The **Health Insurance Portability and Accountability Act** (**HIPAA**) is a [[United States federal law|United States federal law]] enacted in 1996 that establishes national standards for the protection of sensitive patient health information and regulates the portability of [[Health insurance|health insurance]] coverage. Signed into law by President [[Bill Clinton]] on August 21, 1996, HIPAA was originally enacted to address gaps in health insurance coverage for workers changing employment, but has since become primarily associated with its [[Privacy law|privacy]] and [[Information security|security]] provisions governing the handling of [[Protected health information|protected health information]] (PHI). Those privacy and security provisions are enforced by the [[United States Department of Health and Human Services|U.S. Department of Health and Human Services]] (HHS) through its [[Office for Civil Rights (HHS)|Office for Civil Rights]] (OCR). HIPAA is organized into several titles, of which Title I addresses health insurance portability by restricting the ability of health plans to deny coverage based on [[Pre-existing condition|pre-existing conditions]], and Title II, known as the Administrative Simplification provisions, establishes the privacy and security requirements for which the law is most widely known. The [[HIPAA Privacy Rule|Privacy Rule]], finalized in 2000, sets standards for the use and disclosure of PHI by [[Covered entity|covered entities]]—including [[Health care provider|healthcare providers]], [[Health plan|health plans]], and [[Healthcare clearinghouse|healthcare clearinghouses]]—and grants patients rights over their own health information, including the right to access their records and to request amendment of them.
The [[HIPAA Security Rule|Security Rule]], finalized in 2003, establishes safeguards for PHI held in [[Electronic health record|electronic]] form (ePHI), requiring covered entities to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of that data. The rule is deliberately technology-neutral: its standards are broken down into implementation specifications that are either "required" or "addressable", and an addressable specification (encryption of ePHI is one) may be met by an equivalent alternative measure or documented as not reasonable and appropriate, rather than being optional. Subsequent legislation has extended and strengthened HIPAA's provisions. The [[Health Information Technology for Economic and Clinical Health Act|Health Information Technology for Economic and Clinical Health (HITECH) Act]] of 2009 made HIPAA's security and privacy requirements directly applicable to [[Business associate|business associates]]—third-party vendors that create, receive, maintain, or transmit PHI on behalf of covered entities—introduced a federal breach notification requirement for unsecured PHI, and significantly increased the civil [[Sanctions (law)|penalties]] for violations while clarifying that criminal penalties apply to individuals as well as to organizations. HIPAA compliance has become a significant operational and legal concern for organizations across the [[Healthcare industry|healthcare industry]] and related sectors, driving substantial investment in [[Data governance|data governance]], [[Access control|access control]], [[Encryption|encryption]], and [[Breach notification|breach notification]] capabilities. Civil penalties are tiered by the violator's level of culpability, from violations the entity did not know of and could not reasonably have known of up to willful neglect that is not corrected, with an annual cap per type of violation that exceeds $1.5 million; criminal penalties, including imprisonment, apply to knowingly obtaining or disclosing individually identifiable health information in violation of the statute.