HIPAA
Stub notice: This article is incomplete. The sections below cover the overview and definitions only. The following topics are not yet written: access control requirements, encryption requirements, Business Associate Agreements, breach notification, minimum necessary standard (engineering implications), risk analysis, and technical safeguards checklist. Do not treat this page as a complete HIPAA engineering reference.
Overview
HIPAA (Health Insurance Portability and Accountability Act) is a US legal framework that governs how protected health information (PHI) is used, disclosed, and safeguarded.
For health IT builders, HIPAA is less about “a single checklist” and more about operating controls:
- Who is regulated: covered entities (providers, health plans, clearinghouses) and business associates that handle PHI on their behalf.
- What is regulated: PHI (and “ePHI” when electronic), plus the privacy/security obligations around it.
- How compliance is demonstrated: policies + technical safeguards + auditability + incident response + vendor governance (BAAs).
This page is a practical overview for engineering and architecture conversations, not legal advice.
Quick definitions (engineering-relevant)
| Term | Meaning (practical) |
|---|---|
| PHI | Individually identifiable health information held or transmitted by a covered entity/business associate. |
| ePHI | PHI in electronic systems (databases, object storage, logs, SaaS tools). |
| Covered entity | The regulated organization (e.g., provider, payer) responsible for HIPAA compliance. |
| Business associate (BA) | A vendor/partner that creates/receives/maintains/transmits PHI for a covered entity (often needs a BAA). |
| Minimum necessary | Use/disclose only what is needed for the task (not “everything we have”). |
Privacy vs security
HIPAA is commonly discussed as “Privacy vs Security”, but the two sets of requirements work together:
| Area | Focus | Typical engineering artifacts |
|---|---|---|
| Privacy | When PHI may be used/disclosed; patient rights; workforce policies | data access policies, consent/authorization workflows, disclosure controls, training |
| Security | Safeguards for ePHI (confidentiality, integrity, availability) | access control, encryption, logging, backups, incident response, risk analysis |
If your system stores or transmits PHI, you should expect both privacy requirements (appropriate use) and security requirements (appropriate protection).
Engineering implications
HIPAA doesn’t prescribe a single “approved architecture”. It expects risk-based safeguards appropriate to your system, your threats, and your operations.
The most useful way to translate HIPAA into engineering work is: access control + minimization + auditability + encryption + incident readiness.
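To make three of those five translations concrete (access control, minimization, auditability), here is an added example that is not part of this page and not drawn from HIPAA text or any real health IT product: a small "minimum necessary" projection layer in Python. The role names, the permitted field sets, the sample record and the audit entry layout are all constructed assumptions; HIPAA does not prescribe this design, it only expects that some risk-appropriate control of this kind exists.

```python
"""Minimum-necessary projection with an audit trail (illustrative, assumptions invented)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Constructed sample record. Every key except "record_id" is treated as PHI here.
SAMPLE_RECORD: Dict[str, str] = {
    "record_id": "r-1001",
    "patient_name": "Pat Example",
    "date_of_birth": "1980-01-02",
    "diagnosis": "J45.20",
    "insurance_member_id": "M-555",
    "billing_amount": "120.00",
}

# Hypothetical role -> permitted-field policy. This is the "minimum necessary"
# decision written down as data so it can be reviewed and tested.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "clinician": frozenset({"record_id", "patient_name", "date_of_birth", "diagnosis"}),
    "billing": frozenset({"record_id", "insurance_member_id", "billing_amount"}),
    "analytics": frozenset({"record_id", "diagnosis"}),
}


@dataclass
class AuditEntry:
    when: str
    actor: str
    role: str
    purpose: str
    record_id: str
    fields: List[str]   # fields actually released (empty when denied)
    allowed: bool


@dataclass
class AuditLog:
    """Append-only in-memory stand-in for a real log sink."""
    entries: List[AuditEntry] = field(default_factory=list)

    def record(self, entry: AuditEntry) -> None:
        self.entries.append(entry)


def disclose(record: Dict[str, str], actor: str, role: str, purpose: str,
             audit: AuditLog) -> Dict[str, str]:
    """Return only the fields the role may see, logging every attempt.

    Denied requests are logged as well: an audit trail that records only
    successes hides exactly the probing an incident responder needs to see.
    """
    stamp = datetime.now(timezone.utc).isoformat()
    allowed_fields = ROLE_FIELDS.get(role)
    if allowed_fields is None:
        audit.record(AuditEntry(stamp, actor, role, purpose,
                                record["record_id"], [], False))
        raise PermissionError(f"role {role!r} is not authorized to access PHI")
    view = {k: v for k, v in record.items() if k in allowed_fields}
    audit.record(AuditEntry(stamp, actor, role, purpose,
                            record["record_id"], sorted(view), True))
    return view


def withheld_fields(record: Dict[str, str], role: str) -> List[str]:
    """Fields a role never receives; handy when reviewing the policy itself."""
    allowed = ROLE_FIELDS.get(role, frozenset())
    return sorted(k for k in record if k not in allowed)


if __name__ == "__main__":
    log = AuditLog()
    print(disclose(SAMPLE_RECORD, "dr.a", "clinician", "treatment", log))
    print(withheld_fields(SAMPLE_RECORD, "analytics"))
    for e in log.entries:
        print(e)
```

The point of keeping the policy as data (`ROLE_FIELDS`) rather than scattered `if` statements is that a risk analysis or an auditor can read it directly, and the denied-access entries give detection engineering something to alert on.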