HIPAA (the US Health Insurance Portability and Accountability Act of 1996) is the federal framework for the privacy and security of health data. It is implemented through three operational rules: the Privacy Rule (who may use and disclose health information), the Security Rule (how electronic protected health information, ePHI, must be safeguarded), and the Breach Notification Rule (what must happen when unsecured PHI is compromised). A fourth, the Enforcement Rule, covers investigations and civil money penalties. These rules live in the Code of Federal Regulations at 45 CFR Parts 160 and 164.
A defining feature is that HIPAA follows the data, not the product's marketing label. It applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and to their business associates, the vendors that create, receive, maintain, or transmit Protected Health Information (PHI) on their behalf. Since the 2013 Omnibus Rule, business associates are directly liable for Security Rule compliance and for the Privacy Rule provisions that apply to them, not merely contractually liable through a Business Associate Agreement (BAA), although a BAA is still required. Most telemedicine software companies are business associates and carry this direct liability. You do not get to opt out by calling yourself a "wellness" or "tech" company if you are in fact handling PHI for a covered entity.
Critically, HIPAA names duties, not technologies. The Security Rule does not say "use AES-256" or "require this specific login method"; it names administrative, physical, and technical safeguards (access control, audit controls, integrity, person or entity authentication, transmission security) and leaves the mechanism to you. Each safeguard breaks down into implementation specifications that are either "required" or "addressable". Addressable does not mean optional: for an addressable specification such as encryption of ePHI, you must either implement it or document why it is not reasonable and appropriate in your environment and what equivalent alternative you put in place instead. The basis for every such decision is the risk analysis that 45 CFR 164.308(a)(1)(ii)(A) itself requires. For a product team that means compliance is an engineering and documentation discipline, not a checkbox: you decide the controls and you keep the written reasoning. The common pitfall is hunting for a "HIPAA-certified" stamp; HHS recognizes no such certification, only your demonstrable adherence to the rules, evidenced by your risk analysis and the safeguards you can show.

