HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that sets national standards for protecting the privacy and security of US citizen medical information and for standardising electronic healthcare transactions. It created both Privacy and Security Rules that govern how “protected health information” (PHI) is used, disclosed, stored, and transmitted by healthcare organisations and their service providers.

HIPAA directly governs Covered Entities - health plans, healthcare clearinghouses, and healthcare providers that transmit health data electronically. Business Associates are vendors (suppliers) or subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity. Cloud providers, billing services, telehealth platforms and other digital health suppliers are common examples of Business Associates. This relationship is comparable to the GDPR Data Controller and Data Processor relationship.

Protected Health Information (PHI) is any individually identifiable health data (past, present, or future) created, received, or maintained by a covered entity or business associate. This can be broad including items like medical records and lab results, but also appointment reminders, insurance IDs, biometric identifiers, and even device IDs when they can reasonably link back to a person’s health status.

A BAA is a legally binding contract that spells out each party’s HIPAA responsibilities and allocates liability for safeguarding PHI. Covered entities must execute a BAA before any PHI flows to a vendor or subcontractor. Without one, both organisations are non-compliant, even if no breach occurs. A BAA is comparable to a DPA (Data Processing Agreement).

• Privacy Rule - Governs how, when, and why protected health information (PHI) may be used or disclosed, enforces the “minimum-necessary” standard, and grants patients rights to access or amend their data.
• Security Rule - Requires a risk-based implementation of administrative, physical, and technical safeguards - think policies, facility controls, encryption, access management, and audit logging-to protect electronic PHI (ePHI).
• Breach Notification Rule - Mandates that business associates must notify the covered entity of a breach of PHI without unreasonable delay, and that the covered entity must alert the affected individuals and the HHS.

The Security Rule requires every covered entity or business associate to build a risk-based program that keeps electronic PHI confidential, intact, and available when needed. It groups safeguards into three mutually reinforcing layers:

• Administrative - Perform and update a risk analysis, name a security officer, adopt policies, train staff, assess
• Physical  - Restrict and monitor facility access, secure workstations, mobile devices and hardware, and control the handling, reuse, and disposal of servers or media.
• Technical  - Enforce unique log-ins and least-privilege roles, audit and review logs, encrypt data in transit and at rest, verify data integrity, and auto-logoff idle sessions.

All controls must be documented, periodically tested, and adjusted as technology, threats, or the business change - HIPAA cares less about the specific tools you buy than about proving that the safeguards you chose are effective and continually improved.

No. A compliant-ready infrastructure only solves a fraction of the obligations. You still need a signed BAA with the cloud provider and must configure services securely, control application-layer access, document policies, train staff, maintain audit trails, manage incident response, and monitor for new risks. HIPAA liability ultimately stays with the covered entity or business associate, not the cloud vendor.

U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules.

The HHS Office for Civil Rights uses a four-tier civil penalty scale that currently ranges from about $137 to $68,000 per violation, with an annual cap of roughly $2 million per violation category. Uncorrected wilful neglect can escalate to criminal charges prosecuted by the Department of Justice, with fines up to $250,000 and prison terms of up to 10 years. Beyond government penalties, OCR routinely publishes settlement agreements that often reach seven or eight figures and require multi-year corrective-action plans, while organisations also shoulder breach-response costs, lawsuits, and reputational fallout.

HHS does not issue or recognise any formal certification. Independent auditors and third party organisations can perform external HIPAA audits and assessments, which can be advantageous but not an absolute requirement. Ultimately, compliance is demonstrated through continuous adherence to the rules and the ability to show evidence during an OCR investigation.

Assuric centralises the entire HIPAA program in one workspace - mapping each HIPAA requirement to straight-forward tasks and controls, across multiple frameworks, along with automated evidence collection. Guided workflows walk teams through the necessary risk analyses, policy management, employee training, vendor/supplier assessments and BAAs, and much more.