
Is HIPAA a Federal Law? Scope, Enforcement, and Implications of HIPAA
A lot of people still question the authority of the Health Insurance Portability and Accountability Act (HIPAA), wondering whether it is merely a set of guidelines or a legally binding federal law. In truth, HIPAA is a federal law, and healthcare professionals and third-party vendors of healthcare services have been legally bound to comply with its rules since the United States Congress enacted it in 1996. Understanding that HIPAA guidelines are not optional advice, and learning about HIPAA’s legal status, is essential to avoid harmful missteps and ensure full HIPAA compliance across all roles handling protected health information (PHI). Here’s a quick read on HIPAA’s scope, enforcement, and implications.

What Is HIPAA? A Quick Overview
HIPAA was established in the 1990s to address the instability of health insurance coverage and the lack of federal law protection of patient rights. The goal was to create healthcare data privacy rules applicable to healthcare organisations and third-party vendors, outlining how to store, manage, and disclose PHI.

Is HIPAA a Federal Law?
Yes. HIPAA was passed by Congress and signed into federal law by President Bill Clinton, to be enforced uniformly across all 50 states. Because of its federal stature, it takes precedence over state laws in cases of conflict, thanks to the Supremacy Clause. However, where a state law is more stringent and comprehensive than HIPAA, healthcare providers and individuals must follow the state law. For example, California’s CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) gives consumers broader rights over personal data than HIPAA in some areas. Similarly, New York’s SHIELD Act imposes stronger breach notification and security requirements and takes priority over HIPAA in the state of New York. Nevertheless, HIPAA sets the baseline for healthcare data privacy, security, and insurance portability, and it carries all the powers and authority of a federal law. HIPAA violations can lead to serious financial and even criminal penalties, depending on severity and intent. The Office for Civil Rights (OCR) actively enforces HIPAA across states, issuing settlements, penalties, and corrective action plans for non-compliant entities.

HIPAA vs State Laws: A Comparison
| Aspect | HIPAA (Federal Law) | CCPA/CPRA (California) | NY SHIELD Act (New York) |
|---|---|---|---|
| Scope | Applies to organizations and individuals handling PHI and healthcare data (categorized as covered entities and business associates) | Applies to businesses that handle the personal data (not just healthcare) of California residents | Applies to businesses that handle the personal data (not just healthcare) of New York residents |
| Type of Data Protected | PHI: medical records, billing information, etc. | Personal Information (PI) such as name, SSN, geolocation, etc. | Private information, including PI plus security codes, biometrics, financial credentials, etc. |
| Consent & Rights | Patient rights are limited to access, amendment, and accounting of disclosures. | Broader consumer rights, including opt-out of sale, requests for data deletion, etc. | Requires reasonable safeguards and strong breach notification rules; no broad opt-out like CCPA. |
| Enforcement | Enforced by HHS Office for Civil Rights (OCR) | Enforced by the California Attorney General and the California Privacy Protection Agency | Enforced by the New York Attorney General |
| Federal vs. State Priority | Supremacy Clause: HIPAA sets the minimum federal floor. If a state law gives stronger protections, the stricter law must be followed. | Stricter than HIPAA in some areas; applies in addition to HIPAA. | Adds further requirements, especially for breach notification and safeguards. |
Why Federal HIPAA Compliance Still Requires Local Attention
As the table above shows, many states layer additional requirements or protections on top of HIPAA to ensure patient rights and privacy. Hence, it is up to healthcare providers to reconcile overlapping frameworks and follow whichever rules are more stringent and comprehensive. For organizations operating across multiple states or delivering services like telehealth, which naturally cross borders, the safest approach is to adopt the strictest applicable standard. In such scenarios, one of the best ways to reduce risk and maintain compliance is to conduct a risk analysis. A comprehensive risk analysis that includes a full inventory of where PHI is stored or managed helps identify potential threats like ransomware, phishing, and insider misuse early on. The OCR has made risk analysis a top enforcement priority in 2025 and has launched a dedicated Risk Analysis Enforcement Initiative, already closing cases with fines for organizations that failed to properly assess vulnerabilities. Maintaining detailed documentation is also very important for organizations that need to prove their compliance.

HIPAA Secure Communication in the US
HIPAA requires that PHI be kept secure throughout any communication process, including encryption in transit and at rest. That means compliance must be maintained even after the message is delivered on the other end. Compliance isn’t a one-time checkbox; it’s an ongoing, proactive process that combines federal HIPAA rules with state-level privacy protections, underpinned by risk assessments, documentation, and secure communication tools like HIPAA-compliant email. Standard email (like Gmail and Yahoo) does not and cannot sufficiently protect PHI. Without encryption, access control, and auditability, you risk breaches and HIPAA penalties. Here are the core requirements for a secure email service that can be used for sharing PHI. By ensuring that your organization uses a secure email provider that offers these protections, you not only remain HIPAA compliant but also satisfy most state-level privacy rules.

- Encryption: Your email service must offer encryption both in transit and at rest. This reduces the risk of PHI being intercepted by cybercriminals and hackers.
- Access Controls and Authentication: Must support strong access control and authentication methods such as Multi-Factor Authentication and Role-Based Access Control (RBAC).
- Audit Logs and Monitoring: Must capture sender, recipient, timestamps, and alterations; retain logs for at least six years; and keep them accessible for audits. You must be able to identify which users accessed which information.
- Secure Archiving: Must offer secure email retention, archiving, and deletion policies to support compliance.