What is HIPAA Law in USA?


The Health Insurance Portability and Accountability Act (HIPAA) is a law in the USA that requires healthcare organizations to ensure the privacy and security of patient information. But, HIPAA law doesn’t only apply to healthcare organizations located in the USA. It applies to any organization that handles the patient data of USA citizens. What is HIPAA law in USA, and how does it apply to international businesses?


HIPAA law in USA is made up of three main rules. These include the HIPAA Privacy, Security, and Breach Notification Rules.

HIPAA Privacy Rule

The HIPAA Privacy Rule dictates the proper uses and disclosures of protected health information (PHI). Under this Rule, access to PHI must be limited to the minimum necessary to perform a job function.

HIPAA Security Rule

The HIPAA Security Rule requires organizations to implement safeguards to secure PHI. These safeguards (administrative, technical, physical) must ensure the confidentiality, integrity, and availability of PHI.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires breaches affecting PHI to be reported. These incidents must be reported to affected patients and the Office for Civil Rights (OCR). Breaches affecting 500 or more patients must also be reported to the media.

How Does HIPAA Law in USA Apply Internationally?

So how does all of this apply to you if your business is not in the USA? Well, healthcare providers often rely on the services of international companies to run their practices efficiently. Businesses such as yours are known as business associates.

But how do you know if your business qualifies as a business associate?

Well, if you have the potential to access your client’s data over the course of the work you provide for them, you are a business associate. Common examples of business associates include software providers, cloud service providers, web hosting services, website developers, and managed service providers.


Implementing an Effective HIPAA Compliance Program

To ensure that your organization is handling PHI appropriately, it is crucial to implement an effective HIPAA compliance program following HIPAA law in USA requirements.

Security Risk Assessments, Gap Identification, and Remediation

To be HIPAA compliant, it is crucial to identify where your deficiencies lie. To do so, organizations must conduct annual self-audits. These self-audits uncover weaknesses and vulnerabilities in your security practices. To ensure that your organization meets HIPAA safeguard requirements, you must create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.

HIPAA Policies and Procedures

To ensure that you meet HIPAA Privacy, Security, and Breach Notification requirements, you must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how your business operates. To account for any changes in your business practices, you must review your policies and procedures annually and make amendments where appropriate.

HIPAA Training

HIPAA training must be provided to each employee that has the potential to access PHI. Training must be provided annually, in which employees must legally attest that they understand and agr