Health Insurance Portability and Accountability Act (HIPAA)

What Is the Health Insurance Portability and Accountability Act (HIPAA)?

The Health Insurance Portability and Accountability Act (HIPAA) is an act created by the U.S. Congress in 1996 that amends both the Employee Retirement Income Security Act (ERISA) and the Public Health Service Act (PHSA). HIPAA was enacted in an effort to protect individuals covered by health insurance and to set standards for the storage and privacy of personal medical data.

Key Takeaways

  • HIPAA law impacts policies, technology, and record-keeping at medical facilities, health insurance companies, HMOs, and healthcare billing services.
  • Noncompliance with HIPAA standards and best practices is against the law.
  • The HITECH Act was created in 2009 to expand HIPAA privacy and security protections for patients.

How the Health Insurance Portability and Accountability Act (HIPAA) Works

The Health Insurance Portability and Accountability Act (HIPAA) ensures that individual healthcare plans are accessible, portable, and renewable, and it sets the standards and the methods for how medical data is shared across the U.S. health system in order to prevent fraud. It preempts state law (unless the state's regulations are more stringent).

Since 1996, HIPAA has been modified to include processes for safely storing and sharing patient medical information electronically. It also includes administrative simplification provisions, which are aimed at increasing efficiency and reducing administrative costs by establishing national standards.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) broadened HIPAA privacy and security protections. The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009 as a way of promoting the use of health information technology. A portion of the HITECH Act addresses privacy and security concerns.

The Future of the Health Insurance Portability and Accountability Act (HIPAA)

In 2018, Bloomberg Law reported on the privacy risks that come from digital healthcare data and the likelihood of updated federal laws in the near future. In an age of fitness-tracking apps and GPS-tracked, shareable data on everything from an individual’s daily step count to their average heart rate, medications, allergies, and even menstrual cycles, there are new challenges for upholding standards in storing and protecting personal medical data.

In a video interview, Nan Halstead, health privacy and security attorney with Reed Smith LLP, said that future laws are unlikely to expand on HIPAA. Rather, they will use HIPAA's framework as a model to create new laws governing the digital sector. Although no such federal laws have yet been passed, states can pass laws that fill the gap in the meantime. Moreover, companies tracking consumer data are currently also subject to supervision by regulating bodies like the U.S. Food and Drug Administration (FDA) and the Federal Trade Commission (FTC).
