Glossary · Frameworks & standards
What is HIPAA?
Also known as: Health Insurance Portability and Accountability Act, HIPAA compliance
HIPAA is the US federal law that sets national standards for protecting individuals' health information. Enforced by the HHS Office for Civil Rights, it governs how covered entities and their business associates safeguard protected health information (PHI) through its Privacy, Security, and Breach Notification Rules. Compliance is mandatory for organizations handling US health data.
Key takeaways
- HIPAA is US law, not a certification - there is no official HIPAA certificate.
- It protects protected health information (PHI) held by covered entities and business associates.
- Core rules: Privacy Rule, Security Rule, and Breach Notification Rule.
- The Security Rule requires administrative, physical, and technical safeguards.
- Enforced by the HHS Office for Civil Rights, with penalties for violations.
Who and what does HIPAA cover?
HIPAA applies to covered entities - health plans, healthcare clearinghouses, and most healthcare providers - and to business associates, the vendors that handle protected health information on their behalf. PHI is individually identifiable health information in any form, including the electronic form known as ePHI.
Any technology company that stores, processes, or transmits PHI for a covered entity is typically a business associate and must sign a Business Associate Agreement (BAA) committing it to HIPAA's requirements.
The core HIPAA rules
- Privacy Rule - governs how PHI may be used and disclosed and gives patients rights over their data.
- Security Rule - requires administrative, physical, and technical safeguards for ePHI.
- Breach Notification Rule - mandates notifying affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- Enforcement Rule - sets out investigations and penalties.
The Security Rule is risk-based rather than prescriptive. Organizations conduct a risk assessment, then implement safeguards such as access controls, audit logging, encryption, and workforce training proportionate to the risks they identify.
How do you achieve and prove HIPAA compliance?
Because HIPAA has no official certification, organizations demonstrate compliance through documented policies, a current risk analysis and risk-management plan, signed BAAs, workforce training, and evidence that technical safeguards operate. Many also pursue third-party attestations like HITRUST or SOC 2 to give customers external assurance.
CATAAM maps HIPAA Security Rule safeguards to continuous control monitoring and internal attack surface management, so the technical safeguards protecting ePHI are continuously verified rather than documented once a year.
Frequently asked questions
- Is there an official HIPAA certification?
- No. HHS does not certify HIPAA compliance. Vendors that claim to be HIPAA certified are referring to a third-party assessment, not an official government credential.
- What is a Business Associate Agreement?
- A BAA is a contract between a covered entity and a vendor that handles PHI. It binds the vendor to HIPAA safeguards and defines responsibilities, including breach notification.
- What is the difference between HIPAA and HITRUST?
- HIPAA is the legal requirement; HITRUST is a certifiable framework that organizations use to demonstrate, and get assessed against, controls that help meet HIPAA and other requirements.
- Does HIPAA require encryption?
- Encryption is an addressable specification under the Security Rule, meaning you must implement it where reasonable or document an equivalent alternative. In practice most organizations encrypt ePHI at rest and in transit.