HIPAA LAW: What Does It Protect?


What is HIPPA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law enacted in 1996 in the United States. HIPAA’s primary aim is to safeguard the privacy, security, and confidentiality of individuals’ protected health information (PHI) by establishing a set of standards and regulations for healthcare providers, health plans, and other entities that maintain PHI. 

HIPAA Privacy Rule, Explained

The HIPAA Privacy Rule grants patients’ rights over their PHI, including the right to access, request amendments, and control the sharing of their health information. It also imposes obligations on covered entities to implement safeguards to protect PHI, train their workforce on privacy practices, and obtain individual consent for certain uses and disclosures. 

The Privacy Rule plays a vital role in keeping the confidentiality and security of personal health information, ensuring patients have control over their own data while allowing appropriate access for healthcare purposes.

HIPAA Security Rule, Explained

The HIPAA Security Rule is an essential part of the Health Insurance Portability and Accountability Act (HIPAA). The Security Rule sets forth administrative, physical, and technical safeguards that covered entities must implement to protect the confidentiality, integrity, and availability of ePHI. 

These safeguards include measures such as risk assessments, workforce training, access controls, encryption, and contingency planning to prevent unauthorized access, use, or disclosure of ePHI. Compliance with the HIPAA Security Rule is crucial for ensuring the secure handling of electronic health information, reducing the risk of data breaches, and maintaining the trust and confidentiality of sensitive patient data.

HIPAA Covered Entities

HIPAA defines specific entities that are subject to its regulations, known as covered entities. 

Covered entities include:

Healthcare Providers

Healthcare providers, such as doctors, hospitals, clinics, psychologists, and pharmacies, are considered covered entities under HIPAA. They play a vital role in the delivery of healthcare services and are responsible for maintaining the privacy and security of patients’ protected health information (PHI).

Healthcare providers must follow HIPAA regulations when electronically transmitting and overseeing PHI, implementing safeguards to protect patient data, and ensuring appropriate access and disclosures.

Health Plans

Health plans, including health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid, and government health programs, fall under the category of covered entities. These entities are responsible for managing health insurance coverage and must comply with HIPAA to protect the privacy of individuals’ health information.

Health plans have obligations to implement privacy policies, provide individuals with notice of their privacy practices, and set up safeguards to secure PHI against unauthorized access or disclosures.

Healthcare Clearinghouses 

Healthcare clearinghouses are entities that process nonstandard health information into standardized formats. They function as intermediaries between healthcare providers and health plans, facilitating the electronic exchange of health information.

Covered healthcare clearinghouses must adhere to HIPAA’s regulations, implementing security measures and safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). They play a critical role in ensuring the secure transmission and conversion of health data, contributing to the interoperability and efficiency of electronic healthcare transactions.

Business Associates

Business associates are external entities or individuals that provide services or perform functions involving PHI, such as third-party administrators, billing companies, IT providers, and certain consultants. 

Covered entities must have written agreements in place with their business associates, outlining the responsibilities and obligations regarding the protection of PHI. These agreements should address issues such as the permissible uses and disclosures of PHI, safeguards for data security, breach notification requirements, and compliance with HIPAA’s Privacy Rule.

Who is Not Required to Follow HIPAA Regulations? 

Entities not required to follow HIPAA laws include:

Life Insurers

Since life insurers primarily deal with underwriting life insurance policies, they do not manage or maintain protected health information (PHI) as defined by HIPAA.


Employers, in their role as employers, are not covered by HIPAA regulations because they manage employee health information for employment-related purposes only, rather than for healthcare operations.

Workers’ Compensation Carriers

Workers’ compensation carriers are exempt from HIPAA because the health information they handle is typically related to work-related injuries or illnesses, which falls outside the scope of HIPAA’s regulations.

Most Schools and School Districts

Schools and school districts, except for those that run healthcare facilities or have specific health programs, are generally not subject to HIPAA as they primarily handle educational records and student information.

Many State Agencies

State agencies, such as child protective service agencies, often deal with sensitive information related to child welfare or social services, which are typically regulated under state-specific privacy laws rather than HIPAA.

Most Law Enforcement Agencies

Law enforcement agencies, while involved in protecting public safety, are generally exempt from HIPAA as they primarily focus on law enforcement activities rather than the provision of healthcare services.

Many Municipal Offices

Municipal offices that do not function as healthcare providers or healthcare clearinghouses are not subject to HIPAA regulations. They primarily manage administrative and governmental functions rather than healthcare-related activities.

What Information is Protected Under HIPAA? 

HIPAA protects a broad range of health information, primarily focusing on individually identifiable health information known as Protected Health Information (PHI). 

Under HIPAA, PHI is subject to strict privacy and security safeguards, and covered entities must obtain individual consent or authorization before using or disclosing PHI, except in certain permitted circumstances. HIPAA also allows the use and disclosure of de-identified health information, which is health information that does not identify an individual and has undergone a process to remove specific identifiers.

De-identified health information is not subject to HIPAA’s privacy and security requirements because it does not contain identifiable information that could be used to link it back to an individual. However, covered entities must follow specific guidelines and methods outlined by HIPAA to ensure that information is properly de-identified and cannot be re-identified.

Overall, HIPAA provides protection and safeguards for a wide range of health information, with a specific focus on safeguarding individually identifiable health information (PHI) and allowing for the use and disclosure of de-identified health information under certain circumstances.

