What is the Purpose of HIPAA?

Congress introduced the Health Insurance Portability and Accountability Act (HIPAA) in 1996, and since then HIPAA has changed the landscape of data protection in the healthcare industry. Initially, HIPAA’s primary function was to address the issue of health insurance coverage for individuals between jobs. Before HIPAA, individuals in this situation could find themselves without healthcare coverage, and therefore potentially unable to access crucial medical treatment. HIPAA’s purpose was to allow individuals to keep access to healthcare coverage even while they were out of work.

It is HIPAA’s secondary purpose that has made it such a significant piece of healthcare legislation: the introduction of industry-wide standards of patient data protection in the United States healthcare industry. HIPAA enforces strict stipulations regarding the safeguarding of protected health information (PHI). Hackers and others with criminal intent may attempt to access PHI in order to use it for nefarious purposes such as identity theft, and the resulting fraud can have long-lasting and devastating effects for its victims. One of HIPAA’s primary purposes is therefore to require organisations to raise the level of security placed on this sensitive data.

If the regulatory authority finds an organisation in violation of HIPAA’s Rules, it is authorised to levy hefty financial penalties against the organisation. These penalties act as a significant deterrent to organisations that might otherwise ignore HIPAA’s Rules.

HIPAA is a comprehensive legislative act incorporating the requirements of several other legislative acts, including the Public Health Service Act, Employee Retirement Income Security Act, and more recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA comprises a set of Rules, each with a particular function. The purpose of each Rule is outlined below.

The Privacy Rule of 2000

The purpose of the HIPAA Privacy Rule was to introduce restrictions on the allowable uses and disclosures of protected health information. The Rule stipulates when, with whom, and under what circumstances health information may be shared. Only authorised individuals may access PHI; access by an unauthorised individual, whether by accident or through a deliberate hacking attempt, may incur financial penalties if the organisation did not have adequate safeguards in place.

The HIPAA Privacy Rule also gives patients some control over their data. For example, patients can authorise who may see their medical information. Furthermore, patients can request that an organisation give them access to their health data, and the organisation must securely deliver the individual’s data within 30 days of the request.

The Security Rule of 2003

The HIPAA Security Rule requires organisations to use administrative, technical, and physical safeguards to protect electronic health data. Covered entities must ensure the confidentiality, integrity, and availability of all electronic PHI (e-PHI) they create, receive, maintain or transmit. An auditable trail of PHI activity must be maintained, with every access to PHI recorded and controlled. Furthermore, covered entities must ensure that they protect against “reasonably anticipated threats” to the security of PHI.

The Breach Notification Rule of 2009

The purpose of the Breach Notification Rule of 2009 is to inform organisations of their responsibilities in the event of a data breach. The Breach Notification Rule states that covered entities must provide notification of the breach to affected individuals, to the Secretary of Health and Human Services, and, if the breach is of a significant scale, to the media. The Rule also covers business associates, who must notify covered entities if a breach occurs at or by the business associate. The Breach Notification Rule requires organisations to notify those affected by the breach that their PHI has been compromised without unreasonable delay, and no later than 60 days after the breach has occurred.

Other Purposes of HIPAA

Some of HIPAA’s other purposes concern reforms to reduce bureaucracy in the healthcare industry. HIPAA requires compliant healthcare organisations to adopt new standards and practices to increase efficiency in the healthcare system. In particular, HIPAA requires healthcare professionals to use standard code sets along with patient identifiers, which paved the way for the efficient transfer of healthcare data between healthcare organisations and insurers. This streamlined process allows for efficient eligibility checks, billing, payments, and other healthcare operations, thus improving a patient’s experience in the healthcare system.

HIPAA also prohibits the tax-deduction of interest on life insurance loans, enforces group health insurance requirements, and standardises the amount that individuals may place in a pre-tax medical savings account.

HIPAA has a wide range of purposes across all areas of the healthcare industry. It seeks to improve efficiency in the healthcare industry, to improve the portability of health insurance, to protect the privacy of patients and health plan members, and to ensure that health information is kept secure and that patients are notified of breaches of their health data.