The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law specific to medical data. Signed August 21, 1996, it governs how patient health information must be stored, transmitted, and disclosed by covered entities — health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically — and their business associates (cloud providers, billing services, analytics vendors, anyone handling PHI on a covered entity’s behalf). A formal Business Associate Agreement (BAA) must be in place before a covered entity shares PHI with one.

The data HIPAA protects is Protected Health Information (PHI): any individually identifiable information about a patient’s past, present, or future health condition, the care they received, or payment for that care. A patient’s ECG recording, MRI scan, prescription history, billing record, or even just the fact that they had an appointment on a particular date: all of these are PHI when they can be linked to the individual. HIPAA offers two ways to de-identify data. The Safe Harbor method enumerates 18 categories of identifiers (names, geographic subdivisions smaller than a state, all date elements more specific than the year, ages over 89, phone and fax numbers, email addresses, SSNs, medical record numbers, account and license numbers, device serials, URLs and IP addresses, biometrics, full-face photos, and any other unique identifying number or code) that must all be removed, and the covered entity must have no actual knowledge that what remains could identify the individual. The alternative, Expert Determination, has a qualified expert document that the re-identification risk is very small. Data that meets either standard is no longer PHI and falls outside the Privacy Rule.
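As an added example (not code from the original page), here is the Safe Harbor treatment from the paragraph above applied to a flat patient record in Python. It encodes the generalization rules of 45 CFR 164.514(b)(2) that the page only summarizes: dates reduced to the year, ages of 90 and over collapsed into one bucket (with the birth year dropped along with them, since it would reveal the age), ZIP codes cut to three digits with low-population areas set to 000, and a regex sweep over free text for identifier-shaped strings. The field names, the restricted-ZIP subset, and the sample records are constructed assumptions for illustration.

```python
import re
from datetime import date

# Fields dropped outright. The column names are assumed for this flat
# record layout; map your own schema onto the Safe Harbor categories.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
}
# Date fields reduced to the year (assumed names).
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Three-digit ZIP areas with 20,000 or fewer residents must become 000.
# Illustrative subset; the authoritative list is derived from Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790"}
AGE_CAP = 90  # ages over 89 collapse into a single "90+" bucket

# Identifiers that commonly leak through free-text fields. Applied in
# order; regexes are a heuristic, not a guarantee of de-identification.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def generalize_zip(zip_code):
    """First three digits of a ZIP, or 000 for a restricted area."""
    digits = re.sub(r"\D", "", str(zip_code or ""))
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, today):
    """Whole years between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, today):
    """Return a Safe Harbor copy of a flat patient record."""
    dob = record.get("dob")
    age = age_on(dob, today) if dob else record.get("age")
    capped = age is not None and age >= AGE_CAP
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "age":
            continue  # age is recomputed and bucketed below
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # Year only, and not even that when the birth year alone
            # would reveal an age over 89.
            if not (key == "dob" and capped):
                out[f"{key}_year"] = value.year
        elif key == "notes":
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = f"{AGE_CAP}+" if capped else str(age)
    return out


# Constructed sample records, not real patient data.
SAMPLE = {
    "name": "Jane Q. Example",
    "mrn": "MRN-00012345",
    "ssn": "123-45-6789",
    "dob": date(1931, 7, 4),
    "zip": "02139",
    "admission_date": date(2023, 3, 14),
    "diagnosis_code": "I10",
    "notes": "Pt called from 617-555-0123; follow-up 3/21/2023; email jane@example.org",
}
SAMPLE_YOUNG = {"name": "J. Example", "dob": date(1990, 6, 1), "zip": "03601"}
AS_OF = date(2024, 1, 15)  # fixed "today" so the output is reproducible


def demo():
    """De-identify both samples as of AS_OF."""
    return deidentify(SAMPLE, AS_OF), deidentify(SAMPLE_YOUNG, AS_OF)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it as a pipeline stage whose output is reviewed rather than as a one-shot guarantee: the free-text sweep catches common shapes, not a clinician's "the mayor's daughter", and Safe Harbor still requires that you have no actual knowledge the remaining fields identify anyone. Expert Determination is the route when you need to keep finer-grained dates or geography than these rules allow.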

HIPAA’s core requirements are organized into several rules, layered over time:

  • The Privacy Rule (compliance required from April 14, 2003; April 14, 2004 for small health plans) governs how PHI may be used and disclosed, grants patients rights of access and amendment, and limits most uses and disclosures to the minimum necessary for the purpose (disclosures to a provider for treatment are exempt from that standard).
  • The Security Rule (compliance required from April 20, 2005) sets administrative, physical, and technical safeguards for electronic PHI (ePHI): risk analysis, workforce training, access controls, audit logging, integrity and transmission controls, and security incident procedures. Encryption is an “addressable” specification, meaning a covered entity must either implement it or document why an equivalent alternative is reasonable; in practice, breach notification applies only to unsecured PHI, and HHS guidance treats PHI encrypted to NIST standards as secured, so encrypting ePHI at rest and in transit is the default.
  • The HITECH Act (2009) extended HIPAA directly to business associates, raised the penalty ceilings, and introduced breach notification.
  • The Omnibus Rule (2013) implemented HITECH’s changes in final regulation.
  • The Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services within that same 60-day window and, when they involve more than 500 residents of a state or jurisdiction, announced to prominent media outlets; smaller breaches are logged and reported to HHS annually. Business associates must notify the covered entity they serve.

Violations are enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR); since HITECH, state attorneys general may also bring civil actions. Penalties follow a four-tier culpability structure introduced by HITECH and finalized in the 2013 Omnibus Rule, ranging from $100 per violation at the lowest tier (no knowledge) to $50,000 per violation at the highest (willful neglect, uncorrected), with an annual cap per identical provision (originally $1.5 million per year at every tier, since adjusted for inflation and, under a 2019 HHS notice of enforcement discretion, scaled by tier from $25,000 at the lowest to $1.5 million at the highest).

For engineers building medical data-science systems, HIPAA shapes essentially every architectural decision: encryption at rest and in transit, role-based access control that implements the minimum-necessary standard, audit logs recording who accessed which record and when, de-identification before data leaves a covered entity’s perimeter, and a signed BAA with every cloud provider or vendor that touches PHI. Treating PHI like any other dataset is not an option in U.S. health contexts.

HIPAA is narrower than GDPR in two important ways: it covers only health information, and only when held by covered entities or their business associates. A health-tracking app run by a consumer technology company that isn’t acting on behalf of a covered entity isn’t subject to HIPAA at all, even though it holds extremely sensitive information — the gap is filled, partially, by the FTC’s Health Breach Notification Rule and various state laws.

HIPAA is one of the three privacy laws data engineers should recognize, alongside GDPR (EU general personal data) and PIPEDA (Canadian commercial data). Informed consent is one mechanism within the broader privacy frameworks, but HIPAA permits uses and disclosures of PHI for treatment, payment, and healthcare operations, and for public health and certain other purposes, without the patient’s authorization; a signed authorization is required only for uses outside those categories, such as marketing or the sale of PHI. The “consent for everything” reading is wrong.