What Is HIPAA? A Guide for Healthcare Teams

Practical guidance for healthcare teams and business associates

What Is HIPAA? What Healthcare Organizations and Vendors Need to Know

HIPAA is a federal law. It sets national standards for protecting certain health information. It is also known for standardizing parts of healthcare administration.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.

The law addresses health insurance portability and administrative simplification, but most people today use "HIPAA" to mean its privacy, security, and breach notification rules, which govern protected health information, or PHI. If your organization provides healthcare, you are a Covered Entity under the rule. The same applies to organizations that pay for care, process claims, or handle PHI on behalf of another entity. HIPAA attaches to the role you play, not to the kind of organization you are.

For a detailed look at what compliance actually costs by practice size, see our HIPAA compliance cost breakdown for 2026.

What HIPAA Actually Does

At a practical level, HIPAA does four things that matter to most organizations:

  • Sets rules for when PHI can be used or disclosed
  • Requires safeguards for electronic protected health information, or ePHI
  • Gives patients important rights over their health information
  • Creates breach notification obligations when unsecured PHI is exposed

For most readers, the key point is simple: HIPAA is not an abstract privacy law. It affects how health information is collected, accessed, shared, secured, documented, and reported.

Who HIPAA Applies To

HIPAA applies to covered entities and business associates.

Covered Entities

Covered entities generally include:

  • Health plans
  • Healthcare clearinghouses
  • Healthcare providers that conduct certain standard electronic transactions, such as electronic billing

Business Associates

Business associates are third parties hired to perform a specific function on behalf of a covered entity. Performing that function typically requires disclosing PHI (Protected Health Information) to them, and that disclosure is usually the very reason the BA was hired. The disclosure is permissible as long as the proper agreements and safeguards are in place.

Common examples include:

  • Managed IT providers
  • Cloud hosting vendors
  • Billing companies
  • EHR support firms
  • Consultants handling PHI
  • Document storage vendors
  • Certain legal, analytics, and software providers

A Business Associate Agreement (BAA) must be in place before PHI gets disclosed to a BA.

Who HIPAA Does Not Automatically Apply To

HIPAA doesn't apply to every employer, wellness app, or company that touches PHI. Whether HIPAA applies depends on the role the organization plays: what matters is whether the information is being handled inside a covered-entity or business-associate relationship. That distinction matters because when people ask "Is this a HIPAA issue?" the real answer may involve employment law, platform terms, or another regulatory framework instead.

What PHI Means

PHI means Protected Health Information. It is health information combined with identifiers that can link it to a specific individual. Examples include:

  • Medical records
  • Diagnoses
  • Lab results
  • Treatment information
  • Insurance and billing records
  • Patient names tied to health details
  • Dates of birth
  • Addresses
  • Phone numbers
  • Other identifiers linked to health information

When that information exists in electronic form, it is often referred to as ePHI.

If you want the full breakdown, read our guide on Protected Health Information (PHI).

The Three HIPAA Rules Most Organizations Deal With

1. HIPAA Privacy Rule

The Privacy Rule governs how PHI gets used or disclosed. It also gives individuals rights over their information. Individuals have the right to access records and request amendments in certain situations.

2. HIPAA Security Rule

The Security Rule applies to ePHI and requires administrative, physical, and technical safeguards. In practice, that means access controls, regular documented risk analyses, decisions about encryption and device protection, workforce training, and written security procedures that are kept current. For deeper operational guidance, see:

3. HIPAA Breach Notification Rule

The Breach Notification Rule requires organizations to assess incidents involving unsecured PHI. When an incident qualifies as reportable, you must notify affected individuals, and in some cases regulators and the media. That process is more nuanced than "any exposure equals a reportable breach." The analysis depends on factors such as the nature of the data and who received it; often the hard part is determining whether the PHI was actually acquired or viewed. You must also document how the incident was mitigated.

What HIPAA Compliance Means In Reality

"HIPAA compliant" is often used loosely. Compliance is not a one-time badge, a software feature, or a signed template sitting in a folder. Real HIPAA compliance usually means your organization can show that it has:

  • Assigned privacy and security responsibility
  • Performed and documented a risk analysis
  • Implemented written policies and procedures
  • Trained workforce members
  • Managed vendor relationships and BAAs
  • Applied reasonable administrative, physical, and technical safeguards
  • Documented incidents, decisions, and remediation steps
  • Reviewed and updated the program over time

If you run a smaller organization, our HIPAA compliance checklist for small practices is your next step.

Common HIPAA Misunderstandings

"HIPAA means I can never share patient information."

Not exactly. HIPAA allows many uses and disclosures for treatment, payment, and healthcare operations, along with other specifically permitted or required disclosures. The issue is whether a given disclosure is permissible, necessary, and handled properly.

"If we use encrypted systems, we are HIPAA compliant."

No. Encryption helps, and its importance is hard to overstate, but it does not replace the rest of HIPAA's requirements, such as:

  • Risk analyses
  • Training
  • Access controls
  • Policies
  • Vendor management
  • Breach response

"Only hospitals need to worry about HIPAA."

No. HIPAA applies to:

  • Small practices
  • Specialty clinics
  • Dental offices
  • Telehealth providers
  • MSOs
  • Other vendors handling PHI

"HIPAA only matters after a breach."

Also no. Enforcement by OCR (the HHS Office for Civil Rights) focuses on missing fundamentals: risk analysis, access controls, documentation, and training.

For examples of where organizations get into trouble, see common HIPAA violations and how to avoid them.

Patient Rights Under HIPAA

HIPAA gives individuals important rights, including rights related to:

  • Accessing their records
  • Requesting amendments
  • Receiving a notice of privacy practices
  • Requesting restrictions in some circumstances
  • Asking for confidential communications
  • Receiving an accounting of certain disclosures

These rights are a major reason HIPAA is not just a security rule. It is also a patient rights framework.

What Healthcare Organizations Should Do First

If you are trying to move from confusion to action, start here:

  1. Determine whether you are a covered entity or business associate.
  2. Identify where PHI and ePHI enter, move through, and leave your organization.
  3. Run a documented risk analysis.
  4. Review your policies, training, and access controls.
  5. Confirm which vendors require BAAs.
  6. Build an incident response and breach review process.
  7. Assign clear ownership for privacy and security.

If your team does not have a dedicated lead, our HIPAA compliance officer guide explains what that role should cover.

Frequently Asked Questions

What does HIPAA stand for?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.

Who complies with HIPAA?

HIPAA applies to covered entities and business associates.

Covered entities include:

  • Health plans
  • Healthcare clearinghouses
  • Healthcare providers that conduct certain standard electronic transactions

Business associates are vendors and service providers that handle protected health information on behalf of those covered entities.

What is PHI under HIPAA?

PHI means protected health information. It is individually identifiable health information held or transmitted by a covered entity or business associate.

Examples include:

  • Medical records
  • Billing records
  • Diagnoses
  • Lab results
  • Patient identifiers tied to health information

What is the difference between PHI and ePHI?

PHI is protected health information in any form. ePHI is protected health information in electronic form.

Does HIPAA apply to employers?

Not automatically. HIPAA usually does not apply to employers in their role as employers. Whether HIPAA applies depends on whether an organization is a covered entity or business associate, and on how it interacts with and handles PHI.

Does HIPAA apply to software vendors?

Sometimes. A software vendor is a BA when creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity or another business associate.

What are the main HIPAA rules?

The three rules most organizations deal with:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Breach Notification Rule

What should a small practice do first for HIPAA compliance?

Start by determining whether you are a covered entity or business associate. Then identify where PHI enters and moves through your systems. After that, be sure to book your free demo with Chuck. He'll walk you through the rest of what you need to do.

Bottom Line

HIPAA is federal law. It protects certain health information in the United States.

For healthcare organizations and vendors, the important question is not "What is HIPAA?" It is "How does HIPAA apply to the way we actually handle PHI every day?"

HIPAA by Practice Type

Every practice handles PHI differently. See our specialty guides for dental offices, therapists and counselors, pharmacies, and medical practices.