Glossary term
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a federal law that sets privacy, security, breach notification, and electronic transaction standards for certain health information held by covered entities and their business associates, along with rules on health coverage portability.
What Is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a federal law best known for health information privacy and security rules, but it also includes administrative simplification and health coverage portability provisions.
For consumers, HIPAA most often shows up when medical records, health plan information, billing data, or claims information are used or shared. It governs covered entities such as health plans, many health care providers, and health care clearinghouses, as well as certain business associates that handle protected health information for them.
Key Takeaways
- HIPAA is not spelled HIPPA.
- HIPAA protects certain health information held by covered entities and business associates.
- It does not apply to every app, employer, website, or person that learns health information.
- HIPAA gives patients certain rights to access their health records, request corrections to them, and receive an accounting of certain disclosures of them.
- HIPAA also includes rules for electronic health transactions, identifiers, security, and breach notification.
Where HIPAA Applies
HIPAA applies based on who holds the information and why. A hospital, doctor's office, health insurer, or claims clearinghouse may be a covered entity. A billing vendor, cloud service, consultant, or administrator may be a business associate if it handles protected health information for a covered entity.
| Entity or situation | Typical HIPAA relevance | Consumer takeaway |
|---|---|---|
| Health plan | Covered entity that handles claims, enrollment, and payment information. | HIPAA rights often apply to plan records and communications. |
| Health care provider | Covered when it conducts standard electronic transactions. | Medical record access, privacy notices, and disclosure limits may apply. |
| Business associate | May need HIPAA safeguards when serving a covered entity. | Vendors can have HIPAA duties when handling protected information for covered entities. |
| Employer as employer | Usually not a covered entity just because it sponsors a health plan. | Employment files are not automatically HIPAA records. |
| Consumer health app | May fall outside HIPAA if it is not acting for a covered entity or business associate. | App privacy may depend on other laws or the app's own policies. |
Privacy, Security, and Breach Rules
HIPAA's Privacy Rule governs how protected health information may be used and disclosed. The Security Rule requires administrative, physical, and technical safeguards for electronic protected health information. The Breach Notification Rule requires notice to affected individuals, to the Department of Health and Human Services, and in some cases to the media after certain breaches of unsecured protected health information. "Unsecured" here means information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method HHS has specified, such as encryption that follows its guidance, so a lost device holding properly encrypted records may not trigger a notification duty while one holding plaintext records generally does.
These rules matter financially because health information is tied to claims, billing, appeals, coverage decisions, medical identity risk, and access to care. A billing dispute, denied claim, or duplicate medical account can be harder to resolve if the consumer does not know where records are held or who is responsible for protecting them.
What HIPAA Does Not Cover
HIPAA is narrower than many people assume. It generally does not cover every wellness app, wearable device, school record, life insurer, employer conversation, or family member who learns health information outside a covered entity relationship. Other federal or state privacy laws may apply, but HIPAA is not a blanket rule for every health-related fact.
That distinction matters when sharing sensitive information with apps, employers, insurers, or online services. A health plan portal and a direct-to-consumer wellness app may handle similar information under very different privacy frameworks.
The Bottom Line
HIPAA is a health privacy and health system rules framework, not a universal privacy shield. It protects certain information in covered settings, gives consumers important record-access rights, and shapes how health plans, providers, and vendors handle sensitive data.