
HIPAA

Also known as: Health Insurance Portability and Accountability Act

HIPAA (pronounced “HIP-uh”) is the Health Insurance Portability and Accountability Act, a US federal law enacted in 1996 that sets national standards for protecting patient health information. Its Privacy Rule governs who can access patient data and under what circumstances. Its Security Rule sets technical safeguards for electronic health information.

Any organisation that handles protected health information (PHI) — providers, insurers, clearinghouses, and their business associates — must comply with HIPAA.

You’ll hear this when…

“That’s a HIPAA violation” is one of the most frequently invoked phrases in healthcare. HIPAA comes up in training, compliance reviews, data security discussions, and everyday workplace conversations about patient privacy.

In health-tech, HIPAA compliance is a fundamental product requirement. Software that stores, transmits, or processes patient data must meet HIPAA’s security standards. This includes encryption, access controls, audit logging, and Business Associate Agreements (BAAs) with any third-party vendors.

What it actually requires

HIPAA doesn’t prohibit sharing health information — it sets rules for when and how it can be shared. Providers can share PHI for treatment, payment, and healthcare operations without patient consent. Sharing for marketing, research, or with employers requires explicit authorisation. Violations carry civil penalties up to $1.5 million per incident category per year, and criminal penalties for intentional misuse.

Source: US Department of Health and Human Services (HHS) — HIPAA administrative simplification