HIPAA governs "Protected Health Information" (PHI). This includes names, addresses, Social Security numbers, and medical conditions. It applies to "Covered Entities" (Hospitals, Doctors) and "Business Associates" (IT providers, Cloud Hosts).
Required vs Addressable
HIPAA is unusual because some of its Security Rule specifications are "Addressable" rather than strictly required.
- Required: You MUST do it. (e.g., Risk Analysis).
- Addressable: You must do it UNLESS you have a valid reason not to, and implement an equivalent alternative.
Example: "Encryption at Rest" is addressable. You can argue it slows down the system, BUT you had better have insane physical security to compensate for it. (Best practice: just encrypt it.)
1. The Minimum Necessary Rule
Employees should only access the data they need to do their job.
A receptionist should see the patient's appointment time, but NOT their detailed surgical notes.
2. Audit Controls
You must log WHO looked at WHAT record and WHEN.
If a celebrity enters the hospital, staff who view their file without authorization commit a major violation.
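The two controls above (Minimum Necessary and Audit Controls) are easiest to see together in code. The following is an added example, not code from the original notes: a tiny record-access layer that filters PHI fields by role, writes a WHO/WHAT/WHEN audit entry for every view, and then scans the audit log for viewers who are not on the patient's care team (the "celebrity snooping" case). The role names, field names, patient record and `care_team` attribute are all constructed for illustration.

```python
"""Added example: field-level least privilege plus an access audit log for PHI.
All data, role names and field names are constructed for illustration."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed: the PHI fields each role is allowed to see (Minimum Necessary).
# Note the receptionist can see the appointment time but never surgical notes.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "receptionist": {"name", "appointment_time"},
    "nurse": {"name", "appointment_time", "allergies"},
    "surgeon": {"name", "appointment_time", "allergies", "surgical_notes"},
}

# Constructed sample patient record. "care_team" is an internal attribute
# (who has a treatment relationship) and is never returned to a viewer.
PATIENTS: Dict[str, Dict] = {
    "P-1001": {
        "name": "Pat Example",
        "appointment_time": "2024-05-02T09:30",
        "allergies": "penicillin",
        "surgical_notes": "appendectomy, no complications",
        "care_team": {"dr_lee", "nurse_kim", "front_desk_ana"},
    },
}

# Audit Controls: one entry per access, recording WHO looked at WHAT and WHEN.
AUDIT_LOG: List[Dict] = []


def view_record(user: str, role: str, patient_id: str,
                when: Optional[str] = None) -> Dict[str, str]:
    """Return only the fields the caller's role may see, and log the access.

    `when` may be supplied for deterministic logging; otherwise the current
    UTC time is recorded.
    """
    record = PATIENTS[patient_id]
    allowed = ROLE_FIELDS.get(role, set())          # unknown role -> sees nothing
    visible = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append({
        "who": user,
        "role": role,
        "what": patient_id,
        "fields": sorted(visible),                   # exactly which PHI was shown
        "when": when or datetime.now(timezone.utc).isoformat(),
        # Treatment relationship is evaluated at access time so the log can be
        # reviewed later without re-deriving it.
        "on_care_team": user in record["care_team"],
    })
    return visible


def flag_snooping(log: List[Dict]) -> List[Dict]:
    """Audit-log review: return accesses by users with no treatment relationship.

    This is the check an investigator would run after a high-profile patient
    is admitted; every flagged entry already carries who/what/when.
    """
    return [entry for entry in log if not entry["on_care_team"]]


if __name__ == "__main__":
    # Legitimate, role-limited accesses.
    print(view_record("front_desk_ana", "receptionist", "P-1001"))
    print(view_record("dr_lee", "surgeon", "P-1001"))
    # A role-appropriate but relationship-less access: the fields are filtered
    # correctly, yet the audit review still flags it.
    view_record("curious_clerk", "receptionist", "P-1001")
    for entry in flag_snooping(AUDIT_LOG):
        print("FLAG:", entry["who"], "viewed", entry["what"], "at", entry["when"])
```

The point of the split is that the two rules are independent: the role filter enforces Minimum Necessary at read time, while the audit log makes the access reviewable afterwards, so a receptionist who views a record they have no business with is still caught even though they only saw the fields their role permits.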