A hospital receptionist in Texas emails a patient's lab results to the wrong address. Within 48 hours, that patient's HIV status is circulating through a small town. The hospital ends up paying $4.3 million to settle with the Office for Civil Rights. That's HIPAA in action — or more accurately, that's what happens when HIPAA fails.
If you've ever typed "what's the HIPAA law" into a search bar, you're probably looking for something more useful than a Wikipedia summary. You want to know what this law actually requires, who it applies to, and what happens when someone violates it. I've spent years helping organizations navigate this, and I'm going to give you the version I wish someone had given me when I started.
What's the HIPAA Law in 60 Seconds
HIPAA stands for the Health Insurance Portability and Accountability Act. Congress passed it in 1996. At its core, HIPAA does two things: it protects the privacy and security of your health information, and it sets national standards for how healthcare organizations handle that information electronically.
The law applies to covered entities — health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically. It also applies to their business associates, which are vendors and contractors who touch protected health information (PHI) on their behalf.
That's the elevator pitch. Now let's get into what actually matters.
The Four Rules That Make Up HIPAA
People talk about "HIPAA" like it's a single rule. It's not. The law created a framework, and the Department of Health and Human Services (HHS) fleshed it out through four major rules over the years.
The Privacy Rule
Finalized in 2003, the Privacy Rule establishes who can access PHI and under what conditions. It gives patients rights — the right to see their records, request corrections, and know who's been accessing their information. It also limits how covered entities use and disclose PHI without patient authorization.
I've seen organizations trip over the Privacy Rule more than any other. The mistake is almost always the same: staff sharing PHI casually because they didn't realize the rules applied to that specific situation.
The Security Rule
The Security Rule focuses specifically on electronic PHI (ePHI). It requires covered entities to implement administrative, physical, and technical safeguards. Think access controls, encryption, audit logs, and contingency plans.
This rule is intentionally flexible. HHS didn't mandate specific technologies. Instead, it requires you to assess your own risks and implement "reasonable and appropriate" protections. That flexibility is a gift and a trap — because "we thought it was reasonable" doesn't hold up well in an OCR investigation.
The Breach Notification Rule
When a breach of unsecured PHI occurs, the Breach Notification Rule dictates what happens next. Covered entities must notify affected individuals, HHS, and in some cases, the media. The timelines are strict: individual notifications within 60 days of discovery, and annual reporting to HHS for breaches affecting fewer than 500 people.
If your organization doesn't have a documented incident response plan, you're already behind. Our First 60 Minutes: Incident Response training walks through exactly what your team should do the moment a breach is discovered.
The Enforcement Rule
This rule gives OCR its teeth. It outlines investigation procedures, penalty tiers, and hearing processes. Penalties range from $100 per violation for unknowing infractions up to $50,000 per violation for willful neglect — with annual maximums reaching $1.5 million per violation category.
Who Actually Has to Follow HIPAA?
This is where confusion runs rampant. Your gym tracking your heart rate on a wearable? Not covered by HIPAA. Your employer asking for a doctor's note? Probably not HIPAA either — at least not for the employer.
HIPAA applies to three types of covered entities:
- Healthcare providers who conduct electronic transactions (billing, claims, eligibility checks)
- Health plans — insurance companies, HMOs, employer-sponsored plans, Medicare, Medicaid
- Healthcare clearinghouses that process nonstandard health information into standard formats
It also applies to business associates — any person or company that performs functions involving PHI on behalf of a covered entity. That includes your IT vendor, your billing company, your shredding service, even your cloud storage provider.
If you're unsure where your organization falls, starting with foundational knowledge helps. The HIPAA Introduction Training 2026 course covers entity classification, rule structure, and core obligations in a format designed for busy professionals.
The $16 Million Wake-Up Call
Want to know how seriously OCR takes enforcement? In 2018, Anthem Inc. paid $16 million to settle HIPAA violations following a massive data breach that exposed the ePHI of nearly 79 million people. The investigation revealed that Anthem had failed to conduct an enterprise-wide risk analysis — one of the most basic Security Rule requirements.
That wasn't an isolated case. In 2023, Banner Health paid $1.25 million after a 2016 breach that affected nearly 3 million individuals. OCR found insufficient monitoring of its health information systems and a lack of proper access controls.
These aren't theoretical risks. OCR publishes every resolution agreement on its enforcement page. I recommend bookmarking it. Reading real cases is the fastest way to understand what compliance failures actually look like.
What PHI Actually Means (and Why It's Broader Than You Think)
Protected health information isn't just medical records. PHI is any individually identifiable health information held or transmitted by a covered entity or business associate. That includes:
- Names, addresses, dates of birth, Social Security numbers
- Medical record numbers and health plan beneficiary numbers
- Diagnoses, treatment plans, lab results
- Billing records and payment histories
- Even IP addresses and device identifiers if linked to health data
The "individually identifiable" part is key. If you strip all 18 identifiers defined under the Privacy Rule, the data is considered de-identified and no longer subject to HIPAA. But de-identification is harder than most people assume, and getting it wrong creates liability.
What HIPAA Doesn't Do
Here's where I see the most misunderstanding. HIPAA does not:
- Prevent a doctor from sharing your information with another doctor for treatment purposes
- Apply to most health and fitness apps (unless they're provided by a covered entity)
- Give you a private right to sue — you can't file a HIPAA lawsuit as a patient
- Override state laws that provide stronger privacy protections
That last point matters a lot. Texas, for example, has HB 300 — the Texas Medical Records Privacy Act — which imposes stricter requirements and harsher penalties than HIPAA in several areas. If your organization operates in Texas, you need to comply with both. Our Texas Medical Records Privacy Act (HB 300) Training covers the differences and overlaps in detail.
Workforce Training: The Requirement Everyone Underestimates
HIPAA's Privacy Rule at 45 CFR § 164.530(b) requires covered entities to train all workforce members on policies and procedures related to PHI. The Security Rule adds requirements for security awareness training. "Workforce" isn't limited to employees — it includes volunteers, trainees, and anyone under the direct control of the covered entity.
I've seen organizations with brilliant technical safeguards get hit with penalties because a single untrained employee made a mistake. Technology can't fix a knowledge gap. Ongoing, documented training is the most cost-effective risk reduction measure you have.
Where to Start If You're New to All This
If you're asking "what's the HIPAA law" for the first time — or if you're revisiting it because your organization is growing — here's my practical advice:
- Conduct a risk analysis. Not optional. Not aspirational. Required. Document it thoroughly.
- Map your PHI. Know where it lives, who touches it, and how it moves through your organization.
- Train your workforce. Everyone. Annually. With documentation that proves it happened.
- Get your business associate agreements in writing. Every vendor, every contractor, no exceptions.
- Build an incident response plan. Test it before you need it.
HIPAA isn't a one-time project. It's an ongoing program. The organizations that avoid seven-figure penalties aren't the ones with the biggest budgets — they're the ones that treat compliance as a daily practice rather than an annual checkbox.
Start with the fundamentals, build your documentation, train your people, and revisit everything when something changes. That's how you stay on the right side of this law.