What Does HIPAA Require: Rules, Rights & Safeguards

HIPAA requires healthcare organizations and their partners to protect the privacy and security of patient health information, give patients specific rights over their records, and report data breaches within strict timelines. The law applies through several interconnected rules, each with its own set of obligations. Here’s what those rules actually demand in practice.

Who Has to Follow HIPAA

HIPAA doesn’t apply to every organization that handles health-related data. It covers three types of entities: healthcare providers (doctors, clinics, pharmacies, nursing homes, dentists, psychologists) who transmit information electronically, health plans (insurance companies, HMOs, employer-sponsored plans, Medicare, Medicaid, and military health programs), and healthcare clearinghouses that convert health data between standard and nonstandard formats.

Beyond these “covered entities,” any outside company or contractor they hire to handle patient data is considered a business associate. Think billing services, cloud storage providers, IT consultants, or law firms that access patient records. Covered entities must have a written contract with each business associate spelling out exactly how that partner will protect health information. Business associates are also directly liable for following certain parts of the law, not just contractually bound.

If an organization doesn’t fall into one of these categories, HIPAA simply doesn’t apply to it. This is why fitness apps, most employers (outside their role as health plan sponsors), and many health-adjacent tech companies operate outside HIPAA’s reach.

Protecting Patient Privacy

The Privacy Rule governs how protected health information (PHI) can be used and shared. At its core sits the “minimum necessary” standard: covered entities must take reasonable steps to limit any use or disclosure of health information to the smallest amount needed to get the job done. If a billing department only needs a diagnosis code and a patient ID, it shouldn’t have access to the full medical record.

Organizations are required to create policies identifying which employees or roles need access to which categories of information. For routine, recurring disclosures, standard protocols can be set up in advance. For unusual one-off requests, each disclosure must be individually reviewed against criteria the organization has established.

There are important exceptions to the minimum necessary standard. It does not apply when a provider shares information for treatment purposes, when a patient requests their own records, when the patient has signed an authorization, or when disclosure is required by another law. It also doesn’t apply to disclosures required by HHS for enforcement purposes.

What Patients Have the Right to Do

HIPAA gives patients concrete rights over their health information. The most frequently used is the right of access: you can request a copy of your medical records, and the covered entity must respond within 30 calendar days. If the organization can’t meet that deadline, it can take an additional 30 days, but only if it notifies you in writing during the first 30 days explaining the reason for the delay and the expected completion date.

Patients also have the right to request corrections to their records, ask for restrictions on how their information is used or shared, receive an accounting of certain disclosures, and request confidential communications (for example, asking that appointment reminders be sent to a specific phone number rather than a shared one). Every covered entity must provide a Notice of Privacy Practices explaining how it uses patient information and what rights patients have.

Security Safeguards for Electronic Records

The Security Rule focuses specifically on electronic protected health information (ePHI) and requires three categories of safeguards: administrative, physical, and technical.

Administrative Safeguards

These are the policies, people, and processes behind the scenes. Every covered entity must conduct a risk assessment to identify vulnerabilities in how it handles electronic health data, then implement measures to reduce those risks to a reasonable level. A designated security official must be responsible for developing and carrying out security policies. The organization needs workforce security policies ensuring employees only access data appropriate for their role, incident response procedures for handling security events, and a contingency plan covering data backups, disaster recovery, and emergency operations.

Workforce training is also required. Every person who might encounter PHI, including employees, volunteers, students, and contractors, must receive privacy and security training. New hires should be trained before being placed in a position where they could access patient data. While the law doesn’t mandate a fixed number of training hours or require annual refreshers by statute, retraining is required whenever organizational policies or HIPAA regulations change significantly. Most compliance experts recommend annual training as a baseline.

Physical Safeguards

Organizations must control who can physically enter facilities that house electronic health data. This includes policies for workstation use and security, so that screens displaying patient information aren’t visible to unauthorized people. It also covers device and media controls: rules for receiving, moving, and disposing of hard drives, laptops, USB drives, and other hardware that may contain ePHI, including wiping data before any media is reused or discarded.

Technical Safeguards

On the technology side, covered entities must implement access controls so only authorized users can reach ePHI, audit controls that log and allow review of system activity, integrity measures that detect whether data has been improperly altered or destroyed, authentication procedures that verify users are who they claim to be, and transmission security to protect data sent over networks.
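To make the minimum-necessary standard and three of the technical safeguards concrete, here is an added Python example (not code from the page, from HHS, or from any regulation). It filters a patient record down to the fields a caller's role needs, writes an audit entry for every attempt, and checks an HMAC tag so that a record altered in storage is refused rather than served. The role names, field names, sample record and key are constructed assumptions for the demo; authentication of the caller and transport encryption are out of scope and assumed to happen before `read` is called.

```python
# Added example: minimum-necessary field filtering over a patient record,
# with an audit trail and an integrity check. Roles, fields, the sample
# record and the HMAC key are constructed assumptions, not regulatory text.
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role-to-field policy (constructed). None means the full record, which
# mirrors the treatment exception to the minimum-necessary standard.
ROLE_FIELDS = {
    "billing": {"patient_id", "diagnosis_code"},
    "scheduling": {"patient_id", "contact_phone"},
    "treatment": None,
}

# Constructed key for the demo; a real deployment would hold it in a KMS/HSM.
INTEGRITY_KEY = b"constructed-demo-key"


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


def seal(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding; detects altered fields."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify(record: dict, tag: str) -> bool:
    return hmac.compare_digest(seal(record), tag)


@dataclass
class PhiStore:
    records: dict = field(default_factory=dict)   # patient_id -> (record, tag)
    audit_log: list = field(default_factory=list)

    def put(self, record: dict) -> None:
        self.records[record["patient_id"]] = (record, seal(record))

    def _audit(self, entry: dict, outcome: str) -> None:
        entry["outcome"] = outcome
        self.audit_log.append(entry)

    def read(self, user: str, role: str, patient_id: str) -> dict:
        """Return only the fields the caller's role needs; log every attempt."""
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient_id": patient_id,
        }
        if role not in ROLE_FIELDS:
            self._audit(entry, "denied")
            raise AccessDenied(f"role {role!r} has no PHI entitlement")
        if patient_id not in self.records:
            self._audit(entry, "not_found")
            raise KeyError(patient_id)
        record, tag = self.records[patient_id]
        if not verify(record, tag):
            self._audit(entry, "integrity_failure")
            raise IntegrityError(f"record {patient_id} failed integrity check")
        allowed = ROLE_FIELDS[role]
        view = dict(record) if allowed is None else {
            k: v for k, v in record.items() if k in allowed
        }
        entry["fields"] = sorted(view)
        self._audit(entry, "ok")
        return view


def sample_store() -> PhiStore:
    """Constructed sample record; not real patient data."""
    store = PhiStore()
    store.put({
        "patient_id": "P-0001",
        "name": "Example Patient",
        "contact_phone": "555-0100",
        "diagnosis_code": "J06.9",
        "notes": "Constructed free-text clinical note.",
    })
    return store


if __name__ == "__main__":
    s = sample_store()
    print(s.read("alice", "billing", "P-0001"))      # two fields only
    print(s.read("dr.bob", "treatment", "P-0001"))   # full record
    for line in s.audit_log:
        print(json.dumps(line))
```

The policy table is deliberately the only place that decides which fields a role sees, which is what the Privacy Rule's written role-to-information policies amount to in code; the audit entries record who asked, what they got, and why a request failed, which is the raw material a later accounting of disclosures or an incident review needs.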

The Security Rule is designed to be flexible. It doesn’t prescribe specific technologies. A small rural clinic and a large hospital system will implement these safeguards very differently, but both must address every requirement and document their decisions.

Breach Notification Requirements

When a breach of unsecured PHI occurs, HIPAA imposes firm notification deadlines. Covered entities must notify affected individuals no later than 60 days after discovering the breach. If 500 or more people are affected, the organization must also notify HHS and prominent media outlets in the state or region within that same 60-day window. HHS publishes these large breaches on its public “Wall of Shame” portal.

For smaller breaches affecting fewer than 500 individuals, organizations can batch their reports and submit them to HHS annually, no later than 60 days after the end of the calendar year in which they were discovered. Business associates that experience a breach must notify the covered entity within 60 days of discovery so the covered entity can then handle individual and regulatory notifications.

The notification to affected individuals must include a description of what happened, the types of information involved, steps they should take to protect themselves, what the organization is doing in response, and contact information for follow-up questions.

Penalties for Noncompliance

HIPAA violations carry a tiered penalty structure based on the level of negligence involved. Civil penalties range from $100 per violation for cases where the entity didn’t know and couldn’t reasonably have known about the violation, up to $50,000 or more per violation for willful neglect. Annual caps can reach into the millions. Criminal penalties, enforced by the Department of Justice, can include fines up to $250,000 and imprisonment for up to 10 years in cases involving intent to sell or misuse health information.

HHS’s Office for Civil Rights investigates complaints and conducts compliance reviews. Many enforcement actions result in settlement agreements that include corrective action plans, which often require years of monitoring and organizational changes on top of the financial penalty.

The Reproductive Health Care Rule

In April 2024, HHS finalized a rule adding protections for reproductive health care information. The rule prohibits covered entities and business associates from disclosing PHI to support criminal, civil, or administrative investigations into someone for seeking, obtaining, providing, or facilitating lawful reproductive health care. It also bars disclosing PHI to identify a person for the purpose of such an investigation.

However, in June 2025, a federal court in Texas vacated most of this rule. Some modifications to the Notice of Privacy Practices requirements survived and remain in effect, with a compliance deadline of February 16, 2026, but the core prohibitions on disclosure were struck down. The legal landscape here is still in flux.