HIPAA

Also known as: Health Insurance Portability and Accountability Act · 45 CFR Parts 160 & 164
US law protecting PHI; Privacy, Security, and Breach Notification Rules apply to covered entities and business associates.

HIPAA is the US Health Insurance Portability and Accountability Act, implemented through 45 CFR Parts 160 & 164. It comprises the Privacy Rule (use/disclosure of PHI), the Security Rule (administrative, physical, technical safeguards for ePHI), and the Breach Notification Rule (notice to individuals, HHS, and media within 60 days).

Why it matters
Any vendor touching protected health information (PHI) needs a signed Business Associate Agreement (BAA) and demonstrable Security Rule safeguards — otherwise hospitals and payers cannot legally engage them.
Example
Anthem's $16M OCR settlement (2018) followed a breach exposing 79M records — at the time the largest HIPAA penalty.

Related terms

PHI (Protected Health Information)
Individually identifiable health information held or transmitted by a HIPAA covered entity or business associate.
BAA (Business Associate Agreement)
HIPAA contract between a covered entity and a business associate handling PHI; mandatory under 45 CFR §164.504(e).
ePHI
PHI in electronic form — the scope of the HIPAA Security Rule (45 CFR §164.302–318).
Minimum Necessary Standard
HIPAA principle (45 CFR §164.502(b)) requiring use/disclosure of only the minimum PHI needed for the purpose.
Breach Notification
Legal duty to notify regulators and affected individuals after a security incident affecting personal data.