100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

HIPAA

BeginnerConcept8K learners

S. federal law that sets national standards for protecting sensitive patient health information from being disclosed without the patient's consent or knowledge.

Definition

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law that sets national standards for protecting sensitive patient health information from being disclosed without the patient's consent or knowledge.

Overview

Enacted in 1996, HIPAA applies to "covered entities" — healthcare providers, health plans, and healthcare clearinghouses — as well as their "business associates," which includes many technology vendors that handle Protected Health Information (PHI) on their behalf, such as cloud hosting providers or software platforms. Its Privacy Rule governs how PHI may be used and disclosed, while its Security Rule sets specific requirements for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards, including access controls, audit logging, and encryption at rest and encryption in transit. Organizations handling PHI must sign Business Associate Agreements (BAAs) with any vendor that processes that data on their behalf, and must have breach notification procedures for both patients and regulators when PHI is exposed. Violations can result in civil penalties ranging from thousands to over a million dollars per year for repeated violations, plus reputational damage, and in cases of willful neglect, potential criminal charges. Developers building healthcare software need to understand HIPAA's technical safeguards early in the design process, a consideration touched on in Cloud Security Fundamentals when working with regulated data.

Key Concepts

  • U.S. federal law protecting health information (PHI)
  • Applies to covered entities and their business associates (including tech vendors)
  • Privacy Rule governs use and disclosure of PHI
  • Security Rule mandates administrative, physical, and technical safeguards for ePHI
  • Requires Business Associate Agreements (BAAs) with third-party vendors
  • Breach notification obligations to patients and regulators

Use Cases

Healthcare providers protecting electronic medical records
Cloud vendors offering HIPAA-eligible services with signed BAAs
Health tech startups designing access controls and audit logs for PHI
Insurance companies securing patient billing and claims data
Telehealth platforms encrypting video and messaging data in transit

Frequently Asked Questions