What is HIPAA? A plain-English explainer

HIPAA is the U.S. law protecting patient health information. Learn the four Rules, who must comply, penalties, and how to get started.

Published June 2, 2026
Last updated June 4, 2026
  • What it is: HIPAA is the 1996 U.S. federal law that sets national standards for safeguarding patients' health information, known as Protected Health Information (PHI).
  • The four Rules: Privacy (who can use and share PHI), Security (how to safeguard electronic PHI), Breach Notification (what to do after a breach), and Omnibus (extends liability to vendors).
  • Who must comply: Health plans, healthcare providers, and clearinghouses (covered entities), plus any vendor handling PHI on their behalf (business associates).
  • Geographic coverage: HIPAA is U.S. federal law and binds U.S. covered entities and their business associates. A foreign vendor is not subject to HIPAA on its own; it becomes accountable when it handles PHI for a U.S. covered entity or BA, which makes it a business associate and requires a Business Associate Agreement that contractually flows HIPAA obligations down the chain. HIPAA has no GDPR-style extraterritorial reach. Stricter state laws (California's CMIA, Texas HB 300, Washington's MHMDA) layer on top.
  • Penalties (2026): Civil fines range from $145 to $2,190,294 per year per violation category. Criminal penalties reach $250,000 and 10 years for malicious disclosure.

HIPAA, the Health Insurance Portability and Accountability Act, is a 1996 U.S. federal law that sets national standards for protecting patient health information and requires healthcare organizations and their vendors to safeguard it. Most people assume HIPAA only governs hospitals and doctors. The law actually reaches billing companies, IT vendors, cloud providers, and the fax service that transmits a referral.

President Bill Clinton signed HIPAA on August 21, 1996 as Public Law 104-191. Congress and HHS have modernized it four times: the Privacy Rule (2003), the Security Rule (2005), the Breach Notification Rule (2009), and the Omnibus Rule (2013). A fifth update, the largest Security Rule rewrite in 20 years, is on OCR's regulatory agenda for May 2026.

This guide covers what HIPAA means, the four Rules, what counts as PHI, who has to comply, the penalties for getting it wrong, how HIPAA applies to fax, email, SMS, and Slack, and an eight-step starter checklist. Read it once and you will know whether HIPAA applies to your organization and what to do next.

HIPAA definition and a brief history (1996 to today)

HIPAA was originally written to help workers keep health insurance when they changed jobs. The privacy and security rules everyone associates with it today were added later.

What HIPAA stands for

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. President Bill Clinton signed it on August 21, 1996 as Public Law 104-191. The statute had four original goals: make health insurance portable between jobs, reduce healthcare fraud and abuse, standardize electronic health transactions, and protect health information.

The protection-of-health-information piece was the smallest part of the original law. Congress directed the Department of Health and Human Services (HHS) to issue the actual privacy and security regulations later. Those regulations are what most people now mean when they say "HIPAA."

How HIPAA evolved: the four major updates

  • Privacy Rule (2003) set the first national standards for who can use and disclose PHI and gave patients rights over their records.
  • Security Rule (2005) added administrative, physical, and technical safeguards for electronic PHI.
  • HITECH Act and Breach Notification Rule (2009) raised the maximum penalty from $25,000 per year to $1.5 million per year, introduced mandatory breach notification, and drove EHR adoption with $25 billion in incentives. HITECH also gave state attorneys general HIPAA enforcement authority.
  • Omnibus Rule (2013) made business associates directly liable for HIPAA violations and reversed the breach-notification burden of proof.

Where HIPAA stands in 2025–2026

HHS proposed a major Security Rule update in January 2025. It would make multi-factor authentication and encryption mandatory and eliminate the distinction between "required" and "addressable" specifications. Industry cost estimates run to $34 billion. The Office for Civil Rights kept finalization on its regulatory agenda for May 2026. Treat MFA and encryption as required now to avoid scrambling later.

The four HIPAA rules explained

People say "HIPAA" as if it were one thing. It is actually four interlocking Rules, and most violations happen at the seams between them.

Privacy Rule (2003)

The Privacy Rule defines PHI and who can access it under what conditions. Patients get rights to access their records, request corrections, get an accounting of disclosures, and request restrictions on how their information is used. Providers must respond to access requests within 30 days, with one 30-day extension allowed.

Uses and disclosures are permitted without patient authorization for treatment, payment, and healthcare operations (the "TPO" exception). Nearly all of them remain subject to the minimum-necessary standard: disclose only what is needed to accomplish the purpose. Disclosures to, and requests by, a provider for treatment are the main carve-out, which is why full records can move between providers.

A classic Privacy Rule failure: a doctor's office faxes a patient's HIV status to what staff think is the patient's primary-care physician but turns out to be the patient's employer. Wrong number, no minimum-necessary controls, no verification.

Security Rule (2005)

The Security Rule applies only to electronic PHI (ePHI). It defines three categories of safeguards:

  • Administrative: risk analysis, workforce training, sanction policy, access management
  • Physical: facility access controls, workstation security, device disposal
  • Technical: access controls, audit logs, integrity controls, transmission encryption

The current distinction between "required" and "addressable" specifications is on track to disappear under the 2025 proposed update. Risk-analysis failures dominate enforcement. They appeared in 13 of the 22 OCR resolutions closed in 2024.

Breach Notification Rule (2009, via HITECH)

If unsecured PHI is breached, covered entities must notify three audiences. The clock starts when the breach is discovered, notice must go out without unreasonable delay, and the outer limit is 60 calendar days:

  • Affected individuals, within 60 days of discovery
  • HHS, at the same time as individual notice for breaches affecting 500 or more people; smaller breaches go into an annual log submitted within 60 days after the end of the calendar year
  • Prominent media outlets serving a state or jurisdiction, if 500 or more of its residents are affected

A business associate that discovers a breach must notify the covered entity within the same 60-day limit; the covered entity then owns the notifications above.

Encryption creates a safe harbor. PHI encrypted in line with HHS guidance (NIST-consistent methods) is not "unsecured," so a lost or stolen encrypted laptop or drive does not trigger notification, provided the decryption key was not compromised along with it. Warby Parker's $1.5 million civil money penalty in 2025 combined Security Rule and Breach Notification Rule failures after a credential-stuffing attack exposed customer eyewear-prescription data.

Three exceptions keep an incident from counting as a breach: unintentional acquisition or use by a workforce member acting in good faith within the scope of their authority, inadvertent disclosure between two people at the same organization who are both authorized to access PHI, and disclosure to a recipient who could not reasonably have retained the information. In the first two cases the information must not be further used or disclosed impermissibly.

Omnibus Rule (2013)

The Omnibus Rule made business associates and their subcontractors directly liable for HIPAA. Before 2013, only covered entities faced fines.

Omnibus also reversed the burden of proof on breaches. A use or disclosure not permitted by the Privacy Rule is now presumed a breach unless the covered entity can demonstrate a low probability that PHI was compromised, using a four-factor risk assessment.

What is PHI? The 18 identifiers that trigger HIPAA

PHI is health information (about a person's health, care, or payment for care) that carries any of 18 specific identifiers. The Safe Harbor method strips all 18 and requires that the organization have no actual knowledge that the remaining data could identify the person; the alternative, Expert Determination, has a qualified expert document that the re-identification risk is very small. Either way the result is de-identified data, which stops being PHI.

The 18 HIPAA identifiers

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, full ZIP code)
  3. All elements of dates except year that relate directly to an individual (birth, admission, discharge, death), plus all ages over 89
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers including fingerprints and voiceprints
  17. Full-face photos and comparable images
  18. Any other unique identifying number, characteristic, or code
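
The Safe Harbor method applied in code, as an added example that is not part of the original article or of any Fax.Plus product: a small Python routine that runs the 18-identifier rule over a constructed patient record. The field names, the record layout, the reference date, and the sample data are all assumptions. It keeps the state but drops smaller geography, reduces event dates to their year, collapses ages over 89 (and the birth years that reveal them) into a single "90+" bucket as the Safe Harbor text requires, and regex-scrubs the identifiers that typically leak into free-text clinical notes.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example, not code from the original page or from Fax.Plus. The field
names (name, dob, mrn, note, ...) describe a hypothetical record layout.
The identifier categories follow the 18 Safe Harbor items in 45 CFR 164.514(b)(2).
"""
import re
from datetime import date

# Item 1 and items 4-13, 16-17: direct identifiers that are simply dropped.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account_no",
    "license_no", "vehicle_plate", "device_serial", "url", "ip", "photo_ref",
}
# Item 2: geographic subdivisions smaller than a state. State is retained.
# (The regulation also allows the first 3 ZIP digits when that area holds more
# than 20,000 people; this example takes the conservative route and drops ZIP.)
GEO_FIELDS_BELOW_STATE = {"street", "city", "county", "zip"}
# Item 3: dates directly related to the individual. Only the year survives.
EVENT_DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# Identifiers that leak into free text, paired with the token that replaces them.
# Order matters: URLs before e-mail (a URL may contain "@"), SSN before phone.
FREE_TEXT_PATTERNS = [
    ("URL", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[ -]?\d{3}-\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]
# Dates in free text are reduced to their year rather than removed outright.
FREE_TEXT_DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")


def scrub_text(text):
    """Replace identifier patterns in free text; return (clean_text, labels_found)."""
    found = []
    for label, pattern in FREE_TEXT_PATTERNS:
        text, count = pattern.subn(f"[{label}]", text)
        if count:
            found.append(label)
    text, count = FREE_TEXT_DATE.subn(lambda m: m.group(3), text)
    if count:
        found.append("DATE")
    return text, found


def age_on(dob_iso, as_of):
    """Whole years between an ISO date of birth and the reference date."""
    born = date.fromisoformat(dob_iso)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def safe_harbor(record, as_of):
    """Return (deidentified_record, removed_items) for one record dict."""
    out, removed = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in GEO_FIELDS_BELOW_STATE:
            removed.append(field)
        elif field in EVENT_DATE_FIELDS:
            out[f"{field}_year"] = str(date.fromisoformat(value).year)
            removed.append(field)
        elif field in ("dob", "age"):
            continue  # handled together below, because age and birth year interact
        elif isinstance(value, str):
            clean, found = scrub_text(value)
            out[field] = clean
            removed.extend(f"{field}:{label}" for label in found)
        else:
            out[field] = value
    # Item 3 also covers age: anyone over 89 is reported as "90+" and the birth
    # year is withheld, since the year alone would reveal the age.
    age = record.get("age")
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        removed.append("dob")
    if age is not None:
        if age > 89:
            out["age"] = "90+"
        else:
            out["age"] = age
            if "dob" in record:
                out["birth_year"] = str(date.fromisoformat(record["dob"]).year)
    return out, removed


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1931-03-14",
    "ssn": "123-45-6789",
    "mrn": "MRN-0099817",
    "street": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "admit_date": "2026-02-09",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": "Pt called from 555-867-5309; results to jane@example.com on 02/10/2026.",
}
AS_OF = date(2026, 6, 4)  # constructed reference date for the age calculation

if __name__ == "__main__":
    clean_record, removed_items = safe_harbor(SAMPLE_RECORD, AS_OF)
    print(clean_record)
    print("removed:", removed_items)
```

The regex pass over free text is best effort: item 18 ("any other unique identifying number, characteristic, or code") cannot be caught by pattern matching, and a note that says "the only neurosurgeon in the county" is still identifying. If free text must be released, the conservative options are to drop it entirely or to fall back on the Expert Determination method.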

When the same data is NOT PHI

Identifiers without a health context are not PHI. A customer's name on a retailer's mailing list is just a name. A health context without identifiers is also not PHI. Aggregated, properly de-identified hospital statistics fall outside HIPAA. Both elements must be present at the same time to trigger the law. A patient's name plus a diagnosis is PHI. A diagnosis without any identifier is not.

Who must comply with HIPAA (and who doesn't)

Your Fitbit data is not protected by HIPAA. Your employer's wellness program probably isn't either. HIPAA covers a specific list of organizations, and that list is narrower than most people assume.

Covered entities (CEs)

A HIPAA covered entity falls into one of three categories:

  1. Health plans: insurers, HMOs, Medicare, Medicaid, and employer group health plans. Most employer group health plans are covered regardless of size. The narrow exception is a self-administered group health plan with fewer than 50 participants; those plans sit outside HIPAA. If an insurer or third-party administrator runs the plan, it is covered.
  2. Healthcare clearinghouses: entities that translate non-standard data into standard electronic transactions.
  3. Healthcare providers that transmit any health information electronically in connection with a covered transaction (claims, eligibility checks, referrals).

The electronic-transaction trigger is why almost every modern provider is covered. Once you bill insurance electronically or send an electronic referral, you are in.

Business associates (BAs)

A business associate is any person or organization that performs a function on behalf of a covered entity that involves PHI. Common examples: billing companies, IT vendors, cloud storage providers, shredding services, law firms with PHI access, transcription services, and HIPAA-compliant fax providers.

Since the 2013 Omnibus Rule, business associates are directly liable to OCR. Sign a Business Associate Agreement (BAA) before PHI changes hands. Gulf Coast Pain Consultants paid $1.19 million after a contractor retained system access after termination and filed fraudulent Medicare claims, showing what happens when BA access controls fail.

Who is NOT covered by HIPAA

  • Employers handling employee health information outside a group health plan (the ADA and FMLA govern instead)
  • Consumer fitness apps that don't sell to providers, including Fitbit, Apple Health, and MyFitnessPal (the FTC Health Breach Notification Rule governs instead)
  • Schools and universities (FERPA governs student records)
  • Life insurers, workers' compensation carriers, and most disability insurers
  • Law enforcement agencies
  • Marketing analytics firms with no PHI access

HIPAA and communication channels: fax, email, SMS, Slack, video

A Texas dental practice paid $10,000 because an employee responded to a one-star Yelp review with patient details. HIPAA travels with the message, not the medium. Every channel your staff uses to move PHI needs its own answer.

The compliance matrix

Channel                                  HIPAA-compliant?   Key requirement
Traditional fax (analog)                 With safeguards    Conduit exception; verify numbers, cover sheet, secure machine
Cloud fax with BAA (e.g. Fax.Plus)       Yes                Provider signs BAA, encrypts in transit and at rest
Consumer Gmail / Outlook.com             No                 Free tiers don't offer a BAA
Google Workspace / Microsoft 365 (paid)  Yes, with BAA      Execute BAA and configure correctly
Standard SMS                             No                 Carriers don't sign BAAs
Slack (standard tiers)                   No                 BAA only on Enterprise Grid
FaceTime / consumer Zoom                 No                 No BAA available
Zoom for Healthcare                      Yes                BAA available

Fax: still the healthcare workhorse

Under the conduit exception, the phone carrier is not a business associate when it transmits a fax because the carrier never inspects or stores the content. That keeps traditional fax inside HIPAA's allowed channels.

Analog fax has two practical problems. There is no audit trail, and one wrong digit can expose PHI (the HIV-status-to-employer incident). A HIPAA-compliant cloud fax service like Fax.Plus signs a BAA on its Enterprise plan, encrypts traffic in transit and at rest, logs every send and receive, and lets staff send faxes from email or a web browser without leaving the workflow they already use.

Email and messaging

Free consumer email is the most common silent HIPAA violation. Gmail, Outlook.com, Yahoo, and iCloud will not sign a BAA on free tiers. Paid Google Workspace and Microsoft 365 are HIPAA-capable, but only after you execute the BAA and lock down configuration (disable third-party app access, turn on audit logging, enforce MFA).

Standard SMS is not compliant. Carriers do not sign BAAs and messages are stored unencrypted on devices and in carrier systems. Use a HIPAA-secure messaging app instead.

Video and collaboration

FaceTime and personal Zoom accounts are out. Zoom for Healthcare, Doxy.me, and Microsoft Teams (with BAA) are in. Slack requires Enterprise Grid before Slack will sign a BAA. Standard Slack workspaces, no matter how well-configured, are not HIPAA-compliant.

HIPAA violations and penalties: what non-compliance costs

In 2024 the HHS Office for Civil Rights closed 22 enforcement actions worth $9.9 million. The same root cause, failure to conduct a proper risk analysis, appeared in 13 of them.

Civil penalty tiers (2026)

  • Tier 1 (lack of knowledge): $145 to $73,011 per violation, up to $2,190,294 per year (the annual cap applies to every tier)
  • Tier 2 (reasonable cause): $1,461 to $73,011 per violation
  • Tier 3 (willful neglect, corrected within 30 days): $14,618 to $73,011 per violation
  • Tier 4 (willful neglect, not corrected): $73,011 to $2,190,294 per violation

Criminal penalties

OCR refers criminal cases to the Department of Justice, which prosecutes them. Knowingly obtaining or disclosing PHI: up to $50,000 and 1 year. Under false pretenses: up to $100,000 and 5 years. With intent to sell, transfer, or use for commercial advantage or malicious harm: up to $250,000 and 10 years.

Recent enforcement cases

  • Warby Parker $1.5M (2025): credential-stuffing attack; eyewear retailer was a covered entity
  • Montefiore Medical Center $4.75M: insider stole 12,000+ records; weak audit controls
  • Enzo Biochem $4.5M (2024, settlement with state attorneys general): ransomware exposure traced to shared credentials and a decade-old password
  • Gulf Coast Pain Consultants $1.19M: terminated contractor retained system access and filed fraudulent Medicare claims
  • Texas dental practice $10,000: owner responded to a Yelp review with patient details

OCR's Right of Access Initiative has produced 54 enforcement actions since 2019, with fines from $3,500 to $160,000 for providers who failed to deliver records on time.

Who enforces HIPAA

The HHS Office for Civil Rights handles civil enforcement. State attorneys general can also bring HIPAA actions (HITECH granted that authority in 2009). The Department of Justice prosecutes criminal cases. The FTC enforces the Health Breach Notification Rule for non-HIPAA health apps such as fitness trackers.

State laws that go beyond HIPAA

HIPAA is the federal floor. A handful of states built taller buildings on top of it, and the state law wins when it is stricter.

  • California CMIA: broader definition of medical information, applies to more types of entities, gives patients a private right of action to sue directly, and requires records to be made available for inspection within 5 working days (copies within 15) versus HIPAA's 30.
  • Texas HB 300: expands "covered entity" to essentially anyone handling PHI in Texas, mandates biennial workforce training within 90 days of hire, and authorizes AG fines up to $1.5 million per year.
  • Washington MHMDA: the broadest U.S. consumer health-privacy law. It covers fitness-tracker data, period-tracking apps, and wellness app information that HIPAA exempts, and it grants a private right of action.

New York's SHIELD Act and Illinois's Genetic Information Privacy Act add layers in their respective states.

When state law is stricter than HIPAA, follow state law. When HIPAA is stricter, HIPAA wins. Map both for every state where you handle PHI.

How to get started with HIPAA compliance: a practical checklist

You cannot "finish" HIPAA compliance. It is an ongoing program. You can stand up a credible one in eight steps.

The 8-step HIPAA starter checklist

  1. Determine your status. Are you a covered entity, a business associate, or neither? The answer drives every other step.
  2. Conduct a Security Risk Analysis (SRA). This is the single most-cited OCR deficiency (13 of 22 in 2024). Inventory every place PHI lives, every system that touches it, and every threat.
  3. Appoint a Privacy Officer and Security Officer. At small organizations, this can be the same person. Name the role in writing.
  4. Write the required policies. Privacy policies, security policies, a breach response plan, a sanction policy, and a device policy. Generic templates are a starting point, not the finish line.
  5. Sign BAAs with every vendor touching PHI. Email provider, cloud storage, fax service (Fax.Plus Enterprise includes a BAA), billing company, IT support, transcription service. No BAA, no PHI.
  6. Train your workforce. Initial training at hire, periodic refreshers, role-specific training for clinical and IT staff. Document attendance.
  7. Implement technical safeguards. Role-based access controls, audit logs, encryption in transit and at rest, MFA on every account that touches PHI.
  8. Build a breach response playbook. Four-factor risk assessment process, 60-day notification timeline, contact list for OCR and state AGs, and a tabletop exercise at least annually.

FAQ

What does HIPAA stand for?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Congress passed it primarily to make health insurance portable between jobs and to fight fraud. The privacy and security regulations everyone thinks of as "HIPAA" came later: the Privacy Rule in 2003, the Security Rule in 2005, the Breach Notification Rule in 2009, and the Omnibus Rule in 2013.

Who enforces HIPAA?

The HHS Office for Civil Rights (OCR) is the primary HIPAA enforcer and handles civil penalties. State attorneys general can also bring HIPAA actions under authority granted by the 2009 HITECH Act. The Department of Justice prosecutes criminal cases. The FTC enforces the parallel Health Breach Notification Rule for consumer health apps that fall outside HIPAA's scope.

What is a HIPAA violation?

A HIPAA violation is any use, disclosure, or handling of PHI that breaches the Privacy Rule, Security Rule, Breach Notification Rule, or Omnibus Rule. Common examples: emailing PHI through a non-BAA service, faxing records to the wrong number, failing to conduct a risk analysis, snooping in a patient chart, or skipping breach notification. Penalties range from $145 to $2,190,294 per year.

Does HIPAA apply to text messages?

Yes, if the SMS contains PHI. Standard SMS is not HIPAA-compliant because mobile carriers do not sign Business Associate Agreements and messages sit unencrypted on phones. Covered entities and business associates that need to text patients must use a HIPAA-secure messaging platform with a BAA, audit logging, encryption, and remote-wipe capabilities. Texting "your appointment is confirmed" without identifiers is generally fine.

Is email HIPAA-compliant?

Email can be HIPAA-compliant, but only with the right setup. Free consumer services (Gmail, Outlook.com, Yahoo, iCloud) do not sign BAAs and do not qualify. Paid Google Workspace and Microsoft 365 will sign a BAA, but you still have to configure encryption, audit logging, MFA, and access controls. A patient can also ask to receive unencrypted email; honor the request only after advising them of the risk, and document both the warning and the request.

Is fax HIPAA-compliant?

Yes, with caveats. Traditional analog fax qualifies under the conduit exception because phone carriers do not inspect content. Cloud fax must come with a signed BAA, encryption in transit and at rest, and audit logging. Fax.Plus Enterprise meets those requirements and adds an audit trail that analog fax cannot. The biggest fax risk is human error: misdialed numbers cause most fax-related breaches.

What's the difference between a covered entity and a business associate?

A covered entity is a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. A business associate is any vendor that handles PHI on a covered entity's behalf, such as a billing company, cloud provider, IT vendor, or fax service. Both are directly liable to OCR. Covered entities must have a signed BAA with every business associate before sharing PHI.
