verified_user
Standardful
Homechevron_rightStandardschevron_rightHIPAA
ActiveInternational Standardupdate Standard Updated: December 2024fact_check Fact checked: Jun 28, 2026

HIPAA

Health Insurance Portability and Accountability Act — US Public Law 104-191

apartmentPublishing Organization:U.S. Department of Health and Human Services (HHS)

Standard Introduction

The Health Insurance Portability and Accountability Act (HIPAA) is a foundational US federal law enacted in August 1996 to protect sensitive patient health information from being disclosed without patient consent or knowledge. HIPAA establishes national standards for the protection of Protected Health Information (PHI), ensuring that healthcare providers, health plans, healthcare clearinghouses, and their business associates implement appropriate safeguards. The law comprises multiple rules including the Privacy Rule (effective April 2003), Security Rule (effective April 2005), and Breach Notification Rule (enforceable September 2009). HIPAA applies to 'covered entities' - healthcare providers conducting electronic transactions, health plans, and healthcare clearinghouses - as well as 'business associates' who handle PHI on behalf of covered entities.

HIPAA compliance requires implementing three categories of safeguards: Administrative (policies, procedures, training), Physical (facility access controls, workstation security), and Technical (access controls, encryption, audit controls). The Privacy Rule governs the use and disclosure of PHI, granting patients rights to access their records, request corrections, and receive an accounting of disclosures. The Security Rule specifically addresses electronic PHI (ePHI) protection through required and addressable implementation specifications. Recent updates include the 2024 Reproductive Health Privacy Rule and proposed 2025 cybersecurity enhancements addressing ransomware and hacking threats. The HHS Office for Civil Rights (OCR) enforces HIPAA through audits and investigations, with penalties ranging from $100 to $50,000 per violation, up to $1.5 million per year for each violation category. The 2024-2025 HIPAA audit program focuses on Security Rule compliance related to cybersecurity threats.

local_hospital

Protected Health Information

Establishes national standards for protecting individually identifiable health information (PHI) — including electronic, paper, and oral forms.

vpn_key

Security Rule Safeguards

Requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).

notification_important

Breach Notification

Mandates notification to affected individuals, HHS, and (for large breaches) media within 60 days of discovering a breach of unsecured PHI.

list_alt Key Rules

  • Privacy Rule — limits use and disclosure of PHI
  • Security Rule — administrative, physical, and technical safeguards for ePHI
  • Breach Notification Rule — 60-day notification requirement
  • Enforcement Rule — investigation and penalty procedures
  • Minimum Necessary standard — limit PHI to what is needed
  • Business Associate Agreements (BAAs) required
  • Patient right to access their health records

Who Needs to Comply?

groups

Covered entities (health plans, healthcare clearinghouses, healthcare providers conducting electronic transactions) and their business associates that create, receive, maintain, or transmit PHI.

Key Requirements

1

Risk Analysis

Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization.

2

Access Controls

Implement technical policies and procedures to limit access to ePHI to only those persons and software programs that have been granted access rights. Includes unique user IDs, emergency access, and automatic logoff.

3

Business Associate Agreements

Execute written contracts with all business associates that create, receive, maintain, or transmit PHI on your behalf. BAAs must specify permitted uses and require safeguards.

4

Audit Controls

Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.

5

Workforce Training

Train all workforce members on HIPAA policies and procedures. Apply appropriate sanctions against employees who violate policies.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare and Scope

Determine whether your organization is a covered entity or a business associate, and identify all systems, workflows, and vendors that create, receive, maintain, or transmit PHI and ePHI. Appoint a Privacy Officer and a Security Officer, catalog data flows, and map where PHI lives across on-premises and cloud environments.

2
Phase 2schedule Duration: 3-6 weeks

Gap Analysis and Risk Analysis

Conduct the required Security Rule risk analysis to identify threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Compare current practices against the Privacy, Security, and Breach Notification Rules, then document gaps and prioritize remediation based on likelihood and impact.

3
Phase 3schedule Duration: 8-16 weeks

Implement Safeguards

Deploy administrative, physical, and technical safeguards such as access controls, audit logging, encryption of ePHI in transit and at rest, and workforce training. Execute Business Associate Agreements (BAAs) with all vendors that handle PHI, and adopt policies, procedures, and an incident response and breach notification process.

4
Phase 4schedule Duration: Ongoing

Audit and Maintain

Establish ongoing monitoring, periodic risk analysis updates, and internal audits to sustain compliance as systems and threats evolve. Review BAAs, retrain the workforce, test incident response, and maintain documentation for at least six years to demonstrate accountability to HHS OCR.

