What Is HIPAA? A Plain-English Explanation (2026)
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
The Health Insurance Portability and Accountability Act (HIPAA), enacted by Congress in 1996 and significantly strengthened by the HITECH Act of 2009, is the primary federal law governing the privacy and security of protected health information (PHI) in the United States. Despite its name, HIPAA's most consequential provisions for most organizations are not about portability or insurance; they are the privacy and security regulations that HHS issued under the law's Administrative Simplification provisions.
For healthcare providers, health plans, and the technology companies that serve them, understanding what HIPAA requires is not optional. Civil money penalties are tiered by culpability, with an inflation-adjusted annual cap per identical provision that now exceeds $2 million, and knowing misuse of PHI can be referred to the Department of Justice for criminal prosecution under 42 U.S.C. § 1320d-6.
Who Does HIPAA Apply To?
HIPAA applies to two categories of organizations:
Covered Entities
Under 45 CFR § 160.103, a covered entity is any of the following:
- Healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, and the like), including hospitals, physician practices, dental offices, chiropractors, physical therapists, mental health counselors, and pharmacies
- Health plans: insurance companies, HMOs, Medicare and Medicaid programs, and employer-sponsored group health plans (a plan with fewer than 50 participants that the employer administers itself is excluded)
- Healthcare clearinghouses — entities that translate nonstandard health information into standard formats for billing
Business Associates
A business associate is any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity (or of another business associate) in order to perform a function or service for it. Following HITECH, business associates are directly liable under HIPAA's Security Rule and under the Privacy Rule provisions that apply to them, and a subcontractor that handles PHI for a business associate is itself a business associate. Common business associates include EHR vendors, medical billing companies, cloud storage and hosting providers, and IT support firms. See our dedicated guide on HIPAA business associates for a full breakdown.
What Are the Five HIPAA Rules?
HIPAA is not a single rule — it is a set of five related regulations:
| Rule | CFR Location | What It Governs |
|---|---|---|
| Privacy Rule | 45 CFR Part 164, Subpart E | Permitted uses and disclosures of PHI; patients' rights to access their records |
| Security Rule | 45 CFR Part 164, Subparts A & C | Administrative, physical, and technical safeguards for electronic PHI (ePHI) |
| Breach Notification Rule | 45 CFR Part 164, Subpart D | Notification requirements when unsecured PHI is breached |
| Enforcement Rule | 45 CFR Part 160, Subparts C–E | Civil money penalties; investigation procedures; OCR enforcement authority |
| Omnibus Rule | Amends all above (2013) | HITECH Act implementation; expands BA liability; strengthens breach definition |
What Is Protected Health Information (PHI)?
Protected health information is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits in any form (electronic, paper, or oral). The 18 categories of identifiers so often cited alongside PHI come from the Safe Harbor de-identification method at 45 CFR § 164.514(b)(2): health information from which all 18 have been removed, where the entity has no actual knowledge that what remains could identify the individual, is no longer PHI and falls outside the rules. The list includes names, all elements of dates other than year, geographic subdivisions smaller than a state (with a narrow exception for the first three digits of a ZIP code), phone numbers, email addresses, Social Security numbers, medical record numbers, biometric identifiers, and any other unique identifying number, characteristic, or code. See our full guide on PHI and the 18 identifiers.
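To make the 18-identifier list concrete, here is an added Python example of the Safe Harbor method applied to a single patient record. It is not code from the article or its publisher; the record field names and the sample patients are constructed for illustration, and the list of sparsely populated 3-digit ZIP areas is the commonly cited 2000 Census list, which must be verified against current Census data before use. Unclassified fields are dropped rather than passed through, because the eighteenth category is "any other unique identifying number, characteristic, or code".

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of a flat patient record.

Added example; not code from the article or its publisher. Assumptions:
the record field names are hypothetical, and RESTRICTED_ZIP3 is the commonly
cited 2000 Census list of 3-digit ZIP areas under 20,000 residents, which
must be checked against current Census data before use.
"""
import re
from datetime import date

# Direct identifiers (names, contact details, record and device numbers): removed outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}
# Geographic subdivisions smaller than a state: removed (ZIP is handled separately).
SMALL_GEOGRAPHY = {"street", "city", "county", "precinct"}
# Dates directly related to the individual: reduced to the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Fields known to carry no identifier; anything else is dropped (fail closed).
KEEP_AS_IS = {"state", "sex", "diagnosis_code", "procedure_code"}
# 3-digit ZIP areas with fewer than 20,000 residents (assumed list, see docstring).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790",
    "821", "823", "830", "831", "878", "879", "884", "890", "893",
}
# Reference date for age calculations in the samples below (assumed).
AS_OF = date(2026, 4, 24)


def parse_date(value):
    """Accept a date or an ISO yyyy-mm-dd string; reject anything else."""
    if isinstance(value, date):
        return value
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", str(value))
    if not m:
        raise ValueError(f"unrecognized date: {value!r}")
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 if that area is too sparsely populated."""
    digits = re.sub(r"\D", "", str(zip_code or ""))
    if len(digits) < 3:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def deidentify(record, as_of):
    """Return a Safe Harbor de-identified copy of record, evaluated as of as_of.

    Ages over 89, and any date element that would reveal such an age, are
    aggregated into a single "90+" category as the rule requires.
    """
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    if "dob" in record:
        over_89 = over_89 or age_on(parse_date(record["dob"]), as_of) > 89

    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SMALL_GEOGRAPHY:
            continue
        if key in DATE_FIELDS:
            if key == "dob" and over_89:
                continue  # a birth year alone reveals an age over 89
            out[key + "_year"] = parse_date(value).year
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in KEEP_AS_IS:
            out[key] = value
        # any other field is an unclassified potential identifier and is dropped
    if "age" in record:
        out["age"] = "90+" if over_89 else record["age"]
    return out


# Constructed sample records (fictional patients); not real data.
SAMPLE_OVER_89 = {
    "name": "Jane Doe", "mrn": "MRN-0042", "email": "jane.doe@example.com",
    "dob": "1931-02-14", "admission_date": "2026-03-02",
    "street": "1 Main St", "city": "Keene", "zip": "03601", "state": "NH",
    "diagnosis_code": "E11.9", "wristband_barcode": "WB-88213",
}
SAMPLE_UNDER_89 = {
    "name": "John Roe", "dob": "1980-06-01", "age": 45, "zip": "02139-4307",
    "state": "MA", "diagnosis_code": "J45.909",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_OVER_89, AS_OF))
    print(deidentify(SAMPLE_UNDER_89, AS_OF))
```

Note the two edge cases the first sample exercises: the patient's birth year is dropped entirely (not just reduced to a year) because it would reveal an age over 89, and ZIP 03601 collapses to 000 because the 036 area falls under the population threshold. Safe Harbor is only one of the two de-identification methods in § 164.514(b); the other, Expert Determination, is a statistical judgment and is not something a script can certify.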
What Does HIPAA Actually Require?
The practical requirements of HIPAA fall into several areas:
Privacy Rule — what you can and cannot do with PHI
The Privacy Rule (45 CFR §§ 164.500–164.534) limits when and how covered entities may use or disclose PHI. In general, a covered entity may only use or disclose PHI: (1) for treatment, payment, or healthcare operations; (2) to the individual; (3) with a valid written authorization; or (4) under one of the specific permitted disclosures listed in § 164.512 (public health, law enforcement, required by law, etc.).
The Privacy Rule also grants patients affirmative rights: the right to access and obtain copies of their health records (§ 164.524), the right to request amendments (§ 164.526), the right to an accounting of disclosures (§ 164.528), and the right to receive a Notice of Privacy Practices (§ 164.520). The NPP is a patient-facing document that covered entities are required to provide, and its content must be kept current with HHS's required elements; the most recent revisions to required NPP content carried a February 2026 compliance date.
Security Rule — safeguards for electronic PHI
The Security Rule (45 CFR §§ 164.302–164.318) applies only to electronic PHI (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards, and it is deliberately technology-neutral: each standard carries "required" and "addressable" implementation specifications rather than mandated products. Addressable does not mean optional. An entity must implement an addressable specification if doing so is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure where one is reasonable (§ 164.306(d)). The foundation for every one of those decisions is the required risk analysis at § 164.308(a)(1)(ii)(A): a documented, accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the organization holds, followed by risk management that reduces those risks to a reasonable and appropriate level (§ 164.308(a)(1)(ii)(B)). A missing or stale risk analysis is a recurring finding in OCR enforcement actions. For a walkthrough, see our guide on HIPAA risk assessments.
Breach Notification Rule — what to do when things go wrong
Under 45 CFR §§ 164.400–164.414, when unsecured PHI (PHI that has not been encrypted or destroyed in accordance with HHS guidance) is breached, a covered entity must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, notify HHS (at the same time for breaches affecting 500 or more individuals, otherwise in an annual submission within 60 days after the end of the calendar year), and, for breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets. The 60 days are a ceiling, not a target. Business associates must notify the covered entity no later than 60 days after discovering a breach, and a breach counts as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent. The definition of "breach" is presumptive: an impermissible acquisition, access, use, or disclosure of PHI is a breach unless the entity demonstrates a low probability that the PHI was compromised, based on a documented risk assessment of at least four factors: the nature and extent of the PHI involved, the unauthorized person who used it or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
Business Associate Agreements — mandatory vendor contracts
Any covered entity that discloses PHI to a business associate must have a written Business Associate Agreement (BAA) in place before the disclosure begins. The BAA must contain the provisions required by 45 CFR § 164.504(e) (and, for ePHI, § 164.314(a)), including permitted uses and disclosures, safeguard obligations, reporting of breaches and security incidents, flow-down of the same terms to any subcontractor, and return or destruction of PHI at termination. Operating without a required BAA is an independent HIPAA violation regardless of whether a breach occurs.
How HITECH Changed HIPAA
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and the Omnibus Rule of 2013 that implemented it, made three major changes: they extended direct HIPAA liability to business associates (previously business associates were bound only contractually, through their BAAs); they raised the civil penalty tiers and annual caps substantially and introduced the four-tier culpability structure, from "did not know" up to uncorrected willful neglect; and they replaced the "significant risk of harm" test of the 2009 interim breach notification rule with the stricter presumption that any impermissible use or disclosure is a breach unless a low probability of compromise is demonstrated. See our guide on the HITECH Act for a full explanation.
HIPAA and State Law
HIPAA preempts contrary state law, except where the state law is more stringent, meaning it gives individuals greater privacy protection or greater rights over their information (45 CFR § 160.203). Many states have enacted health privacy statutes that exceed HIPAA in specific areas: California's Confidentiality of Medical Information Act (CMIA), the Washington My Health My Data Act (which also reaches consumer health data that HIPAA does not cover), and Texas Health & Safety Code Chapter 181 (the Texas Medical Records Privacy Act) are prominent examples. If your organization operates across multiple states, you must identify and meet the strictest applicable standard for each requirement. See our guide on HIPAA vs. state privacy laws.
What to do next
Depending on your role under HIPAA, your next steps differ.