1.1 · HIPAA Basics
HIPAA in Plain English
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law from 1996. People talk about it as if it were one thing, but it is really four rules stacked together. Knowing the four rules makes everything else about compliance easier to understand, because every technical or legal decision you make eventually traces back to one of them.
The four rules
1. The Privacy Rule
The Privacy Rule answers the question "who is allowed to see Protected Health Information, and under what conditions?" It establishes the concept of Protected Health Information, defines what counts as identifying, and sets the baseline that you cannot use or share it without a permitted reason. It also gives patients rights: to see their own records, to ask for corrections, and to know who has accessed their information.
2. The Security Rule
The Security Rule answers the question "how must Protected Health Information be protected, technically and administratively?" It lists the safeguards every system that handles regulated data must have in place: encryption, access controls, audit logs, training, risk assessments, and so on. This is the rule that drives almost every technical decision in the architecture of this software. The full safeguard list is on its own page in this section.
3. The Breach Notification Rule
The Breach Notification Rule answers the question "what must you do when something goes wrong?" If Protected Health Information is exposed, you have to notify affected patients within 60 days, you have to notify the U.S. Department of Health and Human Services, and if the breach affects more than 500 people you also have to notify the media. Florida adds its own breach law on top, with a faster 30-day clock for Florida residents.
4. The Enforcement Rule
The Enforcement Rule answers the question "what happens if you break the other rules?" Penalties are tiered by how aware you were of the violation and how much you did to prevent it. Fines start at about $137 per violation and reach roughly $2 million per category per calendar year. Willful neglect can be charged criminally. The financial scale alone is reason enough to take the other three rules seriously.
Why all four matter for our platform
We are a software platform that ABA clinics use to run their operations and that will eventually hold Protected Health Information about their clients. That puts us inside the scope of HIPAA, which means we have obligations under all four rules. We have to know who can see what (Privacy). We have to protect it correctly (Security). We have to respond properly if something leaks (Breach Notification). And we have to do all of this consistently, because if we get sloppy we get penalized (Enforcement).
Everything else in this Compliance section is essentially the practical answer to one question: how do we satisfy these four rules in code, in vendor choices, in our day-to-day operations, and in our paperwork?
A note on what HIPAA is not
HIPAA is not a checkbox certification. There is no "HIPAA certified" stamp you can earn and then forget about. It is an ongoing legal obligation. Vendors who say they are "HIPAA compliant" really mean they are willing to sign a Business Associate Agreement and have implemented the Security Rule safeguards in their service. The compliance lives in the contracts and the practices, not in a badge.
HIPAA is also a federal floor, not a ceiling. States can add their own stricter rules on top. Florida does, and those additions are covered on the Florida Specifics page.