Health Insurance Portability and Accountability Act
Public Law 104-191 — Enacted August 21, 1996
The primary US federal law governing the privacy and security of protected health information (PHI). HIPAA sets national standards for electronic healthcare transactions, requires safeguards for PHI, and grants patients rights over their health data. It applies to covered entities and their business associates.
$2.13M
max per violation category per year
+ criminal penalties up to $250K & 10 years
Who Must Comply?
Covered Entities
Health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.
Business Associates
Any person or entity that performs functions involving PHI on behalf of a covered entity (IT vendors, billing companies, cloud providers, etc.).
Banking Relevance
Banks managing health savings accounts (HSAs), processing healthcare payments, or providing insurance products may qualify as business associates under HIPAA.
The 3 HIPAA Rules
Privacy Rule 45 CFR Part 160 & 164
- Sets standards for when PHI may be used or disclosed
- Establishes patient rights (access, amendment, accounting of disclosures)
- Requires minimum necessary standard — only use/disclose the minimum PHI needed
- Mandates Notice of Privacy Practices (NPP)
- Requires written authorization for most non-TPO uses
Security Rule 45 CFR Part 164.302-318
- Applies specifically to electronic PHI (ePHI)
- Requires administrative, physical, and technical safeguards
- Risk analysis and risk management are required
- Must implement access controls, audit controls, integrity controls, transmission security
- Workforce training mandatory
Breach Notification Rule 45 CFR 164.400-414
- Notify affected individuals without unreasonable delay (max 60 days)
- Notify HHS for all breaches
- Breaches affecting 500+ individuals: notify prominent media outlet
- Annual log submission for breaches affecting <500 individuals
- Business associates must notify covered entities of breaches
What is Protected Health Information (PHI)?
PHI is any individually identifiable health information held or transmitted by a covered entity or its business associate. The 18 HIPAA identifiers are:
1. Names
2. Geographic data (smaller than state)
3. Dates (except year) related to individual
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers & serial numbers
13. Device identifiers & serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers
17. Full-face photographs
18. Any other unique identifying number
De-identification:
Data can be de-identified (and thus no longer PHI) by removing all 18 identifiers (Safe Harbor method) or through expert statistical determination (Expert Determination method).
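As an added illustration (not code from the original page), the Safe Harbor method applied to a single record in Python, following the page's summary of the identifier list: direct identifiers are dropped, dates keep only the year, geography finer than state is removed, and identifiers that leak into free text are scrubbed. The field names, value formats and the sample record are assumptions made for the example.

```python
import re
# Constructed sample record; every value is made up for illustration.
SAMPLE_RECORD = {
    "name": "Jane Example", "ssn": "123-45-6789", "mrn": "MRN-0099817",
    "email": "jane@example.test", "phone": "(555) 555-0100",
    "dob": "1956-03-14", "admit_date": "2023-11-02",
    "zip": "90210", "city": "Beverly Hills", "state": "CA",
    "ip": "203.0.113.7", "age": 67, "diagnosis": "Type 2 diabetes",
    "notes": "Pt Jane Example (MRN-0099817) reached at jane@example.test, IP 203.0.113.7.",
}

# Field names assumed to hold direct identifiers from the 18-item list
# (names, geography finer than state, contact details, SSN/MRN/account numbers, IPs).
DIRECT_ID_FIELDS = {"name", "ssn", "mrn", "email", "phone", "fax", "ip", "url", "zip",
                    "city", "street", "account_no", "plan_id", "license", "device_id"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Assumed value formats for identifiers that leak into free-text fields.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\bMRN-\d+\b"), "[MRN]"),
    (re.compile(r"\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"), "[PHONE]"),
]

def scrub_text(text, names=()):
    """Replace the patient's name and pattern-matched identifiers inside free text."""
    for name in names:
        text = re.sub(re.escape(name), "[NAME]", text, flags=re.IGNORECASE)
    for pattern, token in TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def safe_harbor(record):
    """Drop direct identifiers, keep only the year of dates and nothing finer than state."""
    names = [record["name"]] if record.get("name") else []
    out = {}
    for key, value in record.items():
        if key in DIRECT_ID_FIELDS:
            continue  # dropped outright
        if key in DATE_FIELDS:
            out[key] = str(value)[:4]  # ISO yyyy-mm-dd -> year only
        elif key == "age":
            out[key] = "90+" if int(value) > 89 else value  # Safe Harbor age cap
        elif isinstance(value, str):
            out[key] = scrub_text(value, names)
        else:
            out[key] = value
    return out
```

The age cap is the Safe Harbor rule that ages over 89 must be aggregated into a single "90 or older" category; a real pipeline would also need a decision on whether any retained year or aggregate still identifies a small population.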
Security Rule Safeguards 45 CFR 164.308-312
Administrative Safeguards
- Security management process & risk analysis
- Assigned security responsibility (Security Officer)
- Workforce security & training
- Information access management
- Contingency plan (backup, disaster recovery)
- Evaluation & business associate contracts
Physical Safeguards
- Facility access controls
- Workstation use & security policies
- Device and media controls
- Proper disposal of PHI media
- Data backup before moving equipment
- Accountability for hardware/media movement
Technical Safeguards
- Access control (unique user IDs, emergency access)
- Audit controls (hardware, software, procedural)
- Integrity controls (mechanism to authenticate ePHI)
- Person or entity authentication
- Transmission security (encryption for ePHI in transit)
Patient Rights Under HIPAA
Right to Access
View and obtain copy of PHI (30 days)
Right to Amend
Request corrections to PHI
Accounting of Disclosures
Know who received their PHI
Right to Restrict
Request limits on use/disclosure
Confidential Communications
Request alternative contact methods
Notice of Privacy Practices
Receive description of privacy practices
Key Organizational Requirements
| Requirement | HIPAA Reference | What It Means | Platform Feature |
|---|---|---|---|
| Risk Analysis | § 164.308(a)(1) | Conduct an accurate, thorough assessment of potential risks to ePHI | CDE Registry identifies sensitive data |
| Policies & Procedures | § 164.316 | Implement reasonable policies & procedures to comply with HIPAA | DG Concepts + governance framework |
| Training | § 164.308(a)(5) | Train all workforce members on PHI handling and security awareness | Platform Guide + Glossary |
| Access Controls | § 164.312(a) | Implement technical policies to restrict access to authorized users only | Users & Roles with RBAC |
| Audit Controls | § 164.312(b) | Implement hardware, software, and procedures to record system activity | Audit Log tracks all changes |
| Business Associate Agreements | § 164.308(b) | Written contracts with all business associates ensuring PHI protection | Lineage maps data flows to external systems |
| Data Inventory | § 164.308(a)(1) | Identify where all ePHI is created, received, maintained, or transmitted | Technical Metadata + Glossary |
Penalty Structure (HITECH Act)
| Tier | Culpability Level | Per Violation | Annual Maximum |
|---|---|---|---|
| Tier 1 | Did not know (and reasonably should not have known) | $137 – $68,928 | $2,067,813 |
| Tier 2 | Reasonable cause, not willful neglect | $1,379 – $68,928 | $2,067,813 |
| Tier 3 | Willful neglect, corrected within 30 days | $13,785 – $68,928 | $2,067,813 |
| Tier 4 | Willful neglect, not corrected | $68,928 | $2,067,813 |
Criminal Penalties
Knowingly obtaining/disclosing PHI: up to $50,000 fine + 1 year imprisonment
Under false pretenses: up to $100,000 + 5 years
With intent to sell or harm: up to $250,000 + 10 years
State Attorney General
State AGs can bring civil actions on behalf of residents for HIPAA violations. Damages up to $25,000 per violation category per calendar year, per state. Many states also have their own health privacy laws with additional penalties.
HIPAA vs GDPR: Quick Comparison
| Aspect | HIPAA | GDPR |
|---|---|---|
| Scope | Healthcare entities + business associates (US) | Any organization processing EU residents' data (global) |
| Data Covered | Protected Health Information (PHI) only | All personal data |
| Consent | Not always required (TPO exception) | One of six lawful bases, must be freely given |
| Right to Delete | No general right to erasure | Right to erasure ("right to be forgotten") |
| Breach Notification | 60 days to individuals | 72 hours to authority, "without undue delay" to individuals |
| Enforcement | HHS Office for Civil Rights (OCR) | National Data Protection Authorities (DPAs) |
| Max Penalty | ~$2.1M/year per category + criminal | €20M or 4% global turnover |