What is the Purpose of HIPAA?
The original purpose of HIPAA was to ensure that employees could continue to receive health insurance coverage between jobs and would not be discriminated against for pre-existing conditions. Because of the costs this would impose on health plans, and concerns that these costs would be passed on to plan members and employers, Congress added a second Title to the Act to combat fraud and abuse in the healthcare insurance system.
Title II also instructed the Secretary of Health and Human Services to adopt standards to simplify the administration of healthcare transactions between healthcare providers and health plans. Because health plans had developed their own transaction code structures prior to HIPAA, more than four hundred sets of codes existed. Determining which code applied to which payer, and translating one code to another, often delayed transactions such as eligibility checks, treatment authorizations, and payment remittances.
In addition to adopting standards for healthcare transactions, the Secretary was instructed to develop standards for the security of Protected Health Information transmitted and maintained electronically by providers and payers. As a follow-on to this instruction, the Secretary was asked to make recommendations on the confidentiality of health information maintained in all formats. This led to the publication of the first proposed HIPAA Security Rule in 1998 and the final HIPAA Privacy Rule in December 2000.
Health Data Privacy and Security
HIPAA is now best known for protecting the privacy of patients and ensuring patient data is appropriately secured, with those requirements added by the HIPAA Privacy Rule and the HIPAA Security Rule. The requirement for notifying individuals of a breach of their health information was introduced in the HIPAA Breach Notification Rule in 2009.
The purpose of the HIPAA Privacy Rule was to restrict the allowable uses and disclosures of protected health information, stipulating when, with whom, and under what circumstances health information may be shared. Another important purpose of the HIPAA Privacy Rule was to give patients the right to access their health data on request. The purpose of the HIPAA Security Rule is mainly to ensure that electronic PHI (ePHI) is appropriately secured, that access to ePHI is controlled, and that an auditable trail of activity involving ePHI is maintained.
So, in summary, what is the purpose of HIPAA? To improve efficiency in the healthcare industry, to improve the portability of health insurance, to protect the privacy of patients and health plan members, to ensure health information is kept secure, and to ensure patients are notified of breaches of their health data. Including the purpose of HIPAA as a module of HIPAA training gives members of the workforce with no previous healthcare experience a better understanding of why certain policies and procedures exist.
The Purpose of HIPAA FAQs
Why did it take so long between the passage of HIPAA and the publication of the Privacy Rule?
When HIPAA was passed in 1996, the Secretary of Health and Human Services was tasked with recommending standards for the privacy of individually identifiable health information. The recommendations had to be presented to Congress within a year, and if Congress did not enact privacy legislation within three years of HIPAA's passage, the Secretary was to promulgate a Final Rule. This Final Rule became known as the HIPAA Privacy Rule.
The HIPAA Privacy Rule was published on schedule in December 2000. However, because of the volume of comments expressing confusion, misunderstanding, and concern over the complexity of the HIPAA Privacy Rule, it was revised to prevent "unanticipated consequences that might harm patients' access to health care or quality of health care" (see 67 FR 14775-14815). A significantly modified HIPAA Privacy Rule was published in August 2002.
Why are there separate HIPAA Privacy and Security Rules?
The two rules have different scopes and complement each other. The HIPAA Privacy Rule applies to PHI in any form (paper, oral, and electronic) and stipulates the circumstances in which it is permissible to use or disclose PHI. The HIPAA Security Rule applies only to electronic PHI and stipulates the administrative, physical, and technical safeguards required to protect the confidentiality, integrity, and availability of ePHI against unauthorized uses, modifications, and disclosures. The two are nonetheless linked: the General Rules of the HIPAA Security Rule (45 CFR 164.306(a)) require covered entities and business associates to protect against reasonably anticipated uses and disclosures of ePHI that are not permitted or required by the HIPAA Privacy Rule, so the Security Rule's safeguards are one of the means by which the Privacy Rule's restrictions are enforced.
Why might patients want to access their health data?
Healthcare professionals have exceptional workloads, and as a result mistakes can be made when updating patient notes. By accessing their health data and requesting amendments when data are inaccurate or incomplete, patients can take responsibility for their health. They can also, if they wish, take their records to an alternative provider and avoid repeating tests to establish diagnoses that have already been made.
How else does HIPAA benefit patients?
Prior to HIPAA, there were few controls to safeguard PHI. Health data was often stolen to commit identity theft and insurance fraud, which affected patients financially through personal loss, increased insurance premiums, and higher taxes. In the late 1980s and early 1990s, healthcare spending per capita increased by more than 10% per year. Now, partly due to the controls implemented to comply with HIPAA, annual increases in healthcare spending per capita are less than 5%.
What did the Breach Notification Rule change in 2009?
The Breach Notification Rule made it a legal requirement for covered entities to notify patients if unsecured PHI is accessed, or potentially accessed, without authorization. The covered entity has to provide details of what PHI was involved and what measures the patient should take to prevent harm (e.g., cancelling credit cards). Notifications must be issued without unreasonable delay and no later than 60 days after the breach is discovered. By receiving this information in a timely manner, patients can protect themselves from becoming victims of medical identity theft and fraud.