{"id":8900,"date":"2024-10-11T08:17:45","date_gmt":"2024-10-11T06:17:45","guid":{"rendered":"https:\/\/stage.usercentrics.com\/?post_type=knowledge&#038;p=8900"},"modified":"2025-06-26T12:21:47","modified_gmt":"2025-06-26T10:21:47","slug":"health-insurance-portability-and-accountability-act-hipaa","status":"publish","type":"knowledge","link":"https:\/\/usercentrics.com\/us\/knowledge-hub\/health-insurance-portability-and-accountability-act-hipaa\/","title":{"rendered":"Health Insurance Portability and Accountability Act (HIPAA): An overview"},"content":{"rendered":"\n<p>When the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, it governed a very different information landscape than today\u2019s. Individuals did far less online then, including for their healthcare. We produced less data, especially digitally, so there was less need to regulate access to it and use of it.<\/p>\n\n\n\n<p>Today, however, HIPAA is more relevant and important than ever, because digital footprints have proliferated: people create and disseminate their data, including health data, in more ways than ever, often without knowing it. 
There is also a startling variety of ways health data can be used, from diagnosis and treatment to online advertising, creating an ever-expanding need for clear guidelines and robust protections.&nbsp;<\/p>\n\n\n\n<p>Here, we look at what HIPAA is, why it\u2019s so relevant today in data privacy, how it\u2019s become interlinked with other regulations, and what its requirements mean for individuals and companies in healthcare and related industries.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-the-health-insurance-portability-and-accountability-act-hipaa\">What is the Health Insurance Portability and Accountability Act (HIPAA)?<\/h2>\n\n\n\n<p>The <a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/PLAW-104publ191\/pdf\/PLAW-104publ191.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Health Insurance Portability and Accountability Act (HIPAA)<\/a> is a US federal law that was signed in 1996. The regulations that implement it are administered by the U.S. Department of Health and Human Services (HHS). Among other things, it protects the privacy and security of individuals\u2019 protected health information. The implementing rules have been amended several times, notably by the HITECH Act of 2009 and the HIPAA Omnibus Rule of 2013.<\/p>\n\n\n\n<p>The US does not have a universal healthcare system like many other countries, and a significant portion of the law\u2019s contents reflect resulting requirements for managing healthcare and how it\u2019s paid for, including through insurance.<\/p>\n\n\n\n<p>The Act\u2019s main provisions are five \u201cTitles\u201d that protect healthcare data and establish responsibilities for organizations using it. 
Within Title II in particular, a set of Rules (the Privacy, Security, Breach Notification and Enforcement Rules) governs access to and use of data, security requirements, and enforcement.&nbsp;<\/p>\n\n\n\n<p>HIPAA is designed to protect individuals\u2019 privacy and promote security for healthcare data, but also to increase efficiency in healthcare services and management, and the portability of healthcare information.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" height=\"630\" width=\"770\" src=\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2024\/10\/uc_blog_770x500_5_titles_of_hipaa_100724.svg\" alt=\"Table presenting the 5 titles of HIPAA\" class=\"wp-image-8902\"\/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-more-about-hipaa-title-ii-privacy-rule\">More about HIPAA Title II: Privacy Rule<\/h4>\n\n\n\n<p>Within Title II, perhaps the section of HIPAA most relevant to data privacy and compliance, and most closely connected to requirements in other data privacy laws, is the <a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/privacysummary.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Privacy Rule<\/a>. It addresses the use and disclosure of individuals\u2019 protected health information by organizations, and gives individuals privacy rights and the means to understand and control the use of their health information. 
