The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places a large regulatory burden on organizations that deal with certain types of health-related information. There are two specific regulations of interest to database professionals: the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule protects all individually identifiable protected health information (PHI) maintained by the Covered Entity. PHI includes data that relates to:

- the individual's past, present or future physical or mental health or condition, or
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual
The Security Rule covers the security of electronic protected health information (ePHI). It prescribes a number of required policies, procedures and reporting mechanisms that must be in place for all information systems that process ePHI within the Covered Entity. It also prescribes a number of required and addressable implementation specifications designed to protect the confidentiality, integrity and availability of ePHI within the enterprise. These specifications fall into five categories:

- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements
- Policies and Procedures