Health Information Privacy and HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes the federal baseline for protecting individually identifiable health information in the United States. This page covers the law's definitional scope, the operational mechanics of its Privacy and Security Rules, the scenarios in which protections apply or yield to permitted disclosures, and the boundary conditions that distinguish covered entities from non-covered actors. Understanding these distinctions matters because violations carry civil and criminal penalties administered by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Definition and scope
HIPAA's Privacy Rule, codified at 45 C.F.R. Parts 160 and 164, defines Protected Health Information (PHI) as any individually identifiable health information held or transmitted by a covered entity or its business associates, in any format — oral, paper, or electronic. The 18 identifiers specified by HHS that, when combined with health data, render information identifiable include name, geographic data smaller than a state, dates (other than year) directly related to an individual, phone numbers, and Social Security numbers, among others.
Covered entities fall into three categories under 45 C.F.R. § 160.103:
- Health plans (insurers, HMOs, Medicare and Medicaid programs)
- Health care clearinghouses (entities that process nonstandard data into standard formats)
- Health care providers who transmit health information electronically in connection with covered transactions
Business associates — contractors and vendors who handle PHI on behalf of a covered entity — became directly liable under the HITECH Act of 2009, which amended HIPAA and extended the Privacy and Security Rules to that class. Telehealth and virtual medical services platforms, for instance, typically qualify as business associates when they store or process patient records for a covered provider.
HIPAA does not cover all entities that hold health data. Employers handling employee medical records under ERISA, life insurers, and consumer wellness apps that operate independently of a covered entity fall outside HIPAA's direct reach — a boundary condition with practical consequences explored in the Decision Boundaries section below.
How it works
HIPAA operates through four interlocking rules administered by HHS OCR:
- Privacy Rule — Establishes patients' rights over their PHI and restricts use and disclosure without written authorization, with enumerated exceptions.
- Security Rule — Requires covered entities to implement administrative, physical, and technical safeguards for electronic PHI (ePHI), under 45 C.F.R. §§ 164.302–164.318.
- Breach Notification Rule — Mandates notification within 60 days of discovering a breach to affected individuals and to HHS, and, for breaches affecting 500 or more individuals in a state, to prominent media outlets (45 C.F.R. §§ 164.400–164.414).
- Enforcement Rule — Establishes a tiered civil money penalty structure ranging from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (HHS OCR Enforcement).
The Security Rule uses a required vs. addressable implementation distinction. Required safeguards must be implemented regardless of circumstances. Addressable safeguards must be implemented if reasonable and appropriate; if not, the covered entity must document an equivalent alternative measure. This is not an opt-out mechanism — it is a structured risk-assessment framework aligned with NIST SP 800-66 Rev. 2, HHS's referenced guidance document for Security Rule implementation.
Patient rights in medical settings under HIPAA include the right to access and receive copies of PHI, request amendments, obtain an accounting of disclosures, and request restrictions on certain uses — all enforceable through HHS OCR complaint procedures.
Common scenarios
Treatment, Payment, and Operations (TPO): Covered entities may use or disclose PHI without patient authorization for treatment (a physician sharing records with a specialist), payment (billing an insurer), and health care operations (quality audits). TPO disclosures represent the broadest permitted-use category under 45 C.F.R. § 164.506.
Public health reporting: HIPAA permits disclosure to public health authorities — including state health departments and the CDC — for activities authorized by law, such as communicable disease surveillance. Public health departments and services rely on this exception to receive reportable disease data from providers without individual authorization.
Mental health records: Mental health services in the U.S. involve a layered privacy framework. Psychotherapy notes receive heightened protection under HIPAA and are excluded from the standard TPO disclosure pathway, requiring specific authorization in most circumstances. Substance use disorder records maintained by federally assisted programs are governed by the separate 42 C.F.R. Part 2 regulations, which impose stricter consent requirements than HIPAA.
Breach incidents: HHS OCR's breach portal — publicly accessible as the "Wall of Shame" — has logged breaches affecting 500 or more individuals since 2009. According to data published by HHS OCR, hacking and IT incidents account for the largest share of reported large breaches by volume of records affected.
Decision boundaries
The critical classification question under HIPAA is whether a given entity or data element falls within the law's scope. Four boundary conditions govern this analysis:
| Scenario | HIPAA Applies? | Governing Authority |
|---|---|---|
| Hospital billing department transmitting claims electronically | Yes | 45 C.F.R. § 160.103 (covered entity) |
| Employer-operated on-site clinic with separate records | Yes — limited | 45 C.F.R. § 164.530(i) |
| Consumer fitness app with no covered entity relationship | No | FTC Act (FTC Health Breach Notification Rule applies) |
| Research institution receiving de-identified data | No, if properly de-identified | 45 C.F.R. § 164.514(a) |
De-identification removes HIPAA's protections entirely. Two methods are recognized: the Safe Harbor method (removing all 18 specified identifiers) and the Expert Determination method (a qualified statistician certifies that re-identification risk is very small). Once data is de-identified under either standard, it is no longer PHI and HIPAA no longer governs its use.
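As an added illustration of the Safe Harbor method (example code written for this page, not HHS's or any vendor's), the following applies the identifier classes named above to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, geography is reduced to the state, and free text is masked for patterns that leak identifiers. The record layout, field names and regex patterns are assumptions, the age rule it also applies (ages over 89 collapse to 90+) is part of the Safe Harbor standard though not mentioned on this page, and a real pass must cover all 18 identifier classes rather than the subset handled here.

```python
import re
from datetime import date

# Constructed field names for a toy patient record; real schemas differ.
DIRECT_IDENTIFIERS = {"name", "phone", "ssn"}
# Constructed, non-exhaustive patterns for identifiers that leak into free text.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")

def generalize_date(iso_date):
    """Dates directly related to the individual keep only the year."""
    return str(date.fromisoformat(iso_date).year)

def generalize_age(age):
    """Safe Harbor also collapses ages over 89 into a single 90+ bucket."""
    return "90+" if age > 89 else age

def scrub_free_text(text):
    """Mask SSN and phone patterns that appear inside narrative fields."""
    return PHONE_RE.sub("[PHONE]", SSN_RE.sub("[SSN]", text))

def safe_harbor(record):
    """Copy of the record with the identifiers named above removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed outright
        if key.endswith("_date"):
            out[key[:-5] + "_year"] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "address":
            # Geographic data smaller than a state is dropped; keep the state only.
            out["state"] = value.get("state")
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out

# Constructed sample record; every value is fictional.
SAMPLE = {
    "name": "Jane Doe", "ssn": "123-45-6789", "phone": "555-123-4567",
    "birth_date": "1931-04-12", "admit_date": "2023-11-02", "age": 92,
    "address": {"street": "1 Main St", "city": "Springfield", "zip": "62704", "state": "IL"},
    "diagnosis": "Type 2 diabetes",
    "note": "Reachable at 555-123-4567; SSN 123-45-6789 on file.",
}
```

Running `safe_harbor(SAMPLE)` yields a record with no name, phone, SSN, street, city or ZIP, with only years for the two dates, and with the note's embedded phone number and SSN masked.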
State law preemption: HIPAA sets a federal floor, not a ceiling. State privacy laws that are more protective of patient information are not preempted. California's Confidentiality of Medical Information Act (CMIA) and New York's SHIELD Act impose requirements exceeding HIPAA's baseline in specific respects. Medical and health services regulatory bodies at the state level may enforce these additional standards independently of HHS OCR.
The Minimum Necessary Standard under 45 C.F.R. § 164.502(b) requires that uses and disclosures of PHI be limited to the minimum amount necessary to accomplish the intended purpose — except for disclosures to the individual, for treatment, or pursuant to a valid authorization. This standard distinguishes HIPAA's operational design from an all-or-nothing access model and directly shapes how diagnostic and imaging services and other provider-to-provider sharing workflows must be structured.
References
- U.S. Department of Health and Human Services — HIPAA for Professionals
- HHS Office for Civil Rights — HIPAA Enforcement
- 45 C.F.R. Parts 160 and 164 — eCFR (HIPAA Administrative Simplification)
- 45 C.F.R. Part 160 — General Administrative Requirements
- 42 C.F.R. Part 2 — Confidentiality of Substance Use Disorder Patient Records
- NIST SP 800-66 Rev. 2 — Implementing the HIPAA Security Rule
- [HHS OCR Breach Portal (Wall of Shame)](https://ocrportal.hhs