HIPAA applies within the United States and to entities covered by the law.

It sets standards to ensure the privacy, security, and confidentiality of individuals' health information while allowing for appropriate and necessary uses and disclosures for healthcare purposes, payment activities, and other specified purposes.

HIPAA’s scope can be defined as follows:

Covered entities: HIPAA applies to certain entities that handle or transmit PHI. These entities are categorized as "covered entities" and include healthcare providers (such as doctors, hospitals, clinics, and pharmacies), health plans (such as insurance companies and government programs like Medicare and Medicaid), and healthcare clearinghouses (entities that process and convert healthcare transactions into standardized formats).

Business associates: In addition to covered entities, HIPAA also extends its requirements to "business associates." Business associates are individuals or organizations that perform certain functions or services on behalf of covered entities, and in doing so, have access to PHI. Examples of business associates can include billing companies, third-party administrators, software vendors, and certain contractors.

Protected health information (PHI): The scope of HIPAA revolves around the protection of PHI, which refers to individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate. PHI includes various data elements, such as patient names, addresses, Social Security numbers, medical records, and any information related to an individual's past, present, or future physical or mental health conditions, treatment, or payments.

The HIPAA privacy rule: HIPAA's Privacy Rule establishes standards for the use and disclosure of PHI by covered entities and their business associates. It outlines patients' rights regarding their health information, including the right to access and request amendments to their records, and requires covered entities to obtain patient consent or authorization for certain uses and disclosures of PHI.

To comply with the HIPAA Security Rule, all parties must:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information
  • Detect and safeguard against anticipated threats to the security of the information
  • Protect against anticipated impermissible uses or disclosures

The HIPAA security rule: HIPAA's Security Rule focuses on the safeguarding of electronic PHI (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect ePHI from unauthorized access, use, or disclosure. This includes measures like access controls, encryption, audit controls, and contingency plans for data breaches.

The HIPAA breach notification rule: HIPAA's Breach Notification Rule requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media, in the event of a breach of unsecured PHI. The rule specifies the timeline and content requirements for breach notifications.

For further information, see cdc.gov


Speak to an expert.