HIPAA Definition: What HIPAA Stands For

The plain-language definition of HIPAA, what the acronym stands for, and the key rules that make up the law.

Short answer

HIPAA stands for the Health Insurance Portability and Accountability Act, a 1996 federal law that sets the national standard for protecting patient health information. It has five titles, but small clinics primarily operate under the Privacy Rule, Security Rule, and Breach Notification Rule.

HIPAA stands for the Health Insurance Portability and Accountability Act. Congress enacted it in 1996 (Public Law 104-191) with two original purposes: protect health insurance coverage for workers who change or lose jobs, and establish national standards for electronic healthcare transactions.

The second purpose — the privacy and security standards — is what most clinic staff mean when they say “HIPAA.”

The key rules

HIPAA has five titles, but small clinics operate primarily under three implementing rules published by HHS:

Privacy Rule (45 CFR Parts 160 and 164, Subparts A and E)
Sets national standards for how protected health information (PHI) may be used and disclosed. It gives patients rights to access their records, request corrections, and receive a Notice of Privacy Practices.

Security Rule (45 CFR Parts 160 and 164, Subparts A and C)
Requires covered entities and business associates to protect electronic PHI (ePHI) through administrative, physical, and technical safeguards. The rule covers access controls, audit logging, encryption, device management, and workforce training.

Breach Notification Rule (45 CFR Part 164, Subpart D)
Requires notification to affected individuals, HHS, and — in breaches affecting 500 or more people — the media when unsecured PHI is compromised. Small clinics have 60 days after discovery to notify individuals and HHS.

Who HIPAA applies to

The law distinguishes two categories:

  • Covered entities — health plans, healthcare clearinghouses, and healthcare providers who conduct standard electronic transactions (billing, eligibility, claims)
  • Business associates — vendors, contractors, and service providers that create, receive, maintain, or transmit PHI on behalf of a covered entity

A covered entity must have a signed Business Associate Agreement (BAA) with every business associate before sharing PHI with them. No BAA means no compliant data sharing. See When a Vendor Needs a BAA for a practical screening process.

Enforcement

The HHS Office for Civil Rights (OCR) enforces HIPAA. Investigations are triggered by breach reports, complaints, and OCR-initiated audits. Penalties are tiered by culpability:

Tier | Description                      | Per-violation range | Annual cap per category
-----|----------------------------------|---------------------|--------------------------
1    | Unknowing violation              | $100–$50,000        | $1.9M (inflation-adjusted)
2    | Reasonable cause                 | $1,000–$50,000      | $1.9M (inflation-adjusted)
3    | Willful neglect, corrected       | $10,000–$50,000     | $1.9M (inflation-adjusted)
4    | Willful neglect, not corrected   | $50,000+            | $1.9M (inflation-adjusted)

Penalty amounts are adjusted annually under the Federal Civil Penalties Inflation Adjustment Act. The base statutory cap per violation category is $1.9 million (45 CFR § 160.404). State attorneys general may also bring civil actions under HITECH.

HITECH and the 2013 Omnibus Rule

The HITECH Act (2009) strengthened HIPAA by extending Security Rule obligations directly to business associates, increasing penalties, and incentivizing adoption of electronic health records. The 2013 Omnibus Rule finalized those changes and updated the Breach Notification Rule. For a full overview, see HITECH Act Explained.

What HIPAA means for a small clinic

A clinic with 3–50 staff still carries the same Privacy Rule, Security Rule, and Breach Notification Rule obligations as a large hospital system. The difference is that small clinics typically lack a dedicated compliance officer. That makes it easier for PHI to appear in unreviewed tools, unsigned BAAs, and informal processes.

For a practical starting point, review the HIPAA Compliance Checklist for Small Clinics. For how PHI flows through daily operations, see What Counts as PHI in a Small Clinic.

PHIGuard includes a BAA at every pricing tier — $99, $249, or $499 per clinic — so compliance tooling does not require an enterprise contract.

FAQ

What does HIPAA stand for?

HIPAA stands for the Health Insurance Portability and Accountability Act, enacted by Congress in 1996 as Public Law 104-191.

Who does HIPAA apply to?

HIPAA applies to covered entities — health plans, clearinghouses, and most healthcare providers — and to their business associates who handle protected health information on their behalf.

What is the penalty for a HIPAA violation?

Civil penalties range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category. Criminal penalties can reach 10 years' imprisonment for intentional misuse.

Does HIPAA require specific software?

No. HIPAA is technology-neutral. It sets requirements for access control, audit logging, encryption, and data handling but does not mandate specific products. Any software that processes ePHI must meet the Security Rule's safeguard standards.