The Privacy Rule also outlines compliance requirements and enforcement.<\/p>\n\n\n\n<p>Overall, a major goal of the Privacy Rule is to ensure adequate protection of health information, while maintaining the flow of that information as needed to provide quality healthcare and promote health and well-being.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-key-definitions-in-hipaa\">Key definitions in HIPAA<\/h2>\n\n\n\n<p>As with any regulation, the terms in HIPAA\u2019s Definitions section say a lot about the focus of the law, how it views individuals and organizations, and what it expects of them. Below we summarize some of these key definitions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-administrative-simplification-provision\">Administrative simplification provision<\/h3>\n\n\n\n<p>This provision refers to any requirement or prohibition established by HIPAA or other relevant regulation, primarily designed to improve standardization and efficiency. It governs how providers, health plans, and clearinghouses must conduct electronic administrative transactions, and sets standards for transmitting electronic health information.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-business-associate\">Business associate<\/h3>\n\n\n\n<p>A business associate is a person or organization, other than a member of the covered entity\u2019s workforce, that creates, receives, maintains, or transmits protected health information on behalf of a covered entity. A subcontractor that handles PHI on behalf of a business associate is itself a business associate. 
This role is comparable to a data processor under many data privacy laws.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-covered-entity\">Covered entity<\/h3>\n\n\n\n<p>Refers to:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>a health plan<\/li>\n\n\n\n<li>a healthcare clearinghouse<\/li>\n\n\n\n<li>a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA\u2019s standards.<\/li>\n<\/ol>\n\n\n\n<p>This definition is comparable to a data controller under many data privacy laws, but in the healthcare context.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-disclosure\">Disclosure<\/h3>\n\n\n\n<p>The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-electronic-media\">Electronic media<\/h3>\n\n\n\n<p>Electronic storage material on which data is or may be recorded digitally, including computer hard drives, external portable drives, or removable\/transportable digital memory media such as memory cards or USB keys, as well as transmission media used to exchange information already in electronic storage, such as the internet or private networks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-healthcare-clearinghouse\">Healthcare clearinghouse<\/h3>\n\n\n\n<p>A public or private entity that processes or facilitates processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. 
Includes billing services, repricing companies, community health management information systems, community health information systems, and value-added networks and switches.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-health-information\">Health information<\/h3>\n\n\n\n<p>Any information, including genetic information, whether oral or recorded in any form or medium, that is:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>created or received by:\n<ul class=\"wp-block-list\">\n<li>a healthcare provider<\/li>\n\n\n\n<li>health plan<\/li>\n\n\n\n<li>public health authority<\/li>\n\n\n\n<li>employer<\/li>\n\n\n\n<li>life insurer<\/li>\n\n\n\n<li>school or university<\/li>\n\n\n\n<li>healthcare clearinghouse<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>and<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>relates to:\n<ul class=\"wp-block-list\">\n<li>the past, present, or future physical or mental health or condition of an individual<\/li>\n\n\n\n<li>the provision of healthcare to an individual<\/li>\n\n\n\n<li>the past, present, or future payment for the provision of healthcare to an individual<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Health information can be written on paper, spoken, or held as electronic data. Its volume does not matter, and it may be transmitted within or outside a healthcare facility. 
