eastbaycyber

What Is HIPAA?

Glossary 5 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

HIPAA, short for the Health Insurance Portability and Accountability Act, is a U.S. law that sets rules for protecting certain health information. In security and compliance terms, HIPAA matters because it defines how covered organizations and their partners must handle patient data, especially protected health information (PHI) and electronic protected health information (ePHI).

If you are building a broader compliance or security program, it also helps to understand related topics like what is incident response plan and what is dlp, since both often come up in HIPAA discussions.

HIPAA definition

HIPAA is a legal and regulatory framework, not a product or security tool. It establishes requirements for privacy, security, and breach notification involving health data handled by certain organizations.

At a high level, HIPAA is designed to:

  • Protect patient information
  • Limit inappropriate use and disclosure
  • Require safeguards for sensitive health data
  • Define responsibilities after a breach

Who HIPAA applies to

HIPAA generally applies to two main groups.

Covered entities

Covered entities include organizations such as:

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses

These are the organizations most people think of first when HIPAA is mentioned.

Business associates

Business associates are third parties that create, receive, maintain, or transmit PHI on behalf of a covered entity.

Examples may include:

  • Cloud service providers
  • Billing vendors
  • Managed IT providers
  • Software platforms
  • Data hosting providers
  • Security service providers

This is important because HIPAA often reaches beyond hospitals and clinics. A vendor supporting a healthcare customer may also take on HIPAA obligations depending on its role and the data it handles.

What HIPAA protects

HIPAA focuses on PHI, which means individually identifiable health information held or transmitted by a covered entity or business associate.

In practical terms, PHI may include:

  • Patient names linked to care records
  • Treatment information
  • Billing details
  • Insurance data
  • Test results
  • Appointment records
  • Other information connecting identity to health status or care

When that information is handled electronically, it is often referred to as ePHI.

Main HIPAA rules

In most security and IT conversations, three HIPAA components matter most.

Privacy Rule

The Privacy Rule governs how PHI may be used and disclosed. It focuses on patient rights and on when organizations can access, share, or process health information.

Security Rule

The Security Rule is the part most security teams work with directly. It requires covered entities and business associates to protect ePHI using administrative, physical, and technical safeguards.

Examples include:

  • Access controls
  • Audit logging
  • Workforce training
  • Risk analysis
  • Device and media controls
  • Authentication and authorization
  • Transmission security

HIPAA does not require one exact technology stack. Instead, it expects organizations to assess risk and implement safeguards that are reasonable and appropriate for their environment.

Breach Notification Rule

The Breach Notification Rule defines when affected individuals, regulators, and sometimes the media must be notified after a breach involving unsecured PHI.

For security teams, this makes incident classification, investigation quality, documentation, and communication timing especially important.

How HIPAA works in practice

HIPAA compliance is usually a mix of governance, process, and technical controls rather than a single checkbox.

In practice, organizations often need to:

  • Identify where PHI and ePHI exist
  • Limit access to authorized users
  • Log and monitor access to sensitive systems
  • Conduct periodic risk assessments
  • Train staff on privacy and security obligations
  • Manage vendors through contracts and oversight
  • Prepare for incident response and breach notification
  • Review safeguards regularly as systems change

A password manager like 1Password can help support stronger credential hygiene for staff handling sensitive systems, and endpoint protection such as Malwarebytes may help reduce common malware-related risk on devices that access regulated data.

What HIPAA does not mean

A common mistake is assuming HIPAA compliance automatically means strong security. It does not.

HIPAA compliance does not guarantee that:

  • Systems are well configured
  • Attackers cannot access the environment
  • Users are following least privilege
  • Detection and response are mature
  • Data loss is impossible

An organization can have HIPAA policies and still be vulnerable if controls are weak, poorly implemented, or not maintained.

When you will encounter HIPAA

You are most likely to encounter HIPAA in environments that store, transmit, or process regulated health information.

Healthcare and insurance operations

Hospitals, clinics, dental offices, insurers, and healthcare administrators deal with HIPAA regularly in security, legal, IT, and compliance work.

Vendor assessments

If your company provides software, hosting, cloud services, IT support, or cybersecurity services to healthcare customers, HIPAA may appear in questionnaires, contract reviews, and due diligence.

Security incidents

HIPAA becomes especially visible during a breach or suspected exposure involving PHI. Teams must assess what data was affected, whether it was secured, and whether notification requirements apply.

Access control and monitoring projects

Security and IT teams often encounter HIPAA when designing role-based access, audit trails, logging, retention practices, and privileged access controls for systems containing health information.

Compliance programs and audits

Organizations entering healthcare markets or maturing their governance programs often encounter HIPAA as a major legal and operational requirement.

Common security controls linked to HIPAA

While HIPAA is broader than technology, several technical controls commonly support HIPAA-aligned programs.

Access control

Users should have access only to the systems and information necessary for their role.

Audit logging

Organizations need enough visibility to review access, investigate incidents, and support compliance reviews.

Encryption

Encryption helps protect PHI in transit and, depending on the environment, at rest as well.

Endpoint security

Devices that access regulated data need protection against malware, unauthorized software, and compromise.

Data handling controls

DLP, classification, and controlled sharing practices can help reduce accidental or improper exposure of sensitive information.

Bottom line

HIPAA is the U.S. regulatory framework that governs how certain healthcare organizations and their partners protect patient information. For security teams, HIPAA matters because it connects privacy obligations to real operational controls around access, monitoring, risk management, vendor oversight, and breach response.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.