What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 federal law that sets national standards for protecting sensitive patient health information from being disclosed without the patient's consent or knowledge.
Updated February 2026
HIPAA Explained
HIPAA includes several key components: the Privacy Rule (governs use and disclosure of Protected Health Information), the Security Rule (sets standards for electronic PHI protection), the Breach Notification Rule (requires notification when PHI is exposed), and the Enforcement Rule (establishes investigation and penalty procedures).
HIPAA applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically) and their business associates (vendors who handle PHI on behalf of covered entities).
For healthcare B2B data companies, HIPAA is often misunderstood in context. Provider business data (NPI numbers, practice addresses, specialty classifications, business phone numbers) is NOT Protected Health Information. HIPAA protects patient data, not provider business data. A provider's NPI number, office address, and professional credentials are public information published by CMS. However, if you handle any patient-level data (patient lists, claims data, treatment records), HIPAA applies fully.
Why HIPAA Matters for Healthcare Data
HIPAA confusion creates unnecessary friction in healthcare data sales. Some buyers worry that purchasing provider contact data violates HIPAA. It doesn't. Provider business data is public information, not protected health information. Understanding this distinction helps you address buyer objections and close deals faster.
Real-World Example
A healthcare SaaS company's legal team initially blocks the purchase of provider contact data, citing HIPAA concerns. The data vendor clarifies that the dataset contains only provider business information (NPI numbers, practice addresses, professional credentials) sourced from the public NPPES registry and business listings. No patient data is involved. The legal team approves the purchase after reviewing the data dictionary.
Frequently Asked Questions
Is provider contact data covered by HIPAA?
No. HIPAA protects patient health information (PHI), not provider business data. Provider names, NPI numbers, practice addresses, specialty information, and business contact details are public information. Purchasing or using provider business data does not implicate HIPAA.
What data is considered PHI under HIPAA?
PHI includes any individually identifiable health information: patient names, addresses, dates (birth, admission, discharge), Social Security numbers, medical record numbers, health plan IDs, and any data that links to a patient's health condition, treatment, or payment for care.
Do I need a BAA to buy provider contact data?
No. A Business Associate Agreement (BAA) is required when a vendor handles Protected Health Information on your behalf. Provider business data does not contain PHI, so no BAA is needed for purchasing provider contact lists, practice data, or professional directories.