The definition turns on the content of the information and on who created or received it, not on how it is stored or transmitted.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-electronic-protected-health-information\">Electronic protected health information<\/h3>\n\n\n\n<p>Protected health information that is transmitted by or maintained in electronic media, as set out under the definition of protected health information in the <a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2013-title45-vol1\/pdf\/CFR-2013-title45-vol1-sec160-103.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">HIPAA Definitions<\/a> (45 CFR 160.103). The Security Rule\u2019s safeguards apply specifically to ePHI.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-individually-identifiable-health-information\">Individually identifiable health information<\/h3>\n\n\n\n<p>Like personally identifiable information as defined in other data privacy laws, but specific to health and healthcare. A subset of health information, including demographic information collected from an individual, that is:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>created or received by:\n<ul class=\"wp-block-list\">\n<li>a healthcare provider<\/li>\n\n\n\n<li>health plan<\/li>\n\n\n\n<li>employer<\/li>\n\n\n\n<li>healthcare clearinghouse<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>and<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>relates to:\n<ul class=\"wp-block-list\">\n<li>the past, present, or future physical or mental health or condition of an individual<\/li>\n\n\n\n<li>the provision of healthcare to an individual<\/li>\n\n\n\n<li>the past, present, or future payment for the provision of healthcare to an individual<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>and<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>that identifies the individual, or for which there is a reasonable basis to believe it could be used to identify the individual<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-person\">Person<\/h3>\n\n\n\n<p>A natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-protected-health-information-phi\">Protected health information (PHI)<\/h3>\n\n\n\n<p>Individually identifiable health information that is transmitted by or maintained in electronic media, or transmitted or maintained in any other form or medium. It excludes education records covered by FERPA, employment records held by a covered entity in its role as employer, and information about a person who has been deceased for more than 50 years. PHI is at the core of HIPAA requirements and restrictions.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-phi-vs-pii\">PHI vs. PII<\/h4>\n\n\n\n<p>Data privacy laws often refer to personally identifiable information (PII). This is data that, on its own or in combination with other data, can be used to identify an individual. It can include first and last name, email addresses, credit card numbers, passport numbers, and more. Some PII is also categorized as \u201csensitive\u201d because misuse of it can cause considerable harm. Protected health information (PHI) would typically be considered sensitive PII.<\/p>\n\n\n\n<p><strong>Learn more: <\/strong><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/personally-identifiable-information-vs-personal-data\/\">PII vs. PI vs. sensitive data: The differences you need to know<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-respondent\">Respondent<\/h3>\n\n\n\n<p>A covered entity or business associate upon which a civil monetary penalty has been imposed, or is proposed to be imposed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-trading-partner-agreement\">Trading partner agreement<\/h3>\n\n\n\n<p>An agreement related to the exchange of information in electronic transactions, whether the agreement is distinct or part of a larger agreement, between each party to the agreement. 
May specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-transaction\">Transaction<\/h3>\n\n\n\n<p>The transmission of information between two parties to carry out financial or administrative activities related to healthcare.&nbsp;<\/p>\n\n\n\n<p>Includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>healthcare claims or equivalent encounter information<\/li>\n\n\n\n<li>healthcare payment and remittance advice<\/li>\n\n\n\n<li>coordination of benefits<\/li>\n\n\n\n<li>healthcare claim status<\/li>\n\n\n\n<li>enrollment and disenrollment in a health plan<\/li>\n\n\n\n<li>eligibility for a health plan<\/li>\n\n\n\n<li>health plan premium payments<\/li>\n\n\n\n<li>referral certification and authorization<\/li>\n\n\n\n<li>first report of injury<\/li>\n\n\n\n<li>health claims attachments<\/li>\n\n\n\n<li>healthcare electronic funds transfers (EFT) and remittance advice<\/li>\n\n\n\n<li>other transactions prescribed by regulation<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-use\">Use<\/h3>\n\n\n\n<p>With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-to-what-organizations-does-the-hipaa-law-apply\">To what organizations does the HIPAA law apply?<\/h2>\n\n\n\n<p>Generally, HIPAA applies to organizations that deal with healthcare data in digital or analog form, ranging from healthcare providers to insurance companies, and their business associates. The entities that typically handle PHI include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>healthcare providers, e.g. hospitals, doctors, dentists, pharmacies<\/li>\n\n\n\n<li>health plans, e.g. 
