HIPAA

Short for Health Insurance Portability and Accountability Act

US federal law requiring covered entities to protect patient health information through documented policies, procedures, and training.

Definition

HIPAA is a 1996 US federal law. Its Privacy Rule (compliance required from 2003) and Security Rule (compliance required from 2005) are enforced by the HHS Office for Civil Rights (OCR). The rules apply to "covered entities" (healthcare providers, health plans, and healthcare clearinghouses) and, since the HITECH Act and the 2013 Omnibus Rule, directly to their business associates as well. Both must implement administrative, physical, and technical safeguards for Protected Health Information (PHI); the Security Rule covers PHI in electronic form (ePHI) and specifically requires documented policies and procedures, including workforce security awareness training, access control, audit controls, transmission security, and security incident procedures.

Why it matters

HIPAA civil penalties are tiered by culpability and capped per calendar year for identical violations at $1.5 million by statute, which is now just over $2 million after inflation adjustment. Knowing misuse of PHI can also be prosecuted criminally by the Department of Justice, with fines and imprisonment that increase when the offense is committed under false pretenses or with intent to sell the data. OCR investigations and its HIPAA audit program repeatedly find missing or undocumented policies and procedures and the absence of records showing that the workforce was trained on them. Documented SOPs, together with evidence that every workforce member has been trained on them, are among the first artifacts OCR requests in an investigation and among the most important HIPAA compliance artifacts an organization can produce.

Need a HIPAA-aligned SOP?

Generate audit-ready SOPs that align with HIPAA requirements in under 2 minutes. Free plan includes 3 SOPs/month.