In 2023 alone, the HHS Office for Civil Rights (OCR) announced a string of settlements and civil monetary penalties, many against organizations that fundamentally misunderstood what HIPAA requires of them. If your workforce cannot clearly articulate what HIPAA does and what it obligates them to do, your organization is already operating at risk. The law does far more than protect patient privacy. It establishes an entire regulatory framework that governs how protected health information (PHI) is created, stored, transmitted, and disclosed across the healthcare ecosystem.

What Is the Function of HIPAA in Today's Healthcare Environment?

HIPAA — the Health Insurance Portability and Accountability Act of 1996 — was originally designed to solve two problems: ensuring health insurance portability for workers changing jobs, and reducing healthcare fraud. Over time, its function has expanded dramatically through subsequent rulemaking.

Today, the core function of HIPAA is to establish national standards that protect individuals' medical records and personal health information. It accomplishes this through four interlocking regulatory components:

  • The Privacy Rule (45 CFR Part 164, Subpart E) — Sets standards for who may access and disclose PHI, establishes patients' rights over their health information, and requires every covered entity to distribute a Notice of Privacy Practices.
  • The Security Rule (45 CFR Part 164, Subpart C) — Requires administrative, physical, and technical safeguards specifically for electronic PHI (ePHI), including access controls, audit logging, and encryption. Note that encryption of ePHI is an "addressable" implementation specification: an entity that does not implement it must document why and what equivalent measure it uses instead, and unencrypted data lost in a breach is treated as "unsecured" PHI for notification purposes.
  • The Breach Notification Rule (45 CFR Part 164, Subpart D) — Mandates that covered entities and business associates notify affected individuals, HHS, and in some cases the media, following an unauthorized disclosure of unsecured PHI.
  • The Enforcement Rule (45 CFR Part 160, Subparts C through E) — Gives OCR the authority to investigate complaints, conduct compliance reviews, and impose civil monetary penalties tiered by level of culpability, from roughly $100 per violation at the lowest tier up to an inflation-adjusted annual cap of about $2 million for all violations of an identical provision in a calendar year.

Together, these rules create a comprehensive system that balances the flow of health information needed for quality care with the privacy protections patients expect and deserve.

How HIPAA Functions to Protect PHI Across Organizations

One of the most misunderstood aspects of HIPAA is its reach. The law doesn't just apply to hospitals and doctors' offices. It applies to every covered entity — health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically — and to every business associate that handles PHI on their behalf.

In my work with covered entities, I consistently see organizations that assume HIPAA compliance is a one-time checkbox exercise. It isn't. HIPAA functions as an ongoing regulatory obligation that requires continuous action:

  • Risk analysis: The Security Rule requires your organization to conduct a thorough and accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. OCR has cited failure to perform an adequate risk analysis as the single most common finding in enforcement actions.
  • Minimum necessary standard: The Privacy Rule mandates that when your workforce uses or discloses PHI, the information shared must be limited to the minimum necessary to accomplish the intended purpose. This requires documented role-based access policies — not just good intentions.
  • Business associate agreements: Every vendor, contractor, or subcontractor that creates, receives, maintains, or transmits PHI on your behalf must have a signed business associate agreement in place before they touch any patient data.

The Workforce Training Requirement Most Organizations Underestimate

HIPAA's function extends beyond technical controls and policy documents. Under 45 CFR § 164.530(b), covered entities must train all workforce members on the privacy policies and procedures necessary for them to carry out their job functions as they relate to PHI, and the Security Rule separately requires a security awareness and training program under § 164.308(a)(5). The Omnibus Rule of 2013 made business associates directly liable for Security Rule compliance, so they carry the same training obligation for the ePHI they handle.

OCR has made clear through settlement agreements — including the $4.8 million settlement with New York-Presbyterian Hospital and Columbia University in 2014 — that inadequate workforce training is not a defensible position. When your staff doesn't understand how HIPAA functions in their daily workflows, breaches happen.

Effective training isn't a generic annual video. It must be role-specific, documented, and updated when regulations or your organization's practices change. If your organization needs a structured approach, HIPAA training and certification programs can provide the foundational and advanced education your workforce requires to meet these regulatory expectations.

HIPAA's Role in Patient Rights and Organizational Accountability

Beyond safeguarding data, a critical function of HIPAA is empowering patients with rights over their own health information. Under the Privacy Rule, individuals have the right to:

  • Access and obtain a copy of their medical records
  • Request corrections to inaccurate information
  • Receive an accounting of disclosures made by the covered entity
  • Request restrictions on certain uses and disclosures of their PHI
  • File a complaint with OCR if they believe their rights have been violated

These rights are not optional courtesies. They are enforceable legal requirements. OCR's Right of Access Initiative, launched in 2019, has resulted in more than 45 enforcement actions against providers who failed to provide patients timely access to their records — with penalties ranging from $3,500 to $240,000.

Your organization's Notice of Privacy Practices must clearly explain these rights. More importantly, your frontline staff must know how to honor access requests within the 30 calendar days the rule allows (a single 30-day extension is permitted only if the individual is given written notice of the reason for the delay and the expected completion date).

Building a Compliance Program That Reflects HIPAA's Full Function

Understanding HIPAA's function means recognizing that compliance isn't housed in a single department. It's an organization-wide responsibility that touches IT, human resources, legal, clinical operations, and executive leadership.

A compliant program requires:

  • A designated Privacy Officer and Security Officer (which can be the same person in smaller organizations)
  • Written policies and procedures that are regularly reviewed and updated
  • An ongoing risk analysis and risk management process — not a one-time audit
  • Documented workforce training with evidence of completion
  • Incident response and breach notification procedures that can be activated immediately

If your organization is building or strengthening its compliance infrastructure, HIPAA Certify's workforce compliance platform provides the tools and training to operationalize these requirements across your entire team.

The Cost of Misunderstanding HIPAA's Function

OCR enforcement data tells a consistent story: organizations that treat HIPAA as a vague privacy guideline rather than a structured regulatory framework pay the price. Between 2003 and 2024, OCR collected more than $137 million through settlements and civil monetary penalties. The vast majority of these cases involved failures in basic compliance obligations — risk analysis, workforce training, access controls, and business associate oversight.

A HIPAA violation doesn't just carry financial consequences. It damages patient trust, can trigger state attorney general investigations (state AGs have had authority to enforce HIPAA since the HITECH Act of 2009), and in serious cases can contribute to exclusion from federal healthcare programs. Understanding the full function of HIPAA and embedding it into your organization's operations isn't just good compliance — it's the foundation of sustainable healthcare practice.