health insurance companies, employer-sponsored health plans, government programs like Medicare and Medicaid<\/li>\n\n\n\n<li>healthcare clearinghouses, e.g. organizations that perform administrative functions for healthcare providers or plans, or that convert nonstandard healthcare information into standard transactions, like from paper to electronic format<\/li>\n\n\n\n<li>business associates that provide services to covered entities involving use or disclosure of PHI, e.g. third-party service providers like those doing billing, data storage, or legal consulting, including cloud service providers that store or process ePHI even if they never view it<\/li>\n\n\n\n<li>consultants, like experts providing advice or analysis relating to health information or healthcare operations that requires handling of PHI (also business associates)<\/li>\n\n\n\n<li>contractors or subcontractors, like vendors providing services such as claims processing or data analysis involving PHI (also business associates)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-does-hipaa-protect\">Who does HIPAA protect?<\/h2>\n\n\n\n<p>HIPAA protects individuals, their privacy, and their healthcare information as it is created, received, maintained, or transmitted in connection with the use of healthcare services or payment for them.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-protections-does-hipaa-provide\">What protections does HIPAA provide?<\/h2>\n\n\n\n<p>HIPAA requires that healthcare information be protected from the time it\u2019s generated to when it\u2019s destroyed. It must also be protected, and access to it limited, when it\u2019s used or transmitted for healthcare purposes. This helps to prevent identity theft and fraud that victimizes individuals, and also helps prevent fraud and abuse of health plans, including private health plans and Medicare.<\/p>\n\n\n\n<p>The HIPAA law also helps to prevent discrimination against individuals or denial of coverage based on health status or use of healthcare services. 
Additionally, the law gives individuals rights over their healthcare data, including the right to access and obtain a copy of their records and to request corrections, which helps people advocate for themselves, find care or access additional services, or negotiate with insurers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-notification-and-consent-requirements-under-hipaa\">Notification and consent requirements under HIPAA<\/h2>\n\n\n\n<p>Under the Privacy Rule, prior consent is not required for use or disclosure of PHI for treatment, payment, or healthcare operations; a covered entity may choose to obtain consent for these, but is not required to. For other uses and disclosures, the individual\u2019s written authorization is required. An authorization must be written in plain language so the individual can understand it, and must include specific information about the use and\/or disclosure of PHI. 
Individuals have the right to revoke an authorization in writing at any time, except to the extent the covered entity has already acted in reliance on it, and must be told how to do so.<\/p>\n\n\n\n<p>A HIPAA authorization form is a legal document that permits a covered entity to use or disclose PHI in ways not otherwise permitted under the Privacy Rule. The form must be signed and retained as proof of authorization.<\/p>\n\n\n\n<p>For example, a covered entity must obtain a signed HIPAA authorization before it can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>sell PHI<\/li>\n\n\n\n<li>use or disclose PHI for marketing purposes (e.g. patient email addresses); fundraising communications instead require that the individual be given the opportunity to opt out<\/li>\n\n\n\n<li>disclose psychotherapy notes<\/li>\n\n\n\n<li>disclose PHI for research, unless an Institutional Review Board or privacy board has waived the authorization requirement<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-hipaa-notification-requirements\">HIPAA notification requirements<\/h3>\n\n\n\n<p>As with the notice requirements of other data privacy laws, HIPAA requires authorization forms to clearly and accessibly provide important information to individuals. The covered entity must also give the individual a copy of the signed form. 
