HIPAA
HIPAA governs health data protection for covered entities and business associates. Learn the three rules, safeguards, and what breach notification requires.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act, a US federal law enacted in 1996 that establishes national standards for protecting sensitive health information. Its primary privacy and security provisions govern how covered entities and their business associates collect, store, process, and transmit Protected Health Information (PHI), with significant penalties for violations and a breach notification framework that creates time-sensitive operational obligations.
HIPAA predates cloud computing, SaaS, and mobile health applications by decades. Its core framework has been updated and clarified through the HITECH Act of 2009 and subsequent regulatory rulemaking, but it remains the primary federal regulation governing health data security in the United States, and understanding its operational requirements is essential for any organisation that touches health data in that context.
Who HIPAA applies to
HIPAA's coverage extends beyond the healthcare providers most people associate with it. Two entity categories carry direct HIPAA obligations.
Covered entities are the organisations directly regulated under HIPAA: healthcare providers who transmit any health information electronically (hospitals, physician practices, pharmacies, labs, home health agencies), health plans (insurance companies, HMOs, employer-sponsored health benefit programmes, Medicare and Medicaid), and healthcare clearinghouses (organisations that process nonstandard health information into standard formats).
Business associates are any persons or organisations that perform functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. A cloud provider hosting electronic health records is a business associate. An analytics firm processing de-identified patient data that could be re-identified is a business associate. A billing company, coding company, claims processing firm, or IT vendor with access to PHI systems is a business associate. Business associates carry direct HIPAA obligations and must sign Business Associate Agreements (BAAs) with covered entities before accessing PHI.
That's the scope point many organisations miss. A technology company that doesn't self-identify as a healthcare organisation may be a business associate — and carry full HIPAA liability if it provides services to a hospital or health insurer that involve PHI access. SaaS platforms, data analytics services, cloud infrastructure providers, security firms, and managed service providers operating in healthcare contexts are likely business associates.
The three HIPAA rules
HIPAA's privacy and security framework operates through three primary rules with distinct scope and requirements.
The Privacy Rule establishes national standards for protecting PHI in all formats — electronic, paper, and oral. It defines what constitutes PHI, when and how covered entities may use and disclose it, what individual rights apply, and what minimum necessary standards govern PHI access. The Privacy Rule created the concept of "minimum necessary" — a requirement that covered entities make reasonable efforts to use, disclose, and request only the minimum PHI necessary to accomplish the intended purpose.
The Security Rule establishes specific safeguards for electronic PHI (ePHI). Where the Privacy Rule covers all PHI, the Security Rule focuses specifically on ePHI and requires covered entities and business associates to implement administrative, physical, and technical safeguards. The Security Rule doesn't prescribe specific technologies — it requires organisations to assess their own risks and implement safeguards appropriate to their size, capability, and risk level. This flexibility is both a feature and a compliance challenge: there's no prescriptive checklist, only a risk-based framework.
The Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases media outlets, following a breach of unsecured PHI. Notifications to affected individuals must be sent within 60 days of discovering the breach. Breaches affecting 500 or more residents of a state or jurisdiction require media notification in that jurisdiction. All breaches must be reported to HHS, with large breaches reported within 60 days and smaller breaches reported annually on a rolling basis.
HIPAA Security Rule: the three categories of safeguards
The Security Rule's technical requirements are organised around three categories of safeguards, each covering different aspects of ePHI protection.
Administrative safeguards are the policies, procedures, and management activities that govern how covered entities implement their security programme. The required implementation specifications include risk analysis and risk management — formally assessing risks to ePHI confidentiality, integrity, and availability and implementing security measures to reduce those risks to a reasonable and appropriate level. Other administrative safeguards include a sanction policy for employees who violate HIPAA, information system activity review, workforce training, access authorisation and management, and contingency planning.
The risk analysis requirement is particularly significant. It's the foundation of HIPAA Security Rule compliance, and it creates an operational dependency: you can't analyse risks to ePHI without knowing where your ePHI is. A complete, current inventory of systems that create, receive, maintain, or transmit ePHI is the prerequisite for a defensible risk analysis. Most HIPAA enforcement actions that result in significant settlements include findings related to inadequate risk analysis — and inadequate risk analysis is almost always rooted in incomplete ePHI inventory.
Physical safeguards govern the physical infrastructure where ePHI is stored or accessed: facility access controls limiting physical access to systems containing ePHI, workstation use policies defining the proper functions and physical environment of workstations with ePHI access, workstation security controls requiring that workstations with ePHI access be positioned and used to minimise inadvertent disclosure, and device and media controls governing the receipt, removal, backup, storage, reuse, and disposal of hardware and media that contain ePHI.
Technical safeguards are the security controls implemented in information systems. Access controls include unique user identification (no shared logins), emergency access procedures, automatic logoff, and encryption and decryption. Audit controls require implementing hardware, software, or procedural mechanisms that record and examine activity in information systems containing ePHI. Integrity controls protect ePHI from improper alteration or destruction. Transmission security requires protecting ePHI transmitted over electronic communications networks.
HIPAA's technical safeguards designation distinguishes between "required" and "addressable" implementation specifications. Required specifications must be implemented. Addressable specifications must be implemented if reasonable and appropriate; if not, the covered entity must document why and implement an equivalent alternative. Encryption is an addressable specification, meaning HIPAA doesn't categorically mandate encryption but requires it unless the organisation can document a reasonable alternative. In practice, the documentation burden for not encrypting typically makes encryption the practical default.
HIPAA breach notification: the operational clock
HIPAA's Breach Notification Rule creates one of the most operationally demanding aspects of compliance. The definition of "breach" and the notification timelines create pressure that reveals data security programme maturity.
A breach under HIPAA is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. "Unsecured" specifically means PHI that has not been rendered unusable, unreadable, or indecipherable primarily through encryption meeting NIST standards. Encrypted PHI that is breached does not trigger notification obligations under the Safe Harbor provision, which is one of the strongest arguments for encrypting PHI at rest and in transit.
The 60-day notification window to affected individuals starts from the date a covered entity or business associate discovers the breach. Discovery is defined as when the breach is known, or when an employee or agent should reasonably have known. The clock doesn't wait for investigation completion.
For breaches affecting 500 or more individuals, notification to HHS must also occur within 60 days. Large breaches appear on the HHS "Wall of Shame", a publicly searchable database of significant HIPAA breaches, creating reputational consequences beyond the regulatory ones.
What does defensible breach response actually require? Knowing what ePHI was involved at the record level, not just the system level. Understanding how far the breached data propagated: to which downstream systems, which business associates, which individuals. Producing evidence of what access controls were in place, when the breach was discovered, and what remediation steps were taken. None of that is possible without continuous data discovery, classification, lineage tracking, and audit logging operating before the breach occurs.
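The notification logic described above (Safe Harbor for NIST-encrypted PHI, the 60-day individual notice clock from discovery, the 500-per-state media threshold, and the large-versus-small HHS reporting split) as an added worked example; this is not code from the original page, and the Incident record and its constructed sample values are assumptions for illustration only.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTIFY_WINDOW_DAYS = 60        # individual notice, and HHS notice for large breaches
MEDIA_THRESHOLD = 500          # residents of one state/jurisdiction triggers media notice
LARGE_BREACH_THRESHOLD = 500   # total individuals; below this HHS gets an annual report


@dataclass
class Incident:
    # Hypothetical incident record (assumed structure, not from the page).
    discovered_on: date                 # when the breach was known or should have been known
    encrypted_to_nist: bool             # PHI rendered unusable by NIST-conformant encryption
    affected_by_state: Dict[str, int] = field(default_factory=dict)


@dataclass
class Obligations:
    notification_required: bool
    individual_notice_by: Optional[date]
    media_notice_states: List[str]
    hhs_notice: str


def assess(incident: Incident) -> Obligations:
    """Derive the Breach Notification Rule obligations for one incident."""
    # Safe Harbor: encrypted PHI is not "unsecured", so no notification is triggered.
    if incident.encrypted_to_nist:
        return Obligations(False, None, [], "not required (Safe Harbor)")
    # The clock runs from discovery, not from the end of the investigation.
    deadline = incident.discovered_on + timedelta(days=NOTIFY_WINDOW_DAYS)
    media = sorted(s for s, n in incident.affected_by_state.items() if n >= MEDIA_THRESHOLD)
    total = sum(incident.affected_by_state.values())
    if total >= LARGE_BREACH_THRESHOLD:
        hhs = f"within 60 days of discovery (by {deadline.isoformat()})"
    else:
        hhs = "annual report (breach affecting fewer than 500 individuals)"
    return Obligations(True, deadline, media, hhs)


if __name__ == "__main__":
    # Constructed sample: one unencrypted incident spanning two states.
    sample = Incident(date(2024, 3, 1), False, {"TX": 620, "OK": 40})
    print(assess(sample))
```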
HIPAA enforcement and penalties
HIPAA enforcement is administered by the Office for Civil Rights (OCR) within HHS, which investigates complaints and conducts compliance reviews. Penalties are tiered based on culpability.
Violations without knowledge of the violation carry minimum penalties of $100 per violation, with a cap of $25,000 per identical violation category per year. At the other end, violations due to wilful neglect not corrected within 30 days carry minimum penalties of $50,000 per violation, with an annual cap of $1.9 million per category.
Significant enforcement actions include: Advocate Health Care Network settled for $5.55 million after three laptop breaches; Triple-S Management Corporation settled for $3.5 million; Premera Blue Cross settled for $6.85 million following a breach affecting 10.4 million individuals. The scale of settlements in major cases reflects both the penalty structure and the leverage OCR has when a large-scale breach reveals systemic compliance failures.
Beyond federal enforcement, state attorneys general can also bring HIPAA enforcement actions, and HIPAA violations can expose organisations to reputational damage, contract termination by covered entity partners, and state privacy law liability.
What HIPAA compliance operationally requires for data security
The Security Rule's requirements translate into specific data security programme needs.
A complete, current ePHI inventory is the prerequisite. The risk analysis can't be performed without it. Access control can't be scoped without it. Breach scope can't be determined without it. An inventory built from periodic scanning degrades immediately as new systems are provisioned and new integrations are created. Continuous automated discovery that maintains a current ePHI map is the operational foundation.
Accurate PHI classification across structured and unstructured environments catches the EHR database and the clinical notes document and the patient discharge letter in the shared drive. Rule-based classification working only against structured fields misses significant portions of the ePHI estate.
Audit logging and access monitoring satisfy the audit controls and activity review requirements and provide the evidence base for breach investigation. Logs must be tamper-resistant, sufficiently detailed to support forensic investigation, and retained for the period required by HIPAA's record retention standards.
Minimum necessary access controls require knowing who currently has access to ePHI systems, whether that access is appropriate to their role, and whether access has been revoked when no longer needed. Access reviews against a continuously maintained ePHI inventory surface over-privileged access before it becomes an enforcement finding.
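An added example, not code from the original page, of the access review just described, also covering the unique-user-identification requirement from the technical safeguards section: each access grant is checked against a current ePHI inventory, role entitlements and workforce status. The inventory, roles, account names and finding codes are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample data (hypothetical systems and roles, not from any real organisation).
EPHI_INVENTORY: Set[str] = {"ehr-db", "billing-app", "shared-drive"}

ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "clinician": {"ehr-db"},
    "billing": {"billing-app"},
    "dba": {"ehr-db", "billing-app"},
}


@dataclass
class Grant:
    account: str
    system: str
    user: str            # workforce member behind the account; "" for a shared account
    role: str
    active_employee: bool


Finding = Tuple[str, str, str]   # (account, system, finding code)


def review_access(grants: List[Grant]) -> List[Finding]:
    """Flag grants that conflict with the Security Rule expectations on the page."""
    findings: List[Finding] = []
    for g in grants:
        if g.system not in EPHI_INVENTORY:
            # Breach scope and risk analysis cannot cover a system nobody inventoried.
            findings.append((g.account, g.system, "inventory_gap"))
        elif not g.user:
            # Shared logins defeat unique user identification and audit attribution.
            findings.append((g.account, g.system, "shared_account"))
        elif not g.active_employee:
            # Access must be revoked when no longer needed.
            findings.append((g.account, g.system, "not_revoked"))
        elif g.system not in ROLE_ENTITLEMENTS.get(g.role, set()):
            # Minimum necessary: the role does not justify this system.
            findings.append((g.account, g.system, "exceeds_role"))
    return findings


if __name__ == "__main__":
    sample = [Grant("asmith", "ehr-db", "asmith", "clinician", True),
              Grant("nurse-shared", "ehr-db", "", "clinician", True)]
    for f in review_access(sample):
        print(f)
```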
Frequently asked questions
What does HIPAA stand for?
HIPAA stands for the Health Insurance Portability and Accountability Act, a US federal law enacted in 1996. Its privacy and security provisions, along with subsequent rulemaking, establish national standards for protecting Protected Health Information held by covered entities and their business associates.
Who must comply with HIPAA?
Covered entities like healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses must comply with HIPAA. Business associates, organisations that perform functions for covered entities involving PHI use or disclosure, have direct HIPAA obligations and must sign Business Associate Agreements. Business associates' subcontractors have equivalent obligations when they handle PHI.
What are the three HIPAA rules?
The Privacy Rule governs PHI use and disclosure in all formats, establishes minimum necessary standards, and defines individual rights. The Security Rule establishes administrative, physical, and technical safeguards for electronic PHI. The Breach Notification Rule requires notification to affected individuals, HHS, and sometimes media following a breach of unsecured PHI.
What are HIPAA's technical safeguards?
The Security Rule's technical safeguards include access controls (unique user identification, automatic logoff, encryption), audit controls (mechanisms recording and examining system activity), integrity controls protecting ePHI from improper alteration, and transmission security protecting ePHI in electronic communications. Encryption is an addressable specification — required unless documented alternatives are implemented.
What triggers a HIPAA breach notification?
A HIPAA breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. Unsecured means not encrypted to NIST standards. When a breach of unsecured PHI occurs, covered entities must notify affected individuals within 60 days of discovery. Breaches affecting 500 or more residents of a state require media notification. All breaches must be reported to HHS.
