{"id":99896,"date":"2025-01-08T12:21:20","date_gmt":"2025-01-08T10:21:20","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=glossary&p=99896"},"modified":"2025-12-17T15:28:39","modified_gmt":"2025-12-17T13:28:39","slug":"what-is-hipaa","status":"publish","type":"glossary","link":"https:\/\/checkmarx.com\/glossary\/what-is-hipaa\/","title":{"rendered":"What is HIPAA?"},"content":{"rendered":"

HIPAA, short for the Health Insurance Portability and Accountability Act, is a U.S. federal law designed to protect sensitive healthcare data. Although the law does not mandate specific cybersecurity practices or tools related to how software systems collect, store, process or transmit healthcare data, it does define security and privacy goals and outcomes that businesses must uphold to remain HIPAA-compliant.<\/p>\n\n\n\n

Healthcare systems often store highly sensitive data \u2013 including not just personally identifiable information (PII) about patients, but also private patient medical data such as health histories. What\u2019s more, healthcare data has a tendency to move around frequently. To deliver effective care, healthcare providers often need to correlate a patient\u2019s health data from across multiple systems, or share it with one other.<\/p>\n\n\n\n

\"NIST<\/figure>\n\n\n\n

For these reasons, healthcare data creates something of a perfect storm when it comes to data privacy: It involves data that is highly sensitive, and that can easily fall into the wrong hands during the process of moving from one system to another.<\/p>\n\n\n\n

HIPAA aims to address these challenges by mandating consistent, efficient and secure modes of storing and transmitting healthcare data. To comply with U.S. federal law, most businesses that manage healthcare data for U.S. residents \u2013 including companies not based in the U.S. \u2013 must adhere to HIPAA\u2019s requirements.<\/p>\n\n\n\n

The purpose of HIPAA<\/h2>\n\n\n\n

Enacted in 1996, HIPAA establishes a number of requirements and regulations that businesses must follow when working with protected healthcare information. The purpose of the law is to provide a standardized and secure way of storing and sharing healthcare data.<\/p>\n\n\n\n

HIPAA emerged out of a recognition that the healthcare industry in the United States lacked an efficient and secure approach to managing health data because different healthcare providers, insurance companies and other entities managed the data in varying ways. By standardizing the process and imposing security rules, HIPAA aimed to reduce risk and add efficiency \u2013 hence the references to \u201cportability\u201d and \u201caccountability\u201d for healthcare data within the law\u2019s name.<\/p>\n\n\n\n

Who must comply with HIPAA?<\/h2>\n\n\n\n

Any business that operates in the U.S. and is defined under HIPAA law as a \u201ccovered entity\u201d must comply with the regulation.<\/p>\n\n\n\n

In general, any business that engages in storing, processing or transmitting healthcare data is a covered entity and therefore subject to HIPAA. This includes organizations that manage analog healthcare data as well as healthcare data stored digitally (which HIPAA refers to as \u201celectronic protected health information,\u201d or e-PHI).<\/p>\n\n\n\n

Note as well that companies do not need to be based in the U.S., or even have a physical presence there, to be subject to HIPAA compliance. International organizations that store, process or otherwise have access to e-PHI associated with U.S. residents are typically subject to the HIPAA mandates.<\/p>\n\n\n\n

What does HIPAA require?<\/h2>\n\n\n\n

HIPAA includes five main rules (which are defined in detail on the HIPAA website<\/a>):<\/p>\n\n\n\n