An authorization must include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a description of the information to be used or disclosed<\/li>\n\n\n\n<li>the purpose of each requested use or disclosure<\/li>\n\n\n\n<li>the name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure<\/li>\n\n\n\n<li>the name or other specific identification of the person(s) or class of persons to whom the covered entity may make the requested use or disclosure<\/li>\n\n\n\n<li>an expiration date, or an expiration event that relates to the individual or the purpose of the use or disclosure<\/li>\n\n\n\n<li>the date and signature of the individual (or of a personal representative, with a description of their authority to act for the individual)<\/li>\n\n\n\n<li>a statement of the individual\u2019s right to revoke the authorization in writing<\/li>\n\n\n\n<li>any exceptions to the individual\u2019s right to revoke the authorization<\/li>\n\n\n\n<li>details of how the authorization can be revoked<\/li>\n\n\n\n<li>a statement that the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization<\/li>\n\n\n\n<li>a statement that information disclosed under the authorization may be re-disclosed by the recipient and no longer protected by the HIPAA Privacy Rule<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-exceptions-to-hipaa-consent-requirements\">Exceptions to HIPAA consent requirements<\/h3>\n\n\n\n<p>Covered entities are permitted to use or disclose PHI without an individual\u2019s authorization in the following situations or for the following purposes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>to the individual who is the subject of the information (with limited exceptions)<\/li>\n\n\n\n<li>for treatment, payment, or healthcare operations<\/li>\n\n\n\n<li>where the individual has been given the opportunity to agree or object, e.g. facility directories or disclosures to family members involved in the individual\u2019s care<\/li>\n\n\n\n<li>incident to an otherwise permitted use or disclosure<\/li>\n\n\n\n<li>for public interest and benefit activities, e.g. where required by law, for public health activities, or to law enforcement under specified conditions<\/li>\n\n\n\n<li>as part of a limited data set for the purposes of research, public health, or healthcare operations<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Companies\u2019 responsibilities under HIPAA<\/h2>\n\n\n\n<p>For the most part, the companies that are required to comply with HIPAA\u2019s requirements will be those categorized as covered entities or business associates. HIPAA is referenced in many of the state-level data privacy laws in the US, but mainly regarding exceptions to compliance with them, as HIPAA has its own set of requirements. 
Where HIPAA applies to a company\u2019s operations, its requirements may take precedence over those of state-level or other laws. Broadly, companies have the following responsibilities under HIPAA.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" height=\"550\" width=\"770\" src=\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2024\/10\/uc_blog_body_770x550_hipaa_100724_a.svg\" alt=\"Table showing the Privacy Rule responsibilities\" class=\"wp-image-8904\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" height=\"550\" width=\"770\" src=\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2024\/10\/uc_blog_body_770x550_hipaa_100724_b.svg\" alt=\"List showing the Security Rule responsibilities\" class=\"wp-image-8905\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" height=\"375\" width=\"770\" src=\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2024\/10\/uc_blog_body_770x550_hipaa_100724_c.svg\" alt=\"List presenting the Breach Notification Rule responsibilities\" class=\"wp-image-8906\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" height=\"450\" width=\"770\" src=\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2024\/10\/uc_blog_body_770x550_hipaa_100724_d.svg\" alt=\"List showing the Enforcement Rule responsibilities\" class=\"wp-image-8908\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Contracts and documentation responsibilities<\/h3>\n\n\n\n<p>Covered entities under HIPAA need to ensure they have Business Associate Agreements (BAAs) with any entities categorized as business associates under HIPAA that handle PHI on the company\u2019s behalf, and business associates in turn need BAAs with their subcontractors.&nbsp;<\/p>\n\n\n\n<p>Such agreements must specify the business associate\u2019s permitted uses and disclosures of PHI, and its obligations to safeguard it, to report breaches and security incidents, and to comply with other HIPAA requirements. HHS publishes sample business associate agreement provisions to help companies get started, but consulting qualified legal counsel is also strongly recommended.<\/p>\n\n\n\n<p>Companies need to keep detailed records of individuals\u2019 requests and resulting actions, as well as documenting any breaches and efforts for mitigation. They also need to document and keep their PHI handling policies and processes up to date, maintain records of employee training, and document other compliance efforts. Auditors or investigators may require this information.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-hipaa-enforcement\">HIPAA enforcement<\/h2>\n\n\n\n<p>HIPAA\u2019s Enforcement Rule covers requirements for compliance, as well as investigations, procedures for hearings, and the potential imposition of penalties. The Enforcement Rule has been amended and updated a number of times since the law came into effect.<\/p>\n\n\n\n<p>The HHS Office for Civil Rights (OCR) is primarily responsible for enforcing HIPAA\u2019s Privacy, Security and Breach Notification Rules. State attorneys general can also bring civil actions for HIPAA violations, a power granted to them by the HITECH Act, and the Centers for Medicare and Medicaid Services (CMS) enforces the transactions and code set standards.<\/p>\n\n\n\n<p>The OCR investigates complaints and breaches, conducts compliance reviews, and handles education about compliance for organizations required to comply. It can also levy penalties and\/or pursue legal action against noncompliant organizations, and refers possible criminal violations to the Department of Justice, though voluntary compliance and corrective action plans are the preferred resolution.<\/p>\n\n\n\n<p>Breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery, and are prioritized for investigation; smaller breaches are logged and reported to HHS annually, and have also been subject to investigation.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" height=\"1000\" width=\"770\" src=\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2024\/10\/uc_blog_770x1000_hipaa_100724_e.svg\" alt=\"List presenting the HIPAA enforcement mechanisms\" class=\"wp-image-8910\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" height=\"550\" width=\"770\" src=\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2024\/10\/uc_blog_770x500_hipaa_100724_f.svg\" alt=\"Table presenting the Penalties and fines for HIPAA violations\" class=\"wp-image-8912\"\/><\/figure>\n\n\n\n<p>Civil monetary penalties are tiered by level of culpability, with an annual cap for violations of an identical provision that was set at USD 1.5 million and is adjusted for inflation each year. 
