Why It Matters
HIPAA is the backbone of health data protection in the United States. With the digitization of healthcare and the rapid growth of telehealth, health apps, and AI-driven diagnostics, protecting patient data has become both more complex and more critical. Healthcare is the most breached industry, and HIPAA violations result in significant financial penalties and reputational damage.
The Three HIPAA Rules
Privacy Rule
Establishes standards for the use and disclosure of Protected Health Information (PHI):
- Patients have the right to access, amend, and receive an accounting of disclosures
- Covered entities must designate a Privacy Officer
- "Minimum necessary" standard — only use/disclose the minimum PHI needed
- Authorization required for most uses beyond treatment, payment, and healthcare operations
Security Rule
Requires safeguards for electronic PHI (ePHI) across three categories:
- Administrative — risk analysis, workforce training, policies, contingency plans
- Physical — facility access controls, workstation security, device controls
- Technical — access controls, audit controls, transmission security, encryption
Breach Notification Rule
- Individual notification — affected individuals notified within 60 days of discovery for breaches affecting 500+ individuals
- HHS notification — breaches affecting 500+ individuals reported to HHS within 60 days of discovery; smaller breaches logged and reported to HHS annually
- Media notification — breaches affecting 500+ individuals in a single state or jurisdiction must also be reported to prominent media outlets serving that area
Who Must Comply
Covered Entities:
- Healthcare providers who transmit health information electronically
- Health plans (insurance companies, HMOs, government programs)
- Healthcare clearinghouses
Business Associates:
- Any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity
- Examples: cloud providers, billing companies, EHR vendors, consultants, shredding companies
What is PHI?
Protected Health Information is any individually identifiable health information held or transmitted by a covered entity or business associate, for example:
- Medical records, lab results, prescriptions
- Insurance claims and billing records
- Conversations between healthcare providers about patients
- Information in health apps (when created or maintained by covered entities)
- 18 identifiers — name, address, dates, SSN, medical record number, email, etc.
Penalties
| Tier | Culpability | Penalty per Violation | Annual Maximum |
|---|---|---|---|
| 1 | Did not know | $141 – $71,162 | $2,134,831 |
| 2 | Reasonable cause | $1,424 – $71,162 | $2,134,831 |
| 3 | Willful neglect (corrected) | $14,232 – $71,162 | $2,134,831 |
| 4 | Willful neglect (not corrected) | $71,162 | $2,134,831 |
Criminal penalties: up to 10 years imprisonment for knowingly obtaining or disclosing PHI.
Key Regulation
- HIPAA (1996) — Public Law 104-191
- HITECH Act (2009) — strengthened enforcement and breach notification
- Omnibus Rule (2013) — extended obligations to business associates
- Enforced by: HHS Office for Civil Rights (OCR)