The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. HIPAA ensures that individuals' health information is properly protected while allowing the flow of health data needed to provide quality healthcare.
HIPAA consists of several key rules, each covered below: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the enforcement provisions that set civil and criminal penalties.
Did You Know?
In 2024, over 720 healthcare data breaches were reported to HHS, affecting more than 133 million individuals. Most breaches result from employee negligence and noncompliance, not external hacking.
HIPAA applies to "Covered Entities" and their "Business Associates" who handle protected health information.
- Healthcare providers: doctors, clinics, hospitals, dentists, chiropractors, nursing homes, pharmacies
- Health plans: health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid
- Healthcare clearinghouses: entities that process health information between providers and payers
- Business associates: IT vendors, billing companies, cloud providers, consultants handling PHI
Important: Since the 2013 HIPAA Omnibus Rule, business associates carry the same compliance burden and liability as covered entities. Vendors can be directly fined and prosecuted for violations, making HIPAA compliance essential for any company serving the healthcare industry.
The Privacy Rule establishes national standards for protecting individually identifiable health information. It addresses the use and disclosure of PHI by covered entities and gives patients specific rights over their health information.
- Right of access: patients can request and receive copies of their health records within 30 days.
- Right to amend: patients can request corrections to inaccurate or incomplete health information.
- Accounting of disclosures: patients can request a list of disclosures made of their PHI.
- Right to request restrictions: patients can request restrictions on how their PHI is used or disclosed.
- Confidential communications: patients can request to receive communications through alternative means.
- Notice of Privacy Practices: patients must receive a notice explaining their rights.
The Security Rule establishes national standards for protecting electronic protected health information (ePHI). It requires three types of safeguards: administrative, physical, and technical.
- Administrative safeguards: policies and procedures that manage the selection, development, and maintenance of security measures.
- Physical safeguards: physical measures to protect electronic systems, buildings, and equipment from unauthorized access.
- Technical safeguards: technology and procedures that protect ePHI and control access to it.
The Security Rule contains both "required" and "addressable" implementation specifications. Addressable does not mean optional. Organizations must implement addressable specifications unless they can document that the specification is not reasonable or appropriate in their environment AND implement an equivalent alternative measure. In most cases, covered entities have no option but to implement addressable specifications to provide adequate protection.
When a breach of unsecured PHI occurs, covered entities must follow specific notification procedures. A breach is presumed unless you can demonstrate a low probability that the PHI was compromised.
- Risk assessment: evaluate the nature of the PHI involved, who accessed it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated.
- Notify affected individuals: send written notification within 60 days describing what happened, the types of PHI involved, and protective steps.
- Notify HHS: report breaches affecting 500+ individuals within 60 days. Smaller breaches must be logged and reported annually.
- Notify the media: breaches affecting 500+ residents of a state require notification to prominent local media outlets.
- Document and retain: maintain records of the breach, investigation, notifications, and remediation for at least 6 years.
Prevention Tip
HIPAA only requires breach notification for unsecured PHI. PHI encrypted in line with HHS guidance counts as secured because it is unusable to unauthorized individuals. Encrypt ePHI both at rest and in transit to minimize breach notification requirements.
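The notification procedure and the encryption safe harbor above combine into a small decision helper that an incident responder can run against a breach record. The following is an added example, not code from the original page; it assumes the 60-day clocks start on the discovery date, models the four-factor risk assessment as four yes/no findings that must all favour low risk before notification can be waived (a deliberately conservative simplification), and uses constructed sample incidents.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)   # individual notice and large-breach HHS report deadline
HHS_LARGE_BREACH = 500               # 500+ individuals: report to HHS within 60 days, else annual log
MEDIA_THRESHOLD_PER_STATE = 500      # 500+ residents of one state: notify prominent local media
RETENTION_YEARS = 6                  # keep breach documentation at least this long


@dataclass
class RiskAssessment:
    """Four-factor assessment. Each flag is True when that factor favours a low
    probability of compromise. Assumed modelling rule: all four must be favourable."""
    limited_phi: bool          # nature/extent of PHI: few identifiers, low re-identification risk
    recipient_obligated: bool  # unauthorized recipient is itself bound by HIPAA or confidentiality
    not_viewed: bool           # evidence that the PHI was not actually acquired or viewed
    mitigated: bool            # e.g. data returned or destroyed with written assurances

    def low_probability_of_compromise(self) -> bool:
        return all((self.limited_phi, self.recipient_obligated, self.not_viewed, self.mitigated))


@dataclass
class BreachRecord:
    discovered: date
    affected_by_state: dict      # state code -> number of affected residents
    phi_encrypted: bool          # encrypted per HHS guidance => secured, so not "unsecured PHI"
    assessment: RiskAssessment


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anniversary in a non-leap year falls to the 28th."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def notification_plan(breach: BreachRecord) -> dict:
    """Decide whether notification is required and, if so, who must be told by when."""
    # Safe harbor: the Breach Notification Rule only reaches unsecured PHI.
    if breach.phi_encrypted:
        return {"notification_required": False,
                "reason": "PHI was encrypted (secured), so it is not unsecured PHI"}
    # A breach is presumed unless the documented assessment shows low probability of compromise.
    if breach.assessment.low_probability_of_compromise():
        return {"notification_required": False,
                "reason": "documented four-factor assessment shows low probability of compromise"}
    total = sum(breach.affected_by_state.values())
    deadline = breach.discovered + NOTIFY_WINDOW
    return {
        "notification_required": True,
        "total_affected": total,
        "individual_notice_by": deadline,
        "hhs_report": deadline if total >= HHS_LARGE_BREACH else "log; include in annual report to HHS",
        "media_notice_states": sorted(s for s, n in breach.affected_by_state.items()
                                      if n >= MEDIA_THRESHOLD_PER_STATE),
        "retain_records_until": add_years(breach.discovered, RETENTION_YEARS),
    }


# Constructed sample incidents (not real cases).
UNFAVOURABLE = RiskAssessment(limited_phi=False, recipient_obligated=False,
                              not_viewed=False, mitigated=False)
LOST_LAPTOP_UNENCRYPTED = BreachRecord(date(2024, 3, 1), {"CA": 800, "NV": 400}, False, UNFAVOURABLE)
LOST_LAPTOP_ENCRYPTED = BreachRecord(date(2024, 3, 1), {"CA": 800, "NV": 400}, True, UNFAVOURABLE)
MISDIRECTED_FAX = BreachRecord(date(2024, 7, 15), {"TX": 120}, False,
                               RiskAssessment(limited_phi=False, recipient_obligated=True,
                                              not_viewed=False, mitigated=True))

if __name__ == "__main__":
    for name, incident in [("unencrypted laptop", LOST_LAPTOP_UNENCRYPTED),
                           ("encrypted laptop", LOST_LAPTOP_ENCRYPTED),
                           ("misdirected fax", MISDIRECTED_FAX)]:
        print(name, notification_plan(incident))
```

The two laptop incidents differ only in the encryption flag, which is the whole point of the prevention tip: the same lost device is a reportable 1,200-person breach with media notice in California when the disk is unencrypted, and no notifiable breach at all when it is encrypted. The misdirected fax shows the smaller-breach path, where HHS gets the incident through the annual log rather than a 60-day report.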
HIPAA enforcement uses a four-tier penalty system based on the level of culpability. Penalties are adjusted annually for inflation.
| Tier | Culpability | Per Violation | Annual Cap |
|---|---|---|---|
| Tier 1 | Lack of knowledge: the organization was unaware of the violation and could not reasonably have known of it. | $137 - $68,928 | $35,581 |
| Tier 2 | Reasonable cause: the organization should have known about the violation, but it was not due to willful neglect. | $1,379 - $68,928 | $142,355 |
| Tier 3 | Willful neglect (corrected): the violation was due to willful neglect but was corrected within 30 days. | $13,785 - $68,928 | $355,808 |
| Tier 4 | Willful neglect (not corrected): the violation was due to willful neglect and was not corrected within 30 days. | $68,928 - $2,067,813 | $2,067,813 |
Criminal penalties for individuals who knowingly obtain or disclose PHI also scale with intent:
- Tier 1, wrongful disclosure: up to 1 year in jail and a $50,000 fine
- Tier 2, false pretenses: up to 5 years in jail and a $100,000 fine
- Tier 3, commercial or malicious intent: up to 10 years in jail and a $250,000 fine
In December 2024, HHS proposed the first major update to the HIPAA Security Rule since its inception. These changes significantly strengthen cybersecurity requirements for healthcare organizations.
- Mandatory MFA: multi-factor authentication required for all ePHI access
- Enhanced encryption: stricter encryption requirements for data at rest and in transit
- 72-hour notification: faster breach reporting timeline to HHS
- Annual security audits: required yearly compliance assessments
- Network segmentation: isolate systems containing ePHI from general networks
- Vulnerability scanning: regular automated security scanning requirements
- Anti-malware protection: enhanced malware detection and prevention
- Documentation updates: more rigorous risk analysis documentation
Start preparing now. Take our assessment to identify gaps in your current compliance program.