HIPAA
S. federal law that sets national standards for protecting sensitive patient health information from being disclosed without the patient's consent or knowledge.
Definition
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law that sets national standards for protecting sensitive patient health information from being disclosed without the patient's consent or knowledge.
Overview
Enacted in 1996, HIPAA applies to "covered entities" — healthcare providers, health plans, and healthcare clearinghouses — as well as their "business associates," which includes many technology vendors that handle Protected Health Information (PHI) on their behalf, such as cloud hosting providers or software platforms. Its Privacy Rule governs how PHI may be used and disclosed, while its Security Rule sets specific requirements for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards, including access controls, audit logging, and encryption at rest and encryption in transit. Organizations handling PHI must sign Business Associate Agreements (BAAs) with any vendor that processes that data on their behalf, and must have breach notification procedures for both patients and regulators when PHI is exposed. Violations can result in civil penalties ranging from thousands to over a million dollars per year for repeated violations, plus reputational damage, and in cases of willful neglect, potential criminal charges. Developers building healthcare software need to understand HIPAA's technical safeguards early in the design process, a consideration touched on in Cloud Security Fundamentals when working with regulated data.
Key Concepts
- U.S. federal law protecting health information (PHI)
- Applies to covered entities and their business associates (including tech vendors)
- Privacy Rule governs use and disclosure of PHI
- Security Rule mandates administrative, physical, and technical safeguards for ePHI
- Requires Business Associate Agreements (BAAs) with third-party vendors
- Breach notification obligations to patients and regulators