When Can PHI Be Disclosed? 

Under HIPAA, Protected Health Information (PHI) can be disclosed in a variety of situations, including:

General Principle for Uses and Disclosure

PHI can be disclosed for treatment, payment, and healthcare operations without explicit authorization, following the general principle that PHI should be used or disclosed based on the minimum necessary information needed to accomplish the intended purpose.

Permitted Uses and Disclosures

PHI can be shared without individual authorization for activities such as public health activities, healthcare oversight, research (with privacy safeguards), law enforcement purposes, and when required by law, including reporting certain diseases and vital events.

Authorized Uses and Disclosures

PHI can be disclosed based on the individual’s written authorization, allowing specific uses and disclosures beyond what is permitted without authorization, such as sharing PHI for marketing purposes or with third-party organizations.

PHI Uses and Disclosures Limited to the Minimum Necessary

Covered entities are required to make reasonable efforts to limit PHI uses and disclosures to the minimum necessary to accomplish the intended purpose. This means sharing only the information necessary for the specific situation, whether it is for treatment, payment, healthcare operations, or other permitted purposes.

Notice and Individual Rights

Covered entities must provide individuals with a Notice of Privacy Practices, explaining how their PHI may be used and disclosing their rights regarding their health information. Individuals have rights such as accessing their PHI, requesting amendments, and requesting restrictions on certain uses or disclosures. 

Privacy Practices Notice

Covered entities must respect these rights and enable individuals to exercise them. 

Notice distribution

Covered entities must make efforts to distribute the Notice of Privacy Practices to individuals, including posting it prominently in their facilities and providing a copy to individuals upon request. They should also make reasonable attempts to obtain written acknowledgment of receipt.

Acknowledgment of Notice Receipt

Covered entities should document individuals’ acknowledgment of receiving the Notice of Privacy Practices. This acknowledgment can be obtained through various means, such as a signed form or electronic confirmation, ensuring that individuals have been made aware of their rights and the entity’s privacy practices.


Individuals have the right to access their PHI and obtain copies of their health records upon request, with certain exceptions and reasonable fees.


Individuals can request amendments or corrections to their PHI if they believe it is incomplete, inaccurate, or requires updating.

Disclosure Accounting

Covered entities must provide individuals with an accounting of certain disclosures of their PHI, upon request, excluding disclosures for treatment, payment, healthcare operations, and other exceptions.

Restriction Request

Individuals have the right to request restrictions on the use or disclosure of their PHI, although covered entities are not required to agree to all requested restrictions.

Confidential Communications Requirement

Covered entities must accommodate reasonable requests from individuals to receive communications of their PHI through alternative means or at alternative locations to protect privacy.

Administrative Requirements

Covered entities must establish and implement privacy policies and procedures to ensure compliance with HIPAA’s Privacy Rule, including designating a Privacy Officer responsible for overseeing privacy practices.

Privacy Personnel

Covered entities should have designated privacy personnel responsible for developing and implementing privacy policies, handling privacy inquiries, and ensuring compliance.

Workforce Training and Management

Covered entities must provide training to their workforce members regarding privacy policies, procedures, and the protection of PHI. They should also have mechanisms in place to manage workforce members’ compliance with privacy practices.


Covered entities must take reasonable steps to mitigate any harmful effects resulting from the use or disclosure of PHI in violation of the Privacy Rule.

Data Safeguards

Covered entities are required to implement reasonable safeguards to protect PHI from unauthorized access, disclosure, or use.


Covered entities must have a process in place for individuals to file complaints regarding privacy practices, and they must not retaliate against individuals who exercise their privacy rights.

Retaliation and Waiver

Covered entities cannot retaliate against individuals for exercising their privacy rights, and individuals cannot be required to waive their rights as a condition for receiving treatment or benefits.

Documentation and Record Retention

Covered entities must retain documentation related to their privacy practices and policies for at least six years.

Fully Insured Group Health Plan Exception

The Privacy Rule does not apply directly to fully insured group health plans, although the plans must follow other federal and state laws governing the privacy of health information.

These various requirements and provisions ensure that covered entities adhere to privacy practices, protect individuals’ rights, and keep the security and confidentiality of PHI.

How is PHI Protected?

PHI is protected through various measures to safeguard its confidentiality, integrity, and security:

  1. Safeguards – Safeguards can include physical, technical, and administrative measures such as secure storage, encryption, access controls, and firewalls.
  1. Minimum Necessary – This means that only the information needed for a particular task or situation should be accessed or shared.
  1. Access and Authorization Controls – Covered entities must have procedures in place to control and limit who can view and access PHI. This includes implementing access controls, user authentication, and authorization processes to ensure that only authorized individuals can access and handle PHI.
  1. Employee Training – Training ensures that employees understand their responsibilities, know how to handle PHI securely, and are aware of potential risks and safeguards.
  1. Business Associates – Business associates, who handle PHI on behalf of covered entities, are also obligated to implement safeguards to protect PHI and comply with HIPAA regulations. This ensures that third-party entities involved in healthcare operations support the same level of privacy and security standards when handling PHI.

Get HIPAA Compliant With Our Checklist

By implementing the above-mentioned HIPAA safeguards, limiting the use and disclosure of PHI, and supplying employee training, covered entities and their business associates can work together to protect the privacy and security of individuals’ health information, and prevent improper use or disclosure. Want more tips to stay compliant? Check out our HIPAA Compliance Checklist.