The OCR takes the following factors into account when determining specific fines:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>size of the covered entity<\/li>\n\n\n\n<li>type of PHI exposed<\/li>\n\n\n\n<li>duration of the violation<\/li>\n\n\n\n<li>number of individuals affected<\/li>\n\n\n\n<li>severity and extent of damage due to the violation<\/li>\n\n\n\n<li>the covered entity\u2019s cooperation during the investigation<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-data-management-requirements-under-hipaa\">Data management requirements under HIPAA<\/h2>\n\n\n\n<p>Though HIPAA is a federal-level law in the US, it does not always supersede state-level laws: HIPAA preempts contrary state law, but not state laws that are more stringent in protecting privacy. We look at compliance requirements, and how they vary, for PHI regarding data retention and destruction.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-data-retention-requirements\"><a href=\"https:\/\/www.hipaajournal.com\/hipaa-retention-requirements\/\" target=\"_blank\" rel=\"noreferrer noopener\">Data retention requirements<\/a><\/h3>\n\n\n\n<p>HIPAA\u2019s own retention requirements apply to documentation related to HIPAA compliance, e.g. policies, procedures and authorization forms, rather than to medical records themselves. Covered entities need to be aware of other data retention requirements beyond HIPAA, like those governing medical records at a state level, which may require longer retention.&nbsp;<\/p>\n\n\n\n<p>The type of documentation determines which requirements take precedence. It\u2019s important to consult qualified legal counsel for clarity.<\/p>\n\n\n\n<p>HIPAA requires compliance documentation to be retained for six years from the date it was created or the date when it was last in effect, whichever is later. 
This applies to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Privacy Rule and Security Rule documentation<\/strong>: policies, procedures, risk analyses, compliance documentation, etc.<\/li>\n\n\n\n<li><strong>Business Associate Agreements: <\/strong>copies signed and shared with business associates, including any amendments or other updates<\/li>\n\n\n\n<li><strong>Notices of Privacy Practices<\/strong>: copies provided to individuals and records of acknowledgements<\/li>\n\n\n\n<li><strong>Breach notification records<\/strong>: including notifications to the Secretary of HHS, affected individuals, and the media<\/li>\n\n\n\n<li><strong>Authorization forms:<\/strong> copies of individuals\u2019 authorizations and consent forms for use\/disclosure of PHI<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-hipaa-privacy-rule-and-lack-of-medical-records-retention-stipulations\">HIPAA Privacy Rule and lack of medical records retention stipulations<\/h4>\n\n\n\n<p>One might expect HIPAA to specify how long medical records must be retained. It does not, because each state has its own laws covering this, and HIPAA does not preempt state laws that are more stringent.<\/p>\n\n\n\n<p>As a result, covered entities and business associates must comply with relevant state-level data retention laws with regard to medical records. These retention periods can vary quite a bit state by state.&nbsp;<\/p>\n\n\n\n<p>For example, a doctor in Florida must retain records for five years after the last patient contact, but a Florida hospital must retain the records for seven years. In Arkansas hospitals, medical records of adult patients must be retained for ten years after discharge, but master patient index data (information stored in a central database that organizes and links patient data across healthcare systems and facilities) must be retained permanently. 
