6.1 What HIPAA Covers
Module 6: HIPAA — Healthcare Privacy in the USA
Introduces HIPAA's Privacy Rule, defines Protected Health Information, identifies Covered Entities and Business Associates, and explains when PHI may be used or disclosed.
If you have ever visited a US doctor's office and been handed a several-page 'Notice of Privacy Practices,' you have already encountered HIPAA — even if you set the document aside unread. For international readers, this module offers an inside look at one of the world's most influential healthcare privacy frameworks.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US Congress in 1996. Its original purpose was to allow workers to carry health insurance between jobs — the 'portability' of the name. Privacy became a central concern only after Congress added the administrative simplification provisions and directed the Department of Health and Human Services (HHS) to issue rules. The HIPAA Privacy Rule, finalised in 2003, established national standards for the protection of individuals' medical records and other personal health information (HHS, 2003).
What is Protected Health Information (PHI)?
PHI is the core concept. It is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity — in any form, whether electronic, paper, or verbal. This includes diagnosis and treatment records, test results, prescription history, insurance information, and even the fact that someone is a patient at a particular facility. The definition is deliberately broad: 18 specific identifiers — including names, dates (other than year), ZIP codes with fewer than 20,000 residents, phone numbers, and Social Security numbers — cause health information to become PHI and trigger HIPAA protections (45 CFR § 164.514).
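As an added illustration (not part of the lesson and not an official HHS tool), the following Python sketch applies the rule of thumb described above to a structured record: direct identifiers are dropped, dates are reduced to the year, and ZIP codes are generalised when the area has fewer than 20,000 residents. The field names, the population lookup and the sample record are constructed assumptions.

```python
"""Safe-Harbor-style de-identification of a structured health record.

Added example for this lesson; field names and population figures are
constructed, not real census data or an official identifier list.
"""
from datetime import date

# Identifier fields from the lesson's list that turn health data into PHI.
DIRECT_IDENTIFIERS = {"name", "phone", "ssn"}
DATE_FIELDS = {"dob", "admission_date"}

# Constructed lookup: 3-digit ZIP prefix -> residents in that area.
ZIP3_POPULATION = {"021": 650_000, "036": 12_000}
SMALL_AREA_THRESHOLD = 20_000


def generalise_zip(zip_code: str) -> str:
    """Keep only the 3-digit prefix; collapse to '000' for small areas."""
    prefix = zip_code[:3]
    if ZIP3_POPULATION.get(prefix, 0) < SMALL_AREA_THRESHOLD:
        return "000"
    return prefix


def deidentify(record: dict) -> dict:
    """Return a copy of `record` with identifying fields removed or reduced."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop direct identifiers entirely
        if key in DATE_FIELDS and isinstance(value, date):
            out[key] = value.year         # dates: retain the year only
        elif key == "zip":
            out[key] = generalise_zip(value)
        else:
            out[key] = value              # clinical content itself is kept
    return out


def residual_identifiers(record: dict) -> set:
    """Identifier fields still present; a non-empty result means PHI."""
    present = {k for k in DIRECT_IDENTIFIERS if k in record}
    present |= {k for k in DATE_FIELDS if isinstance(record.get(k), date)}
    if len(str(record.get("zip", ""))) > 3:   # full ZIP still present
        present.add("zip")
    return present


# Constructed sample record (placeholder values only).
SAMPLE = {"name": "A. Patient", "ssn": "000-00-0000", "dob": date(1980, 5, 17),
          "zip": "03601", "diagnosis": "asthma"}
```

Running `deidentify(SAMPLE)` keeps the diagnosis, the birth year and a generalised ZIP, and `residual_identifiers` on the result comes back empty.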
Who must comply? Covered Entities and Business Associates
HIPAA applies to covered entities: health plans (insurance companies, HMOs, employer-sponsored health plans), healthcare clearinghouses (entities that process health information between providers and payers), and healthcare providers that transmit health information electronically (hospitals, clinics, pharmacies, most individual physicians). Business associates are third parties that perform functions on behalf of a covered entity and receive PHI in doing so — think IT vendors, billing companies, law firms doing claims work, and cloud storage providers. Covered entities must obtain written business associate agreements obligating the associate to protect PHI (45 CFR § 164.308).
Permitted uses and disclosures — with and without authorisation
HIPAA permits certain uses without the patient's explicit authorisation: treatment, payment, and healthcare operations (TPO) form the core permitted category. A doctor sharing records with a specialist, a hospital submitting a claim to an insurer, or a quality-improvement committee reviewing treatment outcomes all fall within TPO. Beyond TPO, disclosures without authorisation are permitted in specific circumstances: public health activities, mandatory reporting of abuse, judicial proceedings, law enforcement under limited conditions, and certain research (with IRB oversight).
For anything outside these categories — including most commercial or marketing uses — a valid written patient authorisation is required.
Your takeaway
HIPAA established a floor of healthcare privacy protection in the US, built around a clearly defined class of sensitive data (PHI), a defined set of actors who must comply, and a framework distinguishing routine care-related sharing from uses that require explicit patient permission. It is the foundation on which patient rights — explored in the next lesson — are built.