CIAM.wiki


HIPAA

HIPAA (Health Insurance Portability and Accountability Act) is a United States law that establishes standards for protecting the privacy and security of individually identifiable health information.


HIPAA is a U.S. federal law that governs how covered entities and their business associates handle protected health information (PHI). Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Business associates are third parties that access PHI on their behalf.

The law includes two main rules relevant to identity and security. The Privacy Rule establishes who may access PHI and under what conditions. The Security Rule sets technical safeguards for electronic PHI, including access controls, audit trails, encryption, and integrity mechanisms. Together, they require that only authorized individuals can view or modify health data, and that every access is logged.

HIPAA does not prescribe specific technologies, but the Security Rule’s requirements for unique user identification, automatic logoff, and audit controls map directly to identity management capabilities.

For CIAM, HIPAA applies when a customer-facing application in healthcare handles patient identity or health data. The identity platform must enforce the access controls and audit requirements that the law demands.
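The following is an added example, not code from CIAM.wiki or from any identity product, showing how the safeguards named above (unique user identification, automatic logoff, access control, and audit controls) map onto the logic an identity platform sits in front of. The roles, record identifiers, the 15-minute inactivity threshold, and the policy table are all constructed for illustration; HIPAA itself fixes none of these values.

```python
"""Added example (not from CIAM.wiki): a minimal PHI access layer that applies
unique user IDs, an inactivity-based automatic logoff, a role/ownership access
check, and an audit record for every attempt, allowed or denied.
All identifiers, roles and records are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

INACTIVITY_LIMIT_S = 15 * 60  # hypothetical auto-logoff threshold (15 minutes)

# Which roles may perform which actions on PHI. Constructed policy, not HIPAA text.
POLICY = {
    "clinician": {"read", "update"},
    "billing": {"read"},
    "patient": {"read"},
}


@dataclass
class Session:
    user_id: str          # unique per person; shared accounts are never issued
    role: str
    last_activity: float  # epoch seconds of the session's last request


@dataclass
class AuditEvent:
    ts: float
    user_id: str
    action: str
    record_id: str
    outcome: str  # "allowed" or a denial reason


@dataclass
class PhiStore:
    records: dict  # record_id -> {"patient_id": ..., "data": ...}
    audit_log: list = field(default_factory=list)

    def _audit(self, now, session, action, record_id, outcome):
        # Audit controls: every attempt is recorded, including denials.
        self.audit_log.append(AuditEvent(now, session.user_id, action, record_id, outcome))
        return outcome

    def access(self, session: Session, action: str, record_id: str, now: float) -> Optional[dict]:
        """Return the record if the session may perform `action` on it, else None.
        Every decision is appended to the audit log."""
        # Automatic logoff: an idle session is rejected rather than silently extended.
        if now - session.last_activity > INACTIVITY_LIMIT_S:
            self._audit(now, session, action, record_id, "denied:session_expired")
            return None
        session.last_activity = now

        record = self.records.get(record_id)
        if record is None:
            self._audit(now, session, action, record_id, "denied:no_such_record")
            return None

        # Access control: the role must permit the action...
        if action not in POLICY.get(session.role, set()):
            self._audit(now, session, action, record_id, "denied:role")
            return None
        # ...and a patient may only reach their own record.
        if session.role == "patient" and record["patient_id"] != session.user_id:
            self._audit(now, session, action, record_id, "denied:not_own_record")
            return None

        self._audit(now, session, action, record_id, "allowed")
        return record


def demo():
    """Run a handful of constructed requests and return (decisions, audit log)."""
    store = PhiStore(records={
        "rec-1": {"patient_id": "pat-42", "data": "constructed lab result"},
        "rec-2": {"patient_id": "pat-99", "data": "constructed visit note"},
    })
    t0 = 1_700_000_000.0
    clinician = Session("dr-7", "clinician", last_activity=t0)
    patient = Session("pat-42", "patient", last_activity=t0)
    results = {
        "clinician_update": store.access(clinician, "update", "rec-1", t0 + 10) is not None,
        "patient_own": store.access(patient, "read", "rec-1", t0 + 20) is not None,
        "patient_other": store.access(patient, "read", "rec-2", t0 + 30) is not None,
        "patient_update": store.access(patient, "update", "rec-1", t0 + 40) is not None,
        # clinician's last activity was t0+10; this request arrives past the idle limit
        "idle_logoff": store.access(clinician, "read", "rec-1",
                                    t0 + 10 + INACTIVITY_LIMIT_S + 1) is not None,
    }
    return results, store.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for name, allowed in decisions.items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    for event in log:
        print(event)
```

Two design points carry the compliance weight: the audit entry is written before the function returns on every path, so a denied or expired request leaves the same trace as an allowed one, and the session carries a per-person `user_id` rather than a shared service identity, which is what makes the audit trail attributable to an individual.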
