HIPAA - Health Insurance Portability and Accountability Act
Privacy Rule compliance date: 14 April 2003 (statute enacted 21 August 1996; Security Rule compliance date 20 April 2005)
Agent Navigation: For section discovery, use /regulations/us/hipaa/llms.txt
Quick Reference
HIPAA is the primary US federal law protecting the privacy and security of health information. It establishes national standards for the protection of Protected Health Information (PHI) by covered entities and their business associates.
Applies to: Covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates
Key rules:
- Must obtain the individual's written authorization for any use or disclosure of PHI that the Privacy Rule does not otherwise permit or require; uses for treatment, payment and health care operations [45 CFR 164.506] and the public-interest exceptions (public health, required by law, law enforcement, etc.) [45 CFR 164.512] need no authorization [45 CFR 164.508]
- Must implement administrative [45 CFR 164.308], physical [45 CFR 164.310] and technical [45 CFR 164.312] safeguards for ePHI, driven by a documented risk analysis [45 CFR 164.302-318]
- Must notify affected individuals of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery [45 CFR 164.404]; HHS must also be notified [45 CFR 164.408], and prominent media outlets when more than 500 residents of a state or jurisdiction are affected [45 CFR 164.406]
- Must apply the minimum necessary standard to PHI uses, disclosures and requests [45 CFR 164.502(b)]
- Must have a Business Associate Agreement with every business associate that creates, receives, maintains or transmits PHI on the covered entity's behalf [45 CFR 164.502(e), 164.504(e)]
| Question | Answer | Citation |
|---|---|---|
| Who’s covered? | Covered entities + business associates | 45 CFR 160.103 |
| What’s PHI? | Individually identifiable health information | 45 CFR 160.103 |
| Breach notification deadline? | Without unreasonable delay, and no later than 60 calendar days from discovery | 45 CFR 164.404 |
| Is encryption required? | Addressable, not optional: implement it where reasonable and appropriate, otherwise document why not and adopt an equivalent alternative measure. PHI encrypted in line with HHS guidance is not "unsecured PHI", so its loss does not trigger breach notification | 45 CFR 164.312(a)(2)(iv), 164.312(e)(2)(ii), 164.306(d)(3), 164.402 |
| Can patients access records? | Yes, within 30 days of the request (one 30-day extension allowed, with written notice of the reason) | 45 CFR 164.524 |
| Maximum penalty? | Tiered civil money penalties with an annual cap per identical provision violated, inflation-adjusted each year (about $1.9M at the 2022 adjustment) | 45 CFR 160.404; adjusted amounts in 45 CFR 102.3 |
Regulation Map (All Chunks)
Every section of HIPAA coverage is listed here for full-text lookup and agent navigation.
Definitions
Requirements
- HIPAA: Administrative Requirements
- HIPAA: Breach Notification
- HIPAA: Business Associates
- HIPAA: De-identification and Minimum Necessary
- HIPAA: Notice of Privacy Practices
- HIPAA: Patient Rights
- HIPAA: Permitted Uses and Disclosures
- HIPAA: Privacy Rule
- HIPAA: Security Rule
- HIPAA: Transaction and Code Set Standards