What is HIPAA (Health Insurance Portability and Accountability Act)?

HIPAA is a US federal law that establishes national standards for protecting the privacy and security of individuals' health information, applying to covered entities and their business associates.

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 that establishes national standards for the protection of individually identifiable health information, known as Protected Health Information (PHI). HIPAA applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers who conduct certain electronic transactions) and their business associates (organizations that perform functions or activities involving PHI on behalf of covered entities).

HIPAA consists of several rules: the Privacy Rule establishes standards for the use and disclosure of PHI; the Security Rule sets standards for safeguarding electronic PHI (ePHI) through administrative, physical, and technical safeguards; the Breach Notification Rule requires notification of breaches of unsecured PHI; and the Enforcement Rule establishes procedures for investigations and penalties. The Privacy Rule permits use and disclosure of PHI for treatment, payment, and healthcare operations without individual authorization, while most other uses require written authorization.

The Office for Civil Rights (OCR) within the Department of Health and Human Services enforces HIPAA, with penalties ranging from $100 to $50,000 per violation, up to $1.5 million per year for each violation category. Criminal penalties can also apply. Organizations handling PHI can leverage IQWorks to identify and protect health information across systems using DiscoverIQ for locating PHI and ProtectIQ for implementing appropriate safeguards.