The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law adopted in 1996 that requires Covered Entities (doctors, hospitals, insurance companies, etc.) and Business Associates (covered entities’ vendors) to implement administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of Protected Health Information (PHI). The regulation also established breach notification requirements and penalties for non-compliance.
HIPAA consists of a Privacy Rule and a Security Rule. The Privacy Rule establishes requirements around permitted uses and disclosures of PHI, and the Security Rule outlines the safeguards required to protect PHI.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was adopted and further strengthened HIPAA by introducing steeper fines for non-compliance and stricter Breach Notification requirements. HITECH also made Business Associates directly responsible for complying with the regulation.
In 2013, the HIPAA Omnibus Final Rule was adopted. This regulation combined HIPAA and HITECH, placed further restrictions on the sale of PHI, and expanded patients’ rights to access their data.