacy Rule, the Security Rule, and the Breach Notification Rule, found at 45 CFR Parts 160 and 164.

HIPAA applies to specific organizations — health plans, health care clearinghouses, most health care providers ("covered entities"), and the vendors that handle health data on their behalf ("business associates"). It is enforced by the HHS Office for Civil Rights (OCR), which investigates complaints and can impose civil and, via the Department of Justice, criminal penalties.

Who must comply with HIPAA?

HIPAA applies to two groups:

  • Covered entities — (1) health plans, (2) health care clearinghouses, and (3) health care providers who transmit health information electronically in connection with certain standard transactions (e.g., claims).
  • Business associates — persons or organizations that perform functions or services for a covered entity that involve access to protected health information (e.g., billing companies, cloud storage vendors, claims processors). Business associates are directly liable under the Security Rule and parts of the Privacy and Breach Notification Rules.

HIPAA does not regulate every entity that holds health data — for example, many fitness apps and life insurers fall outside its scope.

What is PHI and ePHI?

Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or business associate, in any form — oral, paper, or electronic. It includes medical records and information relating to an individual's past, present, or future physical or mental health, the provision of care, or payment for care that identifies the individual.

Electronic Protected Health Information (ePHI) is the subset of PHI that is created, received, maintained, or transmitted in electronic form. ePHI is the focus of the Security Rule. (PHI communicated orally or on paper is covered by the Privacy Rule but not the Security Rule.)

What does the Privacy Rule require?

The Privacy Rule sets national standards for how PHI may be used and disclosed. Key requirements:

  • Limits on use and disclosure — PHI generally may not be used or disclosed without the individual's authorization, except as the Rule permits (e.g., for treatment, payment, and health care operations).
  • Minimum necessary — covered entities must limit PHI use, disclosure, and requests to the minimum amount needed to accomplish the purpose.
  • Individual rights — individuals can inspect and obtain copies of their records, request corrections, and receive an accounting of certain disclosures.
  • Notice of Privacy Practices — entities must give individuals a plain-language notice describing how their information is used and their rights.

What does the Security Rule require?

The Security Rule requires covered entities and business associates to protect the confidentiality, integrity, and availability of all ePHI they handle, and to protect against reasonably anticipated threats and impermissible disclosures. It mandates three categories of safeguards:

  • Administrative safeguards — risk analysis and management, security policies, workforce training, and assigning a security official.
  • Physical safeguards — facility access controls, workstation security, and device and media controls.
  • Technical safeguards — access controls, audit controls, integrity controls, and transmission security (e.g., encryption where appropriate).

The Rule is designed to be scalable to an organization's size and circumstances.

What does the Breach Notification Rule require, and what are the timelines?

The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured PHI. Timelines:

  • To affected individuals — without unreasonable delay and no later than 60 days after discovery of the breach.
  • To HHS — for breaches affecting 500 or more individuals, no later than 60 days after discovery; for breaches affecting fewer than 500, on an annual basis, no later than 60 days after the end of the calendar year in which they were discovered.
  • To the media — for breaches affecting more than 500 residents of a state or jurisdiction, without unreasonable delay and no later than 60 days after discovery.

Business associates must notify the covered entity following discovery of a breach.

Who enforces HIPAA and what are the penalties?

The HHS Office for Civil Rights (OCR) enforces the Privacy, Security, and Breach Notification Rules, investigating complaints and conducting compliance reviews. The HIPAA Enforcement Rule governs investigations and civil money penalties.

Civil penalties are tiered by the violator's level of culpability:

  • Tier 1 — did not know (and would not have known by exercising reasonable diligence).
  • Tier 2 — violation due to reasonable cause, not willful neglect.
  • Tier 3 — willful neglect, timely corrected.
  • Tier 4 — willful neglect, not timely corrected.

Penalty amounts per violation and annual caps increase with each tier and are adjusted for inflation. Criminal penalties for knowingly obtaining or disclosing PHI are pursued by the Department of Justice and range up to a $250,000 fine and 10 years' imprisonment for offenses committed for personal gain or malicious harm.

Frequently asked questions

Is HIPAA a federal or state law?

HIPAA is a US federal law, enacted by Congress in 1996. Its rules apply nationwide. States may enact health-privacy laws that are more stringent, which can apply alongside HIPAA.

Does HIPAA apply to all organizations that hold health data?

No. HIPAA applies only to covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates. Many other holders of health data, such as some consumer health apps, fall outside HIPAA's scope.

What is the difference between PHI and ePHI?

PHI is protected health information in any form — oral, paper, or electronic. ePHI is the electronic subset of PHI. The Privacy Rule covers all PHI; the Security Rule applies specifically to ePHI.

How quickly must a HIPAA breach be reported?

Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must also be reported to HHS within 60 days; smaller breaches may be reported to HHS annually.

Who investigates HIPAA violations?

The HHS Office for Civil Rights (OCR) investigates complaints and reviews compliance with the Privacy, Security, and Breach Notification Rules. The Department of Justice handles criminal cases.

What are the three main HIPAA rules?

The Privacy Rule governs how PHI may be used and disclosed; the Security Rule sets safeguards for ePHI; and the Breach Notification Rule requires notification when unsecured PHI is breached.

Official sources