HIPAA vs HIPPA: The Common Misspelling and What the Law Actually Covers

HIPPA is a common misspelling of HIPAA. This article explains what the law is actually called, what it stands for, and what it requires from clinics and other covered entities.

Short answer

HIPPA is one of the most common misspellings in healthcare administration. The correct name is HIPAA — the Health Insurance Portability and Accountability Act. This article explains the misspelling, what the law covers, and what it requires from covered entities.

Search for “HIPPA” or “HIPAA” and you will find both spellings everywhere — in news articles, HR policy documents, patient intake forms, and even in regulatory filings. One is the real law. One is a misspelling. If you searched for “hipaa hippa” and landed here, you are in good company. Let’s cover what the law is actually called, what it covers, and what it requires.

The correct spelling is HIPAA, not HIPPA

HIPAA stands for the Health Insurance Portability and Accountability Act. Congress enacted it in 1996. The acronym breaks down as:

  • H — Health
  • I — Insurance
  • P — Portability
  • A — and
  • A — Accountability Act

HIPPA, with a double P and single A, is simply a misspelling. It does not stand for anything because it is not a real law. The confusion is understandable — “portability” has two Ps, and the final “and Accountability Act” collapses into a single A that looks wrong to many readers.

The misspelling appears in physician office notices, compliance training slides, insurance denial letters, and news coverage. Google processes millions of searches per month for both spellings. HHS itself acknowledges the misspelling is pervasive.

None of this matters operationally. If you are subject to HIPAA — and most healthcare providers are — the spelling has no bearing on your obligations.

What HIPAA actually covers

The original 1996 statute had two main goals. The portability provisions protected health insurance coverage for workers who changed or lost jobs. The accountability provisions directed HHS to develop standards protecting health information.

Over time, HHS implemented those accountability provisions through a series of rules. Three rules do most of the day-to-day compliance work.

The Privacy Rule

The Privacy Rule (45 CFR Part 164, Subpart E) sets standards for how covered entities may use and disclose Protected Health Information (PHI). PHI is broadly defined as individually identifiable health information that is created, received, maintained, or transmitted by a covered entity.

The Privacy Rule requires that covered entities:

  • Use or disclose PHI only as the rule permits
  • Give patients notice of their privacy practices
  • Provide patients the right to access, inspect, and copy their records
  • Apply the minimum necessary standard — using only the amount of PHI needed to accomplish the purpose

Permitted disclosures include treatment, payment, and healthcare operations without patient authorization. Most other disclosures require written patient authorization.

The Security Rule

The Security Rule (45 CFR Part 164, Subpart C) applies specifically to electronic PHI (ePHI). It requires covered entities to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.

Administrative safeguards include risk analysis, risk management, and workforce training. Physical safeguards cover facility access controls and workstation security. Technical safeguards cover access controls, audit controls, and transmission security.

The Security Rule uses “required” and “addressable” to categorize specific implementation specifications. Required specifications must be implemented. Addressable specifications must be implemented if reasonable and appropriate — if not, the covered entity must document why and implement an equivalent alternative.

The Breach Notification Rule

The Breach Notification Rule (45 CFR Part 164, Subpart D) requires covered entities to notify affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs. A breach is defined as an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy.

  • Breaches affecting 500 or more individuals in a state must be reported to HHS and local media within 60 days of discovery.
  • Breaches affecting fewer than 500 individuals must be reported to HHS annually.
  • All breaches must be reported to affected patients within 60 days of discovery.

Breaches affecting 500 or more individuals are posted publicly on the HHS breach notification portal — often called the “wall of shame” within the industry.

Who HIPAA applies to

HIPAA applies to covered entities, defined in 45 CFR §160.103 as:

  1. Health plans — individual and group plans that provide or pay for medical care, including health insurance issuers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans
  2. Healthcare clearinghouses — entities that process nonstandard health information into standard formats, or vice versa
  3. Healthcare providers who transmit any health information in electronic form in connection with a transaction covered by HIPAA

That third category covers most clinics. If your practice submits claims electronically, checks eligibility electronically, or exchanges other standard electronic transactions with payers, you are a covered entity.

