The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contain both security and privacy provisions. HIPAA applies to covered entities that use certain electronic transactions—entities such as most health care providers, health plans, and health care clearinghouses. In the higher education arena, HIPAA most often applies to clinics used by both students and staff and to academic medical centers. The security regulations of HIPAA require covered entities to protect specific types of individually identifiable health information kept in electronic form, referred to as Electronic Protected Health Information (EPHI). To comply with the HIPAA security regulations, covered entities are to protect systems that store, process, and transmit EPHI. Entities must conduct periodic risk analyses to determine and implement reasonable and appropriate administrative, physical, and technical safeguards. The security regulations also require the implementation of risk-management processes, including policies and procedures and other documentation and training.

Although HIPAA does not allow individuals to sue covered entities that do not comply with the law, it does provide criminal and civil penalties for noncompliance.