What Is the HIPAA Law and Privacy Rule?

The HIPAA Law and Privacy Rule Explained


The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the HIPAA Privacy Rule issued under it by the U.S. Department of Health and Human Services (HHS) set the standard for protecting sensitive patient data. They do this by creating standards for the electronic exchange, privacy, and security of patient medical information held by those in the health care field.

If you wonder what your doctor is doing to protect your private information, it helps to know about the HIPAA Law and Privacy Rule. Here's how to know who you can trust with your personal data and what HIPAA means for you.

What Is the HIPAA Law and Privacy Rule?

The HIPAA Law and Privacy Rule was designed to protect patient confidentiality. It allows for medically necessary data to be shared but still respects your right to privacy.

Most health care providers and health insurers are required to comply with the privacy rules of the HIPAA law. This means protecting any protected health information (PHI), the HIPAA term for individually identifiable health information that these organizations hold or transmit.

How the HIPAA Law and Privacy Rule Works

HIPAA was enacted in 1996, and the Privacy Rule and Security Rule that protect your health care data were issued under it in the years that followed. As technology has changed and information has become easier to access, the original law has been expanded several times, notably by the HITECH Act of 2009 and the 2013 Omnibus Rule. All of these regulations have been put in place to help keep your private details secure.

With so much information changing hands between doctors, health insurers, and other parties in the field of health care, the HIPAA law is also focused on making things simple. Its "administrative simplification" provisions standardize electronic health care transactions and require that the data in them be kept secure. The law also aims to reduce health care fraud and improve data systems.

Here's one example of the HIPAA law in action: When a patient visits the doctor, they are usually asked to sign a privacy form, which acknowledges receipt of the practice's HIPAA Notice of Privacy Practices. The notice explains how the practice may use and share the patient's health information (for treatment, payment, and routine operations this does not require a separate authorization), which other uses do require the patient's written authorization, and what rights the patient has over their records. It also explains that the doctor may discuss the patient's care with a spouse or other close family member involved in that care unless the patient objects.


HIPAA isn't the only law that protects patient confidentiality and health records. As a federal law, HIPAA is the baseline standard. Each state may add to it with its own standards.

What Are the Four Rules of HIPAA?

Under the HIPAA law, there are four main rules that health care providers and other covered entities must follow:

  • HIPAA Privacy Rule: Sets limits on how protected health information (PHI) in any form (paper, electronic, or spoken) may be used and disclosed, and gives patients rights over their records
  • HIPAA Security Rule: Requires administrative, physical, and technical safeguards for PHI that is stored or transmitted electronically (ePHI)
  • HIPAA Enforcement Rule: Sets out how HHS investigates complaints, conducts hearings, and imposes civil money penalties
  • HIPAA Breach Notification Rule: Requires covered entities to notify affected individuals and HHS, and in larger breaches the media, when unsecured PHI has been breached

What Is the Purpose of the HIPAA Security Rule?

The HIPAA Security Rule explains how health care providers and other covered entities must keep your electronic health data secure. It sets standards in three areas: administrative safeguards (risk analysis, workforce training, access policies), physical safeguards (facility and device controls), and technical safeguards (access controls, audit logs, integrity checks, and encryption of data in transit). Together these safeguards are meant to keep your data confidential, accurate, and available.

What Is Protected Health Information (PHI)?

Protected Health Information, or PHI, is any individually identifiable health information that a covered entity or its business associate creates, receives, stores, or transmits, in any form: electronic, paper, or spoken.

Individually identifiable health information is health data that identifies the patient, or that could reasonably be used to identify them. It includes identifiers such as name, address, dates (birth, admission, discharge), phone number, email, Social Security number, medical record number, and photographs, combined with any data about the patient's physical or mental health, the health care they have received, or payment for that care. Under the HIPAA Privacy Rule, this data is protected.

What Is De-Identified Health Information?

De-identified health information is data from which the identifying details have been removed so that it cannot reasonably be tied back to a single person. The Privacy Rule recognizes two ways to get there: the "safe harbor" method, which removes 18 specific identifiers (names, street-level addresses, dates other than the year, phone numbers, Social Security numbers, record numbers, and so on), and the "expert determination" method, in which a qualified expert documents that the risk of re-identification is very small. Once data is de-identified by either method, the Privacy Rule no longer restricts its use or disclosure. The risk is low rather than zero, though: stripped records can sometimes be re-identified by linking them with other data sets, which is why the safe harbor method also requires that the organization has no actual knowledge that the remaining data could identify someone.
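The safe harbor transformation described above, as an added worked example that is not part of the original article or of any HHS tooling: it drops the direct identifiers, reduces dates to the year, caps ages at 90+, generalizes ZIP codes to three digits, and redacts common identifier patterns from free text. The field names, the sample record, and the set of sparsely populated ZIP prefixes are all constructed for this example (the real set must be taken from current Census data).

```python
import re
from datetime import date

# Fields removed outright under the safe harbor method (45 CFR 164.514(b)(2)).
# These field names are assumed for this example; map them to your own schema.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Three-digit ZIP prefixes covering 20,000 people or fewer must be reported as "000".
# Placeholder set for this example; use the current Census-derived list in practice.
SMALL_ZIP3 = {"036", "059", "102"}

# Identifier patterns that commonly leak into free-text notes (constructed regexes).
NOTE_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for sparsely populated prefixes."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def generalize_age(dob: date, as_of: date) -> str:
    """Age is allowed, but every age over 89 collapses into one '90+' bucket."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Redact structured identifiers from free text.

    Regexes only catch structure (SSNs, phones, emails, dates). Names and other
    unstructured identifiers need a reviewer or NLP pass before the note counts
    as de-identified under safe harbor."""
    for pattern, label in NOTE_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a safe-harbor de-identified copy of a patient record.

    Direct identifiers are dropped; the date of birth becomes an age, other dates
    keep only the year, the ZIP code is cut to three digits, and free text is
    scrubbed. Clinical content such as the diagnosis is kept as-is."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if isinstance(value, date):
            if key == "dob":
                out["age"] = generalize_age(value, as_of)
            else:
                out[f"{key}_year"] = value.year
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record for this example; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001",
    "dob": date(1931, 3, 14),
    "zip": "10001",
    "admitted": date(2023, 6, 2),
    "diagnosis": "I10 essential hypertension",
    "note": "Pt phoned 212-555-0147 on 06/02/2023 re: refill; contact jane@example.org",
}
AS_OF = date(2024, 1, 1)

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
```

Run as a script, the sample record comes out with no name or record number, `age` of `90+`, `zip3` of `100`, `admitted_year` of 2023, and a note reading `Pt phoned [PHONE] on [DATE] re: refill; contact [EMAIL]`. The diagnosis is untouched, which is the point of de-identification: the clinical value survives, the linkability does not, provided the free-text scrub is backed by human review.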

Does HIPAA Apply to Everyone?

Health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions (billing, eligibility checks, and the like) are the "covered entities" that must abide by HIPAA. Vendors that handle PHI on their behalf, called "business associates," are bound by the rules as well. But there are also organizations that do not have to follow these rules, because they are not covered entities even though they may hold health-related data. Here are some examples:

  • Direct-to-consumer (DTC) genetic testing companies
  • Mobile apps used for health and fitness purposes
  • Alternative medicine practitioners
  • State agencies, such as child protective services
  • Law enforcement agencies
  • Life insurance companies
  • Schools
  • Your employer

How Do Providers Apply HIPAA?

Covered health care providers are required to safeguard PHI, and the steps they take tend to look alike. They may control access to offices that contain medical files by using key card systems. They limit employee access to the minimum amount of health care data needed to perform a task, which the Privacy Rule calls the "minimum necessary" standard. Many medical groups and insurers also use dedicated, encrypted services to secure electronic transactions with payers and other providers.

If you have concerns about what your doctor or health care group is doing to comply with the HIPAA law, ask them what steps they have taken to keep your data private.


If your health coverage comes from a small, self-administered employer plan (one with fewer than 50 participants that the employer runs itself), it falls outside HIPAA's definition of a health plan and may not have to comply with the HIPAA regulations. Check with them to see whether they comply anyway. If not, ask what steps they are taking on their own to ensure your privacy.

Are There Any Privacy Exceptions to the HIPAA Law?

HIPAA's privacy rules do provide some exceptions. In some cases, your doctor or insurer may share your information without your authorization. This might be the case, for instance, if a patient is incapacitated and a disclosure to family is in their best interest, when disclosure is needed to prevent a serious and imminent threat to health or safety, when disclosure is required by law, or for certain public health and law enforcement purposes.

Key Takeaways

  • The HIPAA Privacy Rule sets standards for how the health care industry must protect patient data.
  • Most providers that use, store, maintain, or transmit patient health care data must comply with HIPAA rules.
  • Protected health information (PHI), which is individually identifiable health information held by a covered entity, can be used for your treatment, payment, and routine health care operations, but most other uses and disclosures need your written authorization.
  • There are a few cases in which some health entities do not have to follow HIPAA law.