HIPAA also reaches business associates — vendors and service providers who create, receive, maintain, or transmit PHI on a covered entity’s behalf. A business associate can be a billing company, a cloud software vendor, a transcription service, a shredding company, or any other third party with access to PHI. Business associates must sign a Business Associate Agreement (BAA) with the covered entity.

What covered entities must do

The obligations break into five broad categories:

Designate privacy and security officers. The Privacy Rule requires covered entities to designate a privacy official responsible for developing and implementing privacy policies (45 CFR §164.530(a)). The Security Rule requires a security official responsible for security policies and procedures (45 CFR §164.308(a)(2)). In a small clinic, one person may hold both roles.

Conduct a risk analysis. The Security Rule requires a thorough assessment of potential risks and vulnerabilities to ePHI (45 CFR §164.308(a)(1)(ii)(A)). This is not a one-time exercise — it must be reviewed and updated periodically and when operational changes occur.

Train the workforce. Both rules require workforce training on privacy and security policies. Employees must understand what counts as PHI, what they are and are not permitted to do with it, and how to report suspected incidents.

Execute BAAs. Before sharing PHI with any business associate, a covered entity must have a signed BAA in place. Operating without a BAA when one is required is a reportable violation.

Implement technical, physical, and administrative safeguards. The Security Rule’s three categories of safeguards apply to all covered entities regardless of size. The specific implementation may vary based on the covered entity’s size, complexity, and technical capabilities, but the obligation to implement reasonable safeguards does not.

Why the misspelling is so common

“Health Insurance Portability and Accountability Act” is a long name with an unusual acronym structure. The word “portability” has two Ps, which pulls the eye toward a double-P spelling. The “and” becomes a standalone A in the acronym, which feels redundant. Many people encounter HIPAA only through informal references — a training slide, a hallway conversation, a poster in the break room — and never see the full statutory name spelled out.

The misspelling travels because written records perpetuate it. A staff member types “HIPPA policy” in an email. The email becomes the template for a policy document. The policy document gets quoted in a training. Three years later, every internal reference in a 20-person clinic says HIPPA.

None of this creates legal risk on its own. An OCR auditor will not penalize a clinic for spelling the law’s name wrong in an internal document. The penalty exposure comes from failing to meet the actual requirements of the law — regardless of how the clinic spells it.

The operational bottom line

Whether your staff says HIPAA or HIPPA, the compliance obligations are identical. Small clinics that handle patient health information electronically are covered entities subject to the Privacy Rule, the Security Rule, and the Breach Notification Rule. Those rules require real operational work: documented policies, trained staff, signed vendor agreements, periodic risk assessments, and breach response plans.

The spelling is a trivia question. The compliance program is not.

FAQ

Questions related to this topic

Is HIPPA a real law?

No. HIPPA is a misspelling. The correct name is HIPAA — the Health Insurance Portability and Accountability Act, enacted in 1996.

Does spelling HIPAA wrong mean I am not covered by it?

No. If you are a covered entity — a health plan, healthcare clearinghouse, or healthcare provider who transmits health information electronically — you are subject to HIPAA regardless of how you spell it.

What are the three main HIPAA rules?

The Privacy Rule (how PHI may be used and disclosed), the Security Rule (administrative, physical, and technical safeguards for electronic PHI), and the Breach Notification Rule (requirements to report breaches to patients and HHS).

Who enforces HIPAA?

The HHS Office for Civil Rights (OCR) enforces the Privacy Rule and Breach Notification Rule. The Centers for Medicare and Medicaid Services (CMS) enforces the Security Rule when OCR does not.

Operational assurance

Move from policy documents to a working compliance program.

PHIGuard turns these workflows into repeatable tasks, audit evidence, and role-based processes for small clinics.