In North Carolina, hospitals must retain minors\u2019 medical records until those individuals reach the age of 30.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-records-destruction\">Records destruction<\/h3>\n\n\n\n<p>As with many data privacy laws, the principles of data minimization and storage limitation apply: only the minimum necessary data is obtained and processed, and it is kept only as long as it is needed for the specific, communicated purpose(s). HIPAA\u2019s own version of this is the Privacy Rule\u2019s \u201cminimum necessary\u201d standard.<\/p>\n\n\n\n<p>When the legally required retention period ends, or when covered entities otherwise no longer need PHI, it must be securely destroyed, whether the data is in physical or digital format. Physical destruction methods include shredding or incineration, and electronic destruction methods include secure wiping, overwriting, and\/or destruction of the storage medium. The Security Rule requires covered entities to have policies for the final disposition of electronic PHI and of the hardware and media it is stored on (45 CFR 164.310(d)(2)), and HHS guidance points to NIST Special Publication 800-88 for media sanitization. In practice, deleting files or reformatting a drive does not destroy the data; overwriting is unreliable on SSDs and other flash storage, where cryptographic erase or physical destruction are the dependable options; and destruction must also cover backups, replicas, and decommissioned or returned devices, which are a recurring source of reported breaches.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-hipaa-and-other-us-data-privacy-laws\">HIPAA and other US data privacy laws<\/h2>\n\n\n\n<p>The <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/us-data-privacy-laws-by-state\/\">US continues to pass state-level data privacy laws<\/a>, as there is not yet a comprehensive federal law governing data privacy and protection, consumers\u2019 rights, and related matters. The lack of a federal data privacy law makes the US somewhat unusual; in countries with comprehensive federal or regional data privacy laws, health data is usually covered by those laws without the need for a separate healthcare regulation.<\/p>\n\n\n\n<p>The existing state-level data privacy laws do tend to reference HIPAA, most commonly in exemptions from their requirements. These exemptions typically carve out PHI that HIPAA already governs, and often covered entities and business associates acting under HIPAA, so the same data is not regulated twice. However, as noted, for some requirements, like data retention, state-level law can supersede HIPAA.<\/p>\n\n\n\n<p>There is some movement regarding healthcare-specific laws at the state level as well. 
A good example is the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/washington-my-health-my-data-act-guide\/\">Washington My Health My Data Act<\/a>, which notably reaches consumer health data held by organizations that HIPAA does not cover. Interestingly, as of late 2024 Washington state did not yet have a general consumer data privacy law.<\/p>\n\n\n\n<p>It is quite common in the US, especially for certain industries \u2014 like healthcare or the financial sector \u2014&nbsp;for there to be a number of regulations and guidelines specific to that industry, the work done there, and the data required for it. Because of this, state-level privacy laws often defer to industry-specific regulations, at least in some areas.<\/p>\n\n\n\n<p>The <a href=\"\/knowledge-hub\/childrens-online-privacy-protection-act-coppa\/\">Children\u2019s Online Privacy Protection Act (COPPA)<\/a>, for example, is another federal US law that is referenced by and relevant to a variety of other regulations and to a variety of industries.<\/p>\n\n\n\n<p>HIPAA and compliance with it could become more relevant to companies in and outside the United States as personal data continues to proliferate on digital platforms, like apps. People increasingly use their phones to track health and activities, and some of the data generated can be quite sensitive. Insurance companies also increasingly provide apps to enable customers to manage their coverage, claims, and other functions.&nbsp;<\/p>\n\n\n\n<p>Whether any of these fall under HIPAA depends on who operates them and for whom. A health plan\u2019s member app, or a vendor that handles PHI on behalf of a provider or plan as a business associate, is in scope wherever the company is based. A standalone consumer fitness or wellness app with no link to a covered entity generally is not, even though its data may be just as sensitive; such apps may instead fall under the FTC\u2019s Health Breach Notification Rule and state laws such as Washington\u2019s. 
