Compliance & Regulation

HIPAA

The US federal law governing the privacy and security of protected health information (PHI), with specific requirements for any portal handling patient data.

Also known as: Health Insurance Portability and Accountability Act

HIPAA (Health Insurance Portability and Accountability Act of 1996) is the US federal law governing the privacy and security of protected health information (PHI). It applies to “Covered Entities” (healthcare providers, health plans, healthcare clearinghouses) and their “Business Associates” (vendors who handle PHI on the Covered Entity’s behalf — including portal vendors).

HIPAA defines three rules: the Privacy Rule (how PHI is used and disclosed), the Security Rule (technical and administrative safeguards), and the Breach Notification Rule. Penalties range from $100 to $1.5M per violation per year.

For portals, HIPAA compliance requires encryption, access controls, audit logging, identity verification, and a signed BAA with every vendor handling PHI. See our HIPAA compliance guide and HIPAA-compliant patient portal article.