AuditXYZ

Lesson 1 of 5

What Is HIPAA? A Complete Introduction


What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. HIPAA applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and their business associates.

Why HIPAA Exists

HIPAA was originally designed to improve the portability of health insurance and reduce healthcare fraud. The privacy and security provisions were added to protect patient information as healthcare moved from paper to electronic records. Today, HIPAA is primarily known for its data protection requirements.

Protected Health Information (PHI)

PHI is any individually identifiable health information held or transmitted by a covered entity or business associate. This includes medical records, billing information, health plan enrollment data, and any information that identifies a patient and relates to their health condition, treatment, or payment. Electronic PHI (ePHI) is PHI stored or transmitted electronically.

The Major HIPAA Rules

HIPAA contains several rules, but three are most important for compliance. The Privacy Rule governs how PHI can be used and disclosed. The Security Rule requires safeguards to protect ePHI. The Breach Notification Rule requires notification when PHI is compromised. We cover each in detail in subsequent lessons.

Who Must Comply

Covered entities — healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses — must comply with all HIPAA rules. Business associates — organizations that handle PHI on behalf of covered entities — must comply with the Security Rule and parts of the Privacy Rule.

Penalties for Non-Compliance

HIPAA violations carry penalties ranging from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category. Criminal penalties can include fines up to $250,000 and imprisonment. The Office for Civil Rights (OCR) enforces HIPAA and publishes a public breach portal — informally known as the "Wall of Shame."

In the next lesson, we will cover the HIPAA Security Rule in detail.