HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law enacted in 1996 that sets national standards for protecting the privacy and security of patient health information. It applies to healthcare providers, health plans, and healthcare clearinghouses handling Protected Health Information (PHI). Non-compliance carries penalties ranging from $100 to $50,000 per violation.
The Privacy Rule governs how healthcare entities use and disclose Protected Health Information. It gives patients rights over their medical records and establishes how organizations can handle that data.
The Security Rule mandates technical and administrative safeguards to protect PHI. It requires administrative, physical, and technical controls. Unlike the Privacy Rule's prescriptive approach, the Security Rule is flexible—you choose your encryption algorithms and authentication methods, but they must be reasonable and appropriate for your organization's size and risks.
The Breach Notification Rule requires organizations to report unauthorized access or disclosure of PHI to affected individuals, regulators, and sometimes the media within 60 days.
Encryption: PHI must be encrypted in transit (TLS 1.2+) and at rest (AES-256).
Access Controls: Each user needs a unique identifier. Multi-factor authentication is strongly recommended for administrative access.
Audit Logging: All access to PHI must be logged—who accessed what, when, and for what purpose.
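One way to implement the audit-logging and unique-identifier requirements above is an append-only log whose entries are chained with an HMAC, so that an edited or deleted record is detectable later. This is an added example, not code from any HIPAA guidance; the field names, the use of HMAC-SHA256 and the assumption that the key lives outside the log (for instance in a KMS) are all choices made here.

```python
"""Tamper-evident audit log for PHI access (constructed example).

Each record captures who accessed what, when and for what purpose, and is
chained to the previous record with an HMAC. Assumption: the HMAC key is
stored outside the log, and user_id is the per-user unique identifier.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

REQUIRED_FIELDS = ("user_id", "patient_id", "action", "timestamp", "purpose")
GENESIS = "0" * 64  # chain anchor for the first record


def _mac(key: bytes, prev_mac: str, entry: dict) -> str:
    # Canonical JSON so the same entry always produces the same MAC.
    payload = prev_mac + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append_access(log: list, key: bytes, user_id: str, patient_id: str,
                  action: str, purpose: str, timestamp: str = "") -> dict:
    """Append one PHI access record; rejects entries missing who/what/when/why."""
    entry = {
        "user_id": user_id,
        "patient_id": patient_id,
        "action": action,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "purpose": purpose,
    }
    missing = [f for f in REQUIRED_FIELDS if not entry[f]]
    if missing:
        raise ValueError(f"audit entry missing required fields: {missing}")
    prev = log[-1]["mac"] if log else GENESIS
    record = {"entry": entry, "mac": _mac(key, prev, entry)}
    log.append(record)
    return record


def verify_log(log: list, key: bytes) -> int:
    """Recompute the chain. Return the index of the first bad record, or -1 if intact."""
    prev = GENESIS
    for i, record in enumerate(log):
        expected = _mac(key, prev, record["entry"])
        if not hmac.compare_digest(expected, record["mac"]):
            return i
        prev = record["mac"]
    return -1
```

The verifier reports the position of the first record whose content or predecessor no longer matches, which is what a reviewer needs when investigating a suspected log alteration.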