What Is the HIPAA Law and Privacy Rule?

A doctor gives greets a child patient and the patient's mother.

The Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Privacy Rule set the standard for protecting sensitive patient data. They do this by creating the standards for the electronic exchange, privacy, and security of patient medical information by those in the health care field.

Key Takeaways

  • The HIPAA Privacy Rule sets standards for how the health care industry must protect patient data.
  • Most providers that use, store, maintain, or transmit patient health care data must comply with HIPAA rules.
  • Protected health information (PHI) and individually identifiable health information are types of protected data that can't be shared without your say-so.
  • There are a few cases in which some health entities do not have to follow HIPAA law.

Definition and Example of the HIPAA Law and Privacy Rule

The HIPAA Law and Privacy Rule created national standards for preserving medical information privacy. It was designed to protect patient confidentiality. It allows for medically necessary data to be shared but still respects your right to privacy.

For example, while you can sign a paper to have specific medical information released to other entities, your information can't be released without your express written consent. Most health care providers and health insurers are required to comply with the privacy rules of the HIPAA law. This includes protecting any personal health information (PHI) and individually identifiable health information.


HIPAA isn't the only law that protects patient confidentiality and health records. As a federal law, HIPAA is the baseline standard. Each state may add to it with its own standards.

How the HIPAA Law and Privacy Rule Works

HIPAA Privacy and Security Rules have been in place to protect your private health care data since 1996. As technology has changed and information has become easier to access, there have been many changes to the original compact. All of these regulations have been put in place to help keep your private details secure.

With so much information changing hands between doctors, health insurers, and other parties in the field of health care, the HIPAA law is focused on making things simple. It streamlines the health care system and ensures secure data. The law also aims to reduce health care fraud and improve data systems.

Some health care providers have taken steps to secure data. For instance, they may control access to offices that contain medical files by using key card systems. They may also limit employee access to only the minimum amount of health care data needed to perform a task. Many medical groups and insurers also use special services to secure electronic transactions.

Here's one example of the HIPAA law in action: When a patient visits the doctor, they are usually asked to sign a privacy form, which is a HIPAA notice. The notice explains that the patient's authorization is needed before their health information is shared. This applies even when the doctor is speaking with a spouse or other close family member.

HIPAA's privacy laws do provide some exceptions. In some cases, your doctor or insurer may not have to follow the rules exactly. This might be the case, for instance, if a patient is unable to make their own decisions, or when there is a serious threat to health or safety.


De-identified health information cannot be tied back to a single person. It has been stripped of all identifying details. As such, this data provides no risk. There are no HIPAA restrictions on de-identified health information.

Types of HIPAA Privacy Rules

Under the HIPAA law, there are four rules that health care providers must follow:

  • HIPAA Privacy Rule: Protects the type of data that is communicated
  • HIPAA Security Rule: Protects the security of databases
  • HIPAA Enforcement Rule: Explains how to enforce the rule and about hearings and penalties
  • HIPAA Breach Notification Rule: Requires health care providers to notify people when there has been a breach of protected health data

The HIPAA Security Rule explains how health care providers must comply with rules that keep your data secure. It gives standards for how to secure data and describes what physical and technical safeguards should be used. These guidelines ensure that your data is kept private and safe.

What Do the HIPAA Law and Privacy Rules Cover?

HIPAA guards your protected health information, or "PHI," which includes any data that may be transmitted or kept that contains individually identifiable health information.

Individually identifiable health information is data that can be used to identify the patient. For instance, it can mean details such as name, address, date of birth, or Social Security number. It also includes any data related to the patient's physical or mental health, health care that has been provided, or payment details. Under the HIPAA Privacy Rule, this data is protected.


If your health insurance is from a small, self-administered health organization, they may not have to comply with the HIPAA regulations. Check with them to see whether they will comply. If not, ask what steps are they taking on their own to ensure your privacy.

Who Do the HIPAA Law and Privacy Rules Apply to?

Health plans, health care clearinghouses, health care providers who transmit health information, and other health care entities have standards that they must abide by. But there are also companies that do not have to follow these rules. Here are some examples:

  • Direct-to-consumer (DTC) genetic testing companies
  • Mobile apps used for health and fitness purposes
  • Alternative medicine practitioners
  • State agencies, such as child protective services
  • Law enforcement agencies
  • Life insurance companies
  • Schools
  • Your employer
Was this page helpful?
The Balance uses only high-quality sources, including peer-reviewed studies, to support the facts within our articles. Read our editorial process to learn more about how we fact-check and keep our content accurate, reliable, and trustworthy.
  1. U.S. Department of Health & Human Services. "Notice of Privacy Practices." Accessed Dec. 19, 2021.

Related Articles