HIPAA — the Health Insurance Portability and Accountability Act — was signed in 1996 to make health insurance portable when workers changed jobs. The "Accountability" half of the name became the bigger story: a sprawling set of rules about how health data must be handled. The original 1996 law is a husk now; what practitioners call "HIPAA" is the body of administrative rules built on top of it by the Department of Health and Human Services (HHS) over the following two decades.
Three rules carry the day-to-day weight: the Privacy Rule (2003), the Security Rule (2005), and the Breach Notification Rule (2009, amended 2013). The HITECH Act of 2009 toughened enforcement and added the breach rule. The 2013 Omnibus Rule extended direct liability to business associates — the contractors, vendors, and SaaS providers that touch health data on behalf of a hospital.
Who's covered
HIPAA applies to two categories. The distinction matters: it determines what you sign, what you're liable for, and who comes for you when something goes wrong.
- Covered entities are the headline group: health plans (insurers, HMOs, Medicare, employer-sponsored group health plans), healthcare providers that transmit health information electronically in connection with HIPAA-named transactions (almost every modern doctor's office, hospital, dentist, pharmacy, mental health practice, physical therapist), and healthcare clearinghouses (the data-transformation companies that translate provider claims into the standard formats payers expect).
- Business associates are everyone else who handles Protected Health Information (PHI) on behalf of a covered entity. The IT outsourcer running the EHR. The cloud provider hosting the patient portal. The transcription service. The shredding company. The legal firm handling malpractice cases. The data analytics startup. Since the 2013 Omnibus Rule, business associates are directly liable under HIPAA — not just contractually liable to the hospital that hired them.
If you build software that any healthcare provider uses to store, view, or transmit patient information, you're almost certainly a business associate and the hospital will require you to sign a Business Associate Agreement (BAA) before they let your product near their data. Major cloud providers (AWS, Azure, GCP) sign BAAs as a standard service offering for a defined subset of their services.
PHI: the thing being protected
Protected Health Information is the term of art. It's individually identifiable health information held or transmitted by a covered entity or its business associate. "Identifiable" is broad — the HIPAA Privacy Rule names 18 identifiers that turn health data into PHI:
The 18 identifiers:
- Names
- Geographic subdivisions smaller than a state (including zip code in most cases)
- All dates more specific than year that relate to the individual (birth, admission, discharge, death)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security Numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers (including plate)
- Device identifiers and serial numbers
- URLs
- IP addresses
- Biometric identifiers (including finger and voice prints)
- Full-face photographic images
- Any other unique identifying number, characteristic, or code
That last "and any other" clause is what makes PHI a practical category, not a checklist. If a data set is de-identified by stripping all 18 categories (the "Safe Harbor" method) or certified de-identified by a qualified statistician (the "Expert Determination" method), it stops being PHI and HIPAA stops applying. Re-identification then becomes its own concern — combining "de-identified" datasets is a classic way to re-create identity.
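To make the Safe Harbor method concrete, here is an added example (not from the original page and not an HHS tool) that de-identifies one patient record: it drops the enumerated identifier fields, reduces dates to the year, and scrubs SSN, phone, email and IP patterns from free-text notes, returning an audit trail of what it changed. The field names, regexes and sample record are assumptions constructed for the example; the catch-all 18th category and re-identification risk still need human review.

```python
import re

# Assumed field names for the constructed sample below, mapped to their Safe Harbor category.
DIRECT_IDENTIFIERS = {  # categories 1-3 and 5-17: removed outright
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "plate",
    "device_serial", "url", "ip_address", "fingerprint", "photo",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}  # category 4: year only

# Identifiers that tend to leak into free-text clinical notes, scrubbed by pattern.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

def scrub_text(text):
    """Replace identifier patterns with a category token; return (text, labels hit)."""
    hits = []
    for label, pattern in FREE_TEXT_PATTERNS:
        text, count = pattern.subn(f"[{label} REMOVED]", text)
        hits.extend([label] * count)
    return text, hits

def safe_harbor(record):
    """Return (deidentified_record, audit_trail) for one patient record."""
    out, audit = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            audit.append(f"dropped {field}")
        elif field in DATE_FIELDS:
            out[field + "_year"] = int(str(value)[:4]) if value else None  # keep the year only
            audit.append(f"generalized {field} to year")
        elif isinstance(value, str):
            cleaned, hits = scrub_text(value)  # catch identifiers hiding in free text
            out[field] = cleaned
            audit.extend(f"scrubbed {h} from {field}" for h in hits)
        else:
            out[field] = value  # non-identifying clinical data passes through
    return out, audit

# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Doe", "dob": "1984-03-17", "zip": "02139", "state": "MA",
    "mrn": "MRN-0042", "admission_date": "2024-05-02", "diagnosis": "J18.9",
    "notes": "Pt called from 617-555-0142; spouse email jdoe@example.com.",
}
```

Run `safe_harbor(SAMPLE)` to see the state, year fields and diagnosis survive while every enumerated identifier is dropped or tokenized.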
The three rules
Privacy Rule
Issued in 2003, the Privacy Rule sets the substantive limits: what you can and can't do with PHI, regardless of format (paper, electronic, oral). It covers permitted uses and disclosures (treatment, payment, health care operations — "TPO"), patient rights to access and amend their own records, the Notice of Privacy Practices a provider must hand patients, the Minimum Necessary standard (only use or disclose the smallest amount of PHI required for the purpose), and accounting of disclosures.
Security Rule
Issued in 2005, the Security Rule is the part security practitioners actually live in. It applies specifically to electronic PHI (ePHI) — paper records are out of scope here. It's organized into three families of safeguards plus organizational and policy requirements.
Administrative safeguards
Policies and procedures. Security management process (risk analysis, risk management). Assigned security responsibility (a designated security official). Workforce security. Information access management. Security awareness training. Security incident procedures; contingency plan (disaster recovery / business continuity); periodic evaluation.
Physical safeguards
Facility access controls. Workstation use and security. Device and media controls (disposal, re-use, accountability, backup). The "lost unencrypted laptop" remains the most common breach cause this family addresses.
Technical safeguards
Access controls (unique user IDs, emergency access, automatic logoff). Audit controls. Integrity controls. Authentication. Transmission security (encryption in transit). Notably, encryption is "addressable," not "required" — but see below.
Organizational requirements
Business associate contracts. Policies, procedures, and documentation requirements. Six-year retention of all HIPAA-related documents.
Each Security Rule specification is either required or addressable. "Addressable" does not mean optional. It means: implement it as written, implement an equivalent alternative, or document why it isn't reasonable and appropriate for your organization. Encryption of ePHI at rest is addressable. The OCR's interpretation is that if you can do it, you should; if you can't, document the alternative. "Addressable" has gotten more organizations into trouble than any other word in the Security Rule.
Breach Notification Rule
Added by HITECH (2009), this rule turns breaches into notification events. A breach is presumed for any unauthorized acquisition, access, use, or disclosure of unsecured PHI unless the covered entity can demonstrate (via four-factor risk assessment) that there is a low probability of compromise. "Unsecured" effectively means unencrypted — properly encrypted PHI that's stolen is, by HHS guidance, not a reportable breach.
- Breaches of fewer than 500 individuals: notify affected individuals without unreasonable delay (within 60 days). Log it; report annually to HHS.
- Breaches of 500 or more individuals: notify affected individuals within 60 days, notify HHS within 60 days, AND notify "prominent media outlets" serving the state or jurisdiction. These appear on the HHS Office for Civil Rights public breach portal — informally known as the "Wall of Shame." Anyone can browse it.
- Business associates must notify the covered entity (their customer); the covered entity then handles individual / HHS / media notification.
Enforcement and penalties
HIPAA is enforced by the HHS Office for Civil Rights (OCR). OCR investigates complaints, conducts compliance audits, and assesses Civil Monetary Penalties (CMPs). Criminal cases get referred to the Department of Justice.
Penalties are tiered by culpability. The amounts adjust annually for inflation; the figures below reflect the 2024 ranges per HHS's Federal Register notice:
| Tier | Culpability | Per violation | Annual cap (per identical violation) |
|---|---|---|---|
| 1 | Did not know and would not have known with reasonable diligence | ~$137 – $34,464 | ~$34,464 |
| 2 | Reasonable cause (not willful neglect) | ~$1,379 – $137,886 | ~$137,886 |
| 3 | Willful neglect, corrected within 30 days | ~$13,785 – $68,928 | ~$344,638 |
| 4 | Willful neglect, not corrected | ~$68,928 – $2,067,813 | ~$2,067,813 |
Beyond CMPs, settlements often include multi-year Corrective Action Plans (CAPs) requiring the organization to overhaul its security program under OCR oversight. The headline-grabbing cases — Anthem's $16M (2018), Premera's $6.85M (2020), Excellus's $5.1M (2021), Banner Health's $1.25M (2023) — usually combine a CMP with a multi-year CAP that costs many multiples of the fine to execute. Criminal liability applies to knowingly obtaining PHI in violation of HIPAA, up to 10 years' imprisonment for intent to sell or use it for malicious purposes.
What HIPAA means for a security team
Translated from regulator language into practitioner reality:
- Inventory ePHI. You can't protect what you don't know about. Catalog every system, application, file share, backup, and vendor that touches ePHI. Most failed audits trace to "we forgot about that database."
- Risk analysis is the keystone requirement. Conduct a comprehensive risk analysis annually (more often after major change). Document it. OCR's first ask in nearly every investigation: show me your most recent risk analysis. If you can't, the tier-3/tier-4 penalty conversation starts.
- Encrypt ePHI at rest and in transit. Addressable in the rule, effectively required in practice. Use FIPS 140-2/-3 validated modules where possible.
- Unique user IDs, MFA, RBAC. Shared accounts are the antithesis of audit logging. MFA isn't explicitly named in the rule, but it's expected by 2024 OCR auditors.
- Audit logs and review. Generating logs isn't enough — the rule requires that you actually review them. SIEM ingestion, alerting, periodic access reviews.
- BAAs with every vendor that touches ePHI. Cloud providers, payment processors, secure messaging, e-faxing, EHRs, backup vendors. A missing BAA with any such vendor is itself a direct HIPAA violation.
- Workforce training. Annual at minimum, more often after policy changes or incidents.
- Incident response plan. Tested. With the 60-day breach notification clock running, you don't have time to figure out who notifies whom while the incident is unfolding.
- Retention. Six years for all HIPAA-related documentation: policies, procedures, risk analyses, training records, BAAs, incident records.
HIPAA is not a technical standard — it's a regulatory framework that requires you to manage security according to your own documented risk analysis. The rule itself is mostly principles-based. The implementing details are yours to choose, but you have to choose them, document why, and execute consistently. The lethal failure mode is not "we didn't encrypt" — it's "we never did a risk analysis and we can't explain how we decided what to encrypt." OCR's view of willful neglect bends sharply around documentation.
If you take only three things from HIPAA into your career: encrypt every device, sign BAAs with every vendor, and document your risk analysis annually. The first two prevent the most common breaches. The third lets you survive the investigation when one happens anyway.
Sources
- U.S. Department of Health & Human Services. (2024). HIPAA for Professionals. https://www.hhs.gov/hipaa/for-professionals/index.html
- HHS Office for Civil Rights. (2024). Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- HHS. (2013). Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act (Omnibus Rule). 78 Fed. Reg. 5566.
- HHS Office for Civil Rights. (2022). HIPAA Security Rule: NIST resources. https://www.hhs.gov/hipaa/for-professionals/security/nist/index.html
- NIST. (2024). NIST SP 800-66 Rev. 2: Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide. https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/final
- Federal Register. (2024). Annual Civil Monetary Penalties Inflation Adjustment. 89 Fed. Reg. 12546.