Health Insurance Portability and Accountability Act
What is the Health Insurance Portability and Accountability Act?
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is the definitive US regulation protecting personal health information. Under HIPAA, “covered entities” (providers, health plans, and the “clearinghouses” that process health data) and their service providers cannot use or share individually identifiable health data (known as “protected health information,” or PHI) outside of permitted uses without explicit authorization from the patient. Examples of permitted uses include treatment, payment, health care operations, research, and uses in the interest of the patient or the public. HIPAA gives patients no control over what covered entities do with data once it has been de-identified. It also generally does not apply to a non-covered third party, such as a tech firm or app developer, that a patient has authorized to access their data, nor does it apply to patient-generated data from wearables and other IoT devices.