HIPAA

Quick Definition

The Health Insurance Portability and Accountability Act of 1996 is the U.S. federal law that establishes data privacy and security standards for protected health information (PHI). HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates.

In Depth

HIPAA was enacted in 1996 with multiple goals — health insurance portability for workers, administrative simplification, and the Privacy and Security Rules that became the dominant ongoing regulatory framework for healthcare data in the U.S.

The HIPAA Privacy Rule (effective 2003) governs the use and disclosure of Protected Health Information by covered entities and their business associates. Patients have rights under HIPAA including the right to access their records, request corrections, and obtain an accounting of certain disclosures.

The HIPAA Security Rule (effective 2005) requires administrative, physical, and technical safeguards for electronic PHI. This includes access controls, encryption, audit logs, workforce training, and breach notification protocols.

The HITECH Act of 2009 expanded HIPAA's scope, increased penalties for violations, and required notification of affected patients in the event of certain breaches.

For telehealth and digital health platforms, HIPAA compliance is foundational. Platforms must:

- Use HIPAA-compliant infrastructure for clinical data (servers, communication tools, video platforms).
- Have signed Business Associate Agreements (BAAs) with vendors handling PHI.
- Implement appropriate access controls and audit logs.
- Train staff on HIPAA requirements.
- Have breach notification procedures in place.

Other laws can establish additional or stricter requirements, notably state laws such as California's CMIA, and the EU's GDPR for European patients. Healthcare platforms operating in multiple jurisdictions must comply with the most stringent applicable rules.

Patients evaluating a telehealth platform can ask whether it is HIPAA-compliant, whether it has BAAs with its infrastructure providers, and whether it has a published privacy notice.

Related Terms