PHI and financial information also intersect: where health-related financial information is processed, for example in insurance claims or payment for services, laws such as the Gramm-Leach-Bliley Act (GLBA) may apply alongside HIPAA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-laws-like-hipaa-around-the-world\">Laws like HIPAA around the world<\/h3>\n\n\n\n<p>In other countries, comprehensive data privacy regulations usually cover health information, so separate PHI-specific laws are less common. Health data is typically categorized as \u201csensitive\u201d or \u201cspecial category\u201d information, alongside data such as sexual orientation, religious beliefs, and genetic or biometric data, which means tighter restrictions on collecting and using it and stronger requirements for storing and protecting it.<\/p>\n\n\n\n<p>Some of the data privacy laws in other countries relevant to PHI management include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/the-eu-general-data-protection-regulation\/\">General Data Protection Regulation (GDPR)<\/a> in the European Union<\/li>\n\n\n\n<li><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/canada-personal-information-protection-and-electronic-documents-act-pipeda\/\">Personal Information Protection and Electronic Documents Act (PIPEDA)<\/a> in Canada<\/li>\n\n\n\n<li><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/brazil-lgpd-general-data-protection-law-overview\/\">Lei Geral de Prote\u00e7\u00e3o de Dados (LGPD)<\/a> in Brazil<\/li>\n\n\n\n<li><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/south-africa-popia-protection-of-personal-information-act-overview\/\">Protection of Personal Information Act (POPIA)<\/a> in South Africa<\/li>\n\n\n\n<li><a href=\"https:\/\/www.cookiebot.com\/en\/australia-privacy-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\">Australian Privacy Act<\/a> in Australia<\/li>\n\n\n\n<li><a 
href=\"https:\/\/privacy.org.nz\/privacy-act-2020\/codes-of-practice\/hipc2020\/\" target=\"_blank\" rel=\"noreferrer noopener\">Health Information Privacy Code<\/a> in New Zealand<\/li>\n\n\n\n<li><a href=\"https:\/\/www.cookiebot.com\/en\/data-protection-act-2018\/\" target=\"_blank\" rel=\"noreferrer noopener\">Data Protection Act<\/a> in the United Kingdom<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-achieving-hipaa-compliance\">Achieving HIPAA compliance<\/h2>\n\n\n\n<p>As with any other data privacy laws, noncompliance can be expensive, time- and resource-consuming, and devastating to consumers\u2019 trust and brand reputation in the case of a breach or other violation. Healthcare information is among the most sensitive types of information that people share, and needs to be protected and respected accordingly.<\/p>\n\n\n\n<p>HIPAA applies to a narrower subset of companies, but still applies to more than many might think, given the size of the ecosystem involved in managing delivery, recordkeeping, and payment for healthcare in the United States.<\/p>\n\n\n\n<p>The Privacy and Security Rules, particularly, provide the best blueprint for HIPAA compliance. In addition, these actions are also important.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" height=\"500\" width=\"770\" src=\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2024\/10\/uc_blog_770x550_hipaa_100724_g.svg\" alt=\"Infographic presenting the actions to take in order to achieve HIPAA compliance\" class=\"wp-image-8914\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that came into effect in 1996. 
It covers collection, use, and security requirements for protected health information in healthcare and healthcare insurance industries.<\/p>\n","protected":false},"featured_media":8949,"template":"","meta":{"_acf_changed":false,"editor_notices":[],"footnotes":""},"tags":[],"magazine_issue":[],"magazine_tag":[],"resource_tag":[],"class_list":["post-8900","knowledge","type-knowledge","status-publish","has-post-thumbnail","hentry"],"acf":[]}