HIPAA
HIPAA is the Health Insurance Portability and Accountability Act of 1996, a United States federal law that establishes national security and privacy standards for safeguarding sensitive patient health data. The legislation regulates how covered entities and their business associates handle, transmit, and protect patient health information.
The Core Rules of HIPAA Legislation
HIPAA comprises several distinct administrative rules that establish national standards for healthcare transactions. The Privacy Rule governs the use and disclosure of Protected Health Information (PHI) and establishes patient rights over their medical records, including the right to inspect, copy, and request corrections. The Security Rule complements this by setting national standards for securing electronic PHI (ePHI), outlining specific administrative safeguards (such as risk analysis and staff training), physical safeguards (such as workstation security and access controls), and technical safeguards (such as encryption and audit controls). Finally, the Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media in the event of a data breach.
Understanding Protected Health Information and De-Identification
Protected Health Information (PHI) includes any health-related data—such as medical history, diagnosis, treatment plans, or billing records—that is created or collected by a covered entity and can be linked to a specific patient. HIPAA identifies 18 distinct categories of identifiers (such as names, geographic data below state level, specific dates, email addresses, and social security numbers) that must be removed for data to be considered de-identified. The law outlines two methods for achieving de-identification: the Safe Harbor method, which requires the removal of all 18 identifiers, and the Expert Determination method, where a qualified statistician certifies that the risk of re-identification is very small. Once de-identified, the data is no longer subject to HIPAA regulations.
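As an added illustration (not code from the page's source), the following Python routine applies the Safe Harbor method to one structured patient record: direct identifiers are dropped, ZIP codes are truncated to their three-digit prefix (with the low-population prefixes set to 000), dates are reduced to year, ages over 89 collapse into a single 90+ category, and identifier patterns are redacted from free-text notes. The field names, the sample record and the regular expressions are assumptions; the restricted-prefix set is the one published in HHS Safe Harbor guidance from the 2000 Census and must be refreshed from current data before production use.

```python
import re
from datetime import date
# 3-digit ZIP prefixes covering 20,000 people or fewer (HHS Safe Harbor guidance, 2000 Census).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
DROP_FIELDS = {"name", "ssn", "email", "phone", "mrn", "street", "ip_address"}  # assumed field names
DATE_FIELDS = {"admission_date", "discharge_date"}   # generalized to year only
# Identifiers that hide inside free text: SSN, e-mail address, US phone number.
TEXT_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                 re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
                 re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")]

def safe_harbor_zip(zip_code):
    """Keep only the 3-digit prefix; low-population prefixes collapse to '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    return "000" if digits[:3] in RESTRICTED_ZIP3 else digits[:3]

def safe_harbor_age(dob, as_of):
    """Whole years at as_of; ages over 89 collapse into the single '90+' category."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)

def scrub_text(text):
    for pattern in TEXT_PATTERNS:   # redact identifier patterns in clinical notes
        text = pattern.sub("[REDACTED]", text)
    return text

def deidentify(record, as_of):
    """Apply Safe Harbor to one structured record and return a new dict."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:          # direct identifiers: removed outright
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "dob":
            out["age"] = safe_harbor_age(value, as_of)
            if out["age"] != "90+":     # a birth year alone would reveal age > 89
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year
        else:
            out[key] = scrub_text(value) if isinstance(value, str) else value
    return out

SAMPLE = {  # constructed sample record (hypothetical, not real patient data)
    "name": "Jane Doe", "ssn": "123-45-6789", "dob": date(1931, 3, 15), "zip": "03601",
    "admission_date": date(2023, 6, 2), "diagnosis": "J18.9",
    "notes": "Follow-up via jane@example.com or 555-123-4567."}
```

Running `deidentify(SAMPLE, date(2024, 1, 10))` leaves only age, zip3, admission_year, diagnosis and the redacted notes; a real pipeline would also have to cover the remaining identifier categories (device serials, URLs, biometrics, photographs) that a structured record like this one does not carry.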
Academic Research and HIPAA Compliance Standards
Academic researchers and students handling clinical data must navigate HIPAA requirements carefully. When research involves patient records from a covered entity, the data must be treated as PHI. Researchers must obtain written patient authorization or secure a waiver of authorization from an Institutional Review Board (IRB) or Privacy Board. When collaborating with healthcare providers, academic institutions often must sign Business Associate Agreements (BAAs), which legally bind them to maintain the same security standards as the covered entity. Failing to maintain these standards can result in severe financial penalties and institutional sanctions, making HIPAA training an essential component of clinical research education.
Key facts
At a glance
- Enacted as United States federal law by President Bill Clinton in August 1996.
- Applies strictly to 'covered entities' (providers, health plans, clearinghouses) and their 'business associates'.
- Protects Protected Health Information (PHI) in all formats: oral, paper, and electronic (ePHI).
- Mandates specific administrative, physical, and technical safeguards to secure patient data.
- Imposes substantial civil and criminal penalties for non-compliance and unauthorized disclosures.
Common misconceptions
What people often get wrong
Often heard: Any software application or website that handles health or fitness data must comply with HIPAA regulations.
Actually: HIPAA only applies to covered entities and their business associates. Direct-to-consumer health applications, fitness trackers, and smartwatches generally do not fall under HIPAA unless they share data directly with a medical provider.
Often heard: Researchers and writers are completely banned from using patient case studies or clinical data under HIPAA.
Actually: Researchers can utilize clinical data legally if they obtain explicit patient authorization, secure an IRB waiver, or fully de-identify the records by removing the 18 HIPAA-specified identifiers.
Often heard: Sharing any healthcare information is a violation of HIPAA, regardless of who shares it.
Actually: HIPAA only restricts covered entities and business associates. Private individuals sharing their own health status, or employers asking for sick notes, are not bound by HIPAA regulations.