What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 to protect sensitive patient health information. While originally focused on insurance portability, its privacy and security provisions have become the cornerstone of healthcare data protection in the United States.
- Enacted: 1996 (Security Rule effective 2005)
- Enforced by: HHS Office for Civil Rights (OCR)
- Protects: Protected Health Information (PHI)
- Applies to: Covered Entities and Business Associates
- Penalties: Up to $1.5M per violation category annually
Who Must Comply with HIPAA?
HIPAA applies to two categories of organizations: Covered Entities and Business Associates.
Covered Entities
Organizations that are directly regulated by HIPAA:
| Type | Examples |
|---|---|
| Healthcare Providers | Hospitals, clinics, doctors, dentists, pharmacies, nursing homes, any provider transmitting health information electronically |
| Health Plans | Health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid, military/veterans' health programs |
| Healthcare Clearinghouses | Organizations that process healthcare transactions or convert data between formats |
Business Associates
Organizations that perform functions involving PHI on behalf of covered entities:
- Technology Vendors: EHR systems, cloud hosting providers, SaaS platforms
- Service Providers: Billing companies, claims processors, transcription services
- Consultants: IT consultants, accountants, lawyers with PHI access
- Data Analytics: Companies analyzing health data
- Shredding/Destruction: Document destruction services
Are You a Business Associate?
Ask yourself:
- Do you create, receive, maintain, or transmit PHI?
- Do you perform functions or activities on behalf of a covered entity?
- Do you provide services to a covered entity involving PHI disclosure?
If yes to any of these, you're likely a Business Associate and must comply with HIPAA.
Understanding Protected Health Information (PHI)
PHI is any information that can identify an individual and relates to their health, healthcare, or payment for healthcare.
The 18 HIPAA Identifiers
Information is considered PHI if it includes any of these identifiers:
- Names
- Geographic data smaller than state
- Dates (except year) related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photographs
- Any other unique identifying number or code
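The identifier list above is the test a de-identification routine has to apply. The following added example (not part of this guide) scans a constructed patient record for a subset of those identifier classes (dates, SSNs, phone numbers, email addresses, IPv4 addresses, plus fields that are identifiers by definition such as name and medical record number), reports which classes were found, and scrubs them, keeping only the year of each date as the list permits. The record layout, field names and regular expressions are assumptions; the remaining identifier classes are deliberately left unhandled so the partial coverage is visible.

```python
"""Added example (not from the guide): detect and scrub several of the
18 HIPAA Safe Harbor identifier classes in a constructed patient record.

Assumptions (hypothetical): the record is a flat dict of strings; only
dates, SSNs, phone numbers, email addresses and IPv4 addresses are
matched by pattern, and only the listed field names are treated as
direct identifiers. The other identifier classes on the page (geographic
data, biometrics, photographs, URLs, ...) are not handled here.
"""
import re
from typing import Dict, List

# Pattern-matched identifier classes, checked in this order.
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"),
}

# ISO dates: the year may remain, so YYYY-MM-DD is reduced to YYYY.
DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")

# Fields that are identifiers whatever their contents (assumed names).
DIRECT_IDENTIFIER_FIELDS = {"name", "mrn", "account_number", "beneficiary_id"}

# Constructed sample, not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-00012345",
    "dob": "1984-03-17",
    "note": "Pt called from 555-867-5309, email jane.doe@example.org, "
            "portal login from 192.168.1.100 on 2024-05-02. Hx of asthma.",
}


def find_identifiers(text: str) -> List[str]:
    """Return the sorted identifier classes detected in a free-text value."""
    found = [label for label, pattern in PATTERNS.items() if pattern.search(text)]
    if DATE.search(text):
        found.append("date")
    return sorted(found)


def scrub_value(value: str) -> str:
    """Mask recognised identifiers and reduce full dates to the year only."""
    out = DATE.sub(r"\1", value)  # 1984-03-17 -> 1984
    for label, pattern in PATTERNS.items():
        out = pattern.sub(f"[{label.upper()} REMOVED]", out)
    return out


def scrub_record(record: Dict[str, str]) -> Dict[str, str]:
    """Drop direct-identifier fields outright; scrub free text in the rest."""
    cleaned = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            cleaned[field] = "[REMOVED]"
        else:
            cleaned[field] = scrub_value(value)
    return cleaned


if __name__ == "__main__":
    print(find_identifiers(SAMPLE_RECORD["note"]))
    print(scrub_record(SAMPLE_RECORD))
```

Running the block reports the classes present in the note and prints the scrubbed record; a real pipeline would extend `PATTERNS` and `DIRECT_IDENTIFIER_FIELDS` to cover all 18 classes and would treat any unmatched free text as still potentially identifying.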
ePHI (Electronic PHI)
PHI in electronic form—stored on computers, transmitted electronically, or on portable media. The Security Rule specifically addresses ePHI protection.
The Four HIPAA Rules
1. Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164)
Establishes standards for protecting PHI in any form (paper, electronic, verbal).
Key requirements:
- Limit PHI use and disclosure to minimum necessary
- Provide patients with Notice of Privacy Practices
- Grant patients access to their health records
- Allow patients to request corrections
- Track PHI disclosures
- Obtain authorization for non-standard uses
2. Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)
Establishes standards for protecting ePHI through administrative, physical, and technical safeguards.
Key requirements:
- Conduct risk analysis
- Implement administrative safeguards (policies, training, access management)
- Implement physical safeguards (facility access, workstation security)
- Implement technical safeguards (access controls, encryption, audit controls)
3. Breach Notification Rule (45 CFR §§ 164.400-414)
Requires notification following a breach of unsecured PHI.
Key requirements:
- Notify affected individuals within 60 days of discovery
- Notify HHS (immediately for breaches affecting 500+ individuals)
- Notify media for breaches affecting 500+ in a state/jurisdiction
- Document breach investigations and responses
4. Enforcement Rule (45 CFR Part 160, Subparts C, D, and E)
Establishes investigation procedures and penalties for HIPAA violations.
Key Implementation Requirements
Administrative Requirements
- Designate a Privacy Officer
- Designate a Security Officer
- Develop and implement privacy policies
- Develop and implement security policies
- Conduct workforce training
- Execute Business Associate Agreements
- Conduct regular risk assessments
- Implement sanction policies for violations
- Document compliance activities
Technical Requirements
- Unique user identification
- Automatic logoff
- Encryption of ePHI at rest and in transit
- Audit controls and logging
- Access controls (role-based)
- Integrity controls
- Transmission security
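Four of the technical requirements listed above (unique user identification, role-based access control, automatic logoff, and audit controls with integrity protection) can be shown working together in a few dozen lines. The following added example is not from this guide: it is a small gateway in front of ePHI access that checks an idle timeout, consults a role table, and writes every allowed and denied request to a hash-chained audit log whose entries cannot be silently edited or deleted. The role table, the 15-minute idle limit, the action names and the log fields are all assumptions.

```python
"""Added example (not from the guide): an access gateway for ePHI that
demonstrates unique user IDs, role-based access control, automatic
logoff and a tamper-evident audit log.

Assumptions (hypothetical): the role-to-permission table, the 15-minute
idle limit, the action names and the audit log fields below are
illustrative, not taken from any regulation or product.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Set

IDLE_LIMIT_SECONDS = 15 * 60  # assumed automatic-logoff threshold

# Assumed role table: which roles may perform which action.
ROLE_PERMISSIONS: dict = {
    "physician": {"read_chart", "write_chart"},
    "billing": {"read_billing"},
    "auditor": {"read_audit_log"},
}


@dataclass
class Session:
    user_id: str        # one ID per person; shared accounts are never issued
    role: str
    last_activity: float  # seconds since epoch of the last request


class AuditLog:
    """Append-only log; each entry carries the hash of the previous entry,
    so any edit or deletion in the middle breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []
        self._prev_hash = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, **fields) -> None:
        entry = dict(fields, prev=self._prev_hash)
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev_hash = entry["hash"]

    def verify(self) -> bool:
        """True if every entry's hash and back-link are intact."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body.get("prev") != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class PhiGateway:
    def __init__(self, log: AuditLog) -> None:
        self.log = log

    def access(self, session: Session, action: str, patient_id: str, now: float) -> bool:
        """Decide one request; every outcome, including denials, is logged."""
        if now - session.last_activity > IDLE_LIMIT_SECONDS:
            # Automatic logoff: an idle session is refused and must re-authenticate.
            self.log.record(user=session.user_id, action=action,
                            patient=patient_id, result="denied_idle_logoff", ts=now)
            return False
        session.last_activity = now
        permitted: Set[str] = ROLE_PERMISSIONS.get(session.role, set())
        result = "allowed" if action in permitted else "denied_role"
        self.log.record(user=session.user_id, action=action,
                        patient=patient_id, result=result, ts=now)
        return result == "allowed"


if __name__ == "__main__":
    log = AuditLog()
    gw = PhiGateway(log)
    s = Session(user_id="u-1001", role="billing", last_activity=1000.0)
    print(gw.access(s, "read_billing", "p-42", now=1010.0))   # allowed
    print(gw.access(s, "read_chart", "p-42", now=1020.0))     # denied by role
    print(gw.access(s, "read_billing", "p-42", now=1020.0 + 16 * 60))  # idle logoff
    print(log.verify())
```

Passing `now` in explicitly keeps the idle check testable; in production it would be the clock. The chained hashes only detect tampering, so the log still needs to be shipped to a store the logged users cannot write to.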
Physical Requirements
- Facility access controls
- Workstation use policies
- Workstation security
- Device and media controls
HIPAA Implementation Roadmap
- Determine your role (Covered Entity or Business Associate)
- Inventory all PHI and ePHI
- Map data flows
- Conduct initial risk assessment
- Identify gaps against requirements
- Designate Privacy and Security Officers
- Develop Privacy Policies
- Develop Security Policies
- Create Notice of Privacy Practices
- Draft Business Associate Agreement templates
- Develop incident response procedures
- Create training materials
- Implement access controls
- Deploy encryption solutions
- Configure audit logging
- Implement backup and recovery
- Secure physical facilities
- Configure workstation security
- Train all workforce members
- Execute BAAs with business associates
- Implement ongoing monitoring
- Establish audit schedule
- Test incident response procedures
Penalties & Enforcement
HIPAA penalties have increased significantly under the HITECH Act. OCR actively investigates complaints and conducts audits.
Civil Penalties (Per Violation)
| Violation Category | Min Per Violation | Max Per Violation | Annual Cap |
|---|---|---|---|
| Did Not Know | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect (Corrected) | $10,000 | $50,000 | $250,000 |
| Willful Neglect (Not Corrected) | $50,000 | $50,000 | $1,500,000 |
Criminal Penalties
- Knowingly obtaining/disclosing PHI: Up to $50,000 and 1 year imprisonment
- Under false pretenses: Up to $100,000 and 5 years imprisonment
- With intent to sell/harm: Up to $250,000 and 10 years imprisonment
HIPAA compliance isn't optional. OCR has issued hundreds of millions in penalties and conducts regular audits. Even if you're a small Business Associate, a breach can result in significant financial and reputational damage.