Compliance Checklist

0 / 13

checklist Administrative Safeguards

checklist Technical Safeguards

checklist Breach and Incident Response

Penalties & Enforcement

warning

Civil penalties range from $141 to $2,134,831 per violation depending on the level of culpability. Criminal penalties for knowing misuse include fines up to $250,000 and up to 10 years imprisonment. HHS OCR enforces through audits and investigations.

Frequently Asked Questions

Who must comply with HIPAA?

expand_more

HIPAA applies to covered entities, which include health plans, health care clearinghouses, and health care providers that transmit health information electronically for certain transactions. It also applies to business associates, which are vendors and subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity. Both categories are directly liable under the HIPAA Rules.

What is PHI and ePHI?

expand_more

PHI, or Protected Health Information, is individually identifiable health information held or transmitted by a covered entity or business associate in any form. ePHI is simply PHI created, stored, or transmitted in electronic form, and it is the specific focus of the HIPAA Security Rule. Both must be protected against unauthorized use and disclosure.

What is a BAA and when is it needed?

expand_more

A Business Associate Agreement (BAA) is a written contract that binds a vendor handling PHI to safeguard that data and use it only as permitted. A BAA is required whenever a covered entity discloses PHI to a business associate, and whenever a business associate uses a subcontractor that will access PHI. Without an executed BAA, sharing PHI with the vendor is generally a HIPAA violation.

What are the Security Rule safeguard categories, and what is a required risk analysis?

expand_more

The HIPAA Security Rule organizes protections into three categories: administrative safeguards (policies, training, and risk management), physical safeguards (facility access and device controls), and technical safeguards (access control, audit controls, integrity, and transmission security). A cornerstone of the administrative safeguards is the risk analysis, a systematic assessment of threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The risk analysis is explicitly required, and HHS OCR frequently cites its absence in enforcement actions.

What are the breach notification timelines and thresholds?

expand_more

Under the Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach. Breaches affecting 500 or more individuals must also be reported to HHS OCR and prominent media within that 60-day window. Smaller breaches may be logged and reported to HHS OCR annually within 60 days after the end of the calendar year.

What are the penalties for HIPAA violations?

expand_more

Civil monetary penalties are tiered based on the level of culpability, ranging from unknowing violations to willful neglect. Penalties are assessed per violation with an annual cap per identical violation category that is periodically adjusted for inflation, reaching roughly 1.9 million US dollars per category per year. Egregious violations can also lead to criminal prosecution and reputational harm.

Does HIPAA require encryption?

expand_more

HIPAA classifies encryption as an addressable implementation specification rather than a strict mandate, meaning you must implement it where reasonable and appropriate or document why an equivalent alternative is used. In practice, encryption of ePHI in transit and at rest is a strong safeguard and provides a safe harbor from breach notification if properly encrypted data is lost. Most organizations treat encryption as effectively required.

What should I consider for cloud and SaaS vendors?

expand_more

Cloud and SaaS providers that store or process ePHI are business associates and must sign a BAA before any PHI is shared. You remain responsible for verifying the vendor's safeguards, understanding the shared responsibility model, and ensuring configuration such as access controls and encryption is correct on your side. Using a compliant provider does not transfer your own accountability under HIPAA.

Official Documentation

View All

Implementation Timeline

gavel
Aug 1996
HIPAA enacted by President Clinton - Public Law 104-191 signed into law to protect patient health information
privacy_tip
Dec 2000
Privacy Rule published - HHS issued final Privacy Rule establishing national standards for PHI protection
check_circle
Apr 2003
Privacy Rule effective date - Healthcare providers, health plans, and clearinghouses required to comply
security
Feb 2003
Security Rule published - HHS issued final Security Rule for electronic PHI (ePHI) protection
verified_user
Apr 2005
Security Rule effective date - Covered entities required to implement administrative, physical, and technical safeguards
notification_important
Sept 2009
Breach Notification Rule enforceable - HITECH Act requirement to notify individuals of PHI breaches became enforceable
rule
March 2013
Omnibus Final Rule enforceable - Strengthened privacy and security protections, extended to business associates
health_and_safety
June 2024
Reproductive Health Privacy Rule effective - New protections for reproductive healthcare information privacy
shield
Jan 2025
Security Rule cybersecurity update proposed - NPRM published with enhanced cybersecurity standards addressing ransomware

Related Categories