What is the Role of HIPAA in Healthcare Organizations?

HIPAA sets the legal and operational requirements that healthcare organizations follow to protect protected health information (PHI): it standardizes permitted uses and disclosures, requires security safeguards for electronic PHI (ePHI), requires notification of affected parties when unsecured PHI is breached, and requires organizations to demonstrate compliance through policies, training, documentation, and accountability structures. HIPAA applies to HIPAA Covered Entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and to Business Associates that create, receive, maintain, or transmit PHI on a Covered Entity's behalf, including subcontractors of Business Associates.

The HIPAA Privacy Rule establishes the baseline rules for when PHI may be used or disclosed without an individual's authorization, including for treatment, payment, and health care operations, and it requires a valid authorization for other uses and disclosures unless a specific exception applies. The Privacy Rule also establishes individual rights, including the right to access and obtain a copy of PHI, to request amendment, to request restrictions on certain uses and disclosures, to request confidential communications, and to receive an accounting of disclosures in the situations where one is required. Operationally, organizations implement privacy governance through role-based access decisions, disclosure management workflows, minimum necessary controls where the standard applies (it does not apply to disclosures for treatment or to the individual), a Notice of Privacy Practices, and workforce training.

The HIPAA Security Rule drives the design and operation of security programs for systems that store, process, or transmit ePHI. Organizations perform an accurate and thorough risk analysis and ongoing risk management, implement administrative safeguards such as a security management process, workforce security, security awareness training, and contingency planning, apply physical safeguards for facilities, workstations, and devices and media, and deploy technical safeguards such as access controls, audit controls, person or entity authentication, integrity protections, and transmission security. Implementation specifications marked "addressable" are not optional: an organization must either implement them or document why they are not reasonable and appropriate and what equivalent alternative measure it implemented instead. Security program documentation and evidence support audits, investigations, internal oversight, and contractual assurance to partners and payers.

The HIPAA Breach Notification Rule defines when an incident involving unsecured PHI requires notification of affected individuals and the Department of Health and Human Services and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets. PHI counts as "unsecured" when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance, which is why properly encrypted devices and data are a key risk-reduction control. Individual notifications must be made without unreasonable delay and no later than 60 calendar days after discovery of the breach, and a Business Associate must notify the Covered Entity of breaches it discovers. Business associate agreements define the required protections and reporting duties for vendors and other partners that handle PHI. Enforcement by the HHS Office for Civil Rights links these requirements to investigations, corrective action plans, monitoring, and civil money penalties when HIPAA Covered Entities or Business Associates fail to meet regulatory standards.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA