
Health Insurance Portability and Accountability Act - HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that governs what information is protected and how protected health information can be used and disclosed.

Purpose and Background:

HIPAA was enacted in 1996 with several key objectives:

  • Enable workers to carry forward healthcare insurance between jobs.
  • Prohibit discrimination against beneficiaries with pre-existing health conditions.
  • Guarantee coverage renewability in multi-employer health insurance plans.

Privacy Rule:

  • The Privacy Rule establishes national standards for the protection of certain health information.
  • It applies to covered entities, such as healthcare providers, health plans, and healthcare clearinghouses.

Key elements include:

  • Defining protected health information (PHI) and how it can be used and disclosed.
  • Balancing privacy with the flow of health information needed for quality care and public health.
  • Enforcing compliance through the Office for Civil Rights (OCR).

Security Rule:

  • The Security Rule focuses on safeguarding electronic protected health information (ePHI).
  • It outlines measures to protect the integrity, confidentiality, and availability of ePHI held or transmitted by covered entities.

Overall Impact:

  • HIPAA ensures the confidentiality, integrity, and availability of patient health information.
  • It plays a crucial role in maintaining privacy while allowing necessary information flow for healthcare and public health purposes.


View the full text of the law


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the use and disclosure of an individual’s protected health information. Protected health information is defined under the HIPAA Privacy Rule as individually identifiable health information that relates to the past, present, or future physical or mental health or condition of an individual and that either identifies or potentially identifies an individual. Education records as defined under FERPA are excluded from the Privacy Rule.