HIPAA (Health Insurance Portability and Accountability Act)

Definition

A U.S. federal law enacted in 1996 that establishes national standards for protecting the privacy and security of health information. HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. The Privacy Rule sets standards for the use and disclosure of protected health information (PHI), requiring patient authorization for most uses beyond treatment, payment, and healthcare operations. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI. The Breach Notification Rule requires notification when PHI is breached. HIPAA gives patients the right to access their health records, request corrections, receive an accounting of disclosures, and request restrictions. The law permits but does not require many common uses of health data, leaving covered entities to implement appropriate policies. HIPAA violations can result in civil and criminal penalties. Many health-related organizations are not HIPAA-covered but should still protect health data appropriately.

Applicable Laws & Regulations

  1. HIPAA 42 U.S.C. §1320d - Statutory provisions
  2. HIPAA Privacy Rule 45 CFR Part 160 and Part 164 Subparts A and E
  3. HIPAA Security Rule 45 CFR Part 164 Subpart C
