Home/Glossary/HIPAA

HIPAA

The Health Insurance Portability and Accountability Act establishes standards for protecting sensitive patient health information in the United States.

Risk & ComplianceAlso called: "Health Insurance Portability and Accountability Act", "PHI protection"

HIPAA mandates strict safeguards for protected health information (PHI), applying to healthcare providers, health plans, clearinghouses, and their business associates.

Why it matters

  • Violations carry penalties from $100 to $50,000 per violation, up to $1.5M annually.
  • Data breaches affecting 500+ individuals require public notification and HHS reporting.
  • Business associates face same liability as covered entities for PHI breaches.
  • Repeated violations can result in criminal charges and imprisonment.
  • Patients trust healthcare organizations to protect their most sensitive data.

Key requirements

  • Privacy Rule: Standards for PHI use, disclosure, and individual rights.
  • Security Rule: Administrative, physical, and technical safeguards for ePHI.
  • Breach Notification: 60-day notification for breaches affecting 500+ individuals.
  • Encryption: Required for ePHI in transit and at rest (Safe Harbor provision).
  • Access controls: Role-based access and audit logging for all PHI access.
  • Business associate agreements: Written contracts mandating HIPAA compliance.
  • Risk assessments: Regular analysis of potential threats to ePHI.

Technical safeguards

  • Unique user identification and emergency access procedures.
  • Automatic logoff and encryption/decryption mechanisms.
  • Audit controls tracking access to ePHI systems.
  • Integrity controls preventing unauthorized PHI modification.
  • Transmission security for ePHI sent over networks.

Related Tools

Related Articles

View all articles
📄

AI Gateway Guide: What They Are, Why You Need One, and How to Choose

A comprehensive guide to AI gateways — the proxy layer between your app and LLM providers. Compare Cloudflare AI Gateway, Portkey, Helicone, LiteLLM, AWS Bedrock, Azure APIM, and more across pricing, features, and architecture.

Read article →
📄

Object Storage Face-Off: Cloudflare R2 vs S3 vs Azure Blob vs Google Cloud Storage

A deep technical comparison of object storage platforms — Cloudflare R2, AWS S3, Azure Blob Storage, and Google Cloud Storage — covering architecture, egress fees, features, pricing, and migration strategies.

Read article →
CrowdStrike vs Expel: MDR Detection Speed Comparison

CrowdStrike vs Expel: MDR Detection Speed Comparison

CrowdStrike and Expel are two of the only MDR providers that publish both detection and response time benchmarks. Expel is faster on MTTR (13 min vs 37 min). CrowdStrike has MITRE validation.

Read article →
CrowdStrike vs SentinelOne: Endpoint Security and MITRE ATT&CK Compared

CrowdStrike vs SentinelOne: Endpoint Security and MITRE ATT&CK Compared

Both CrowdStrike and SentinelOne deliver strong MITRE ATT&CK detection results. The key difference: CrowdStrike is the only vendor with MITRE Managed Services evaluation.

Read article →

Explore More Risk & Compliance

View all terms

Compliance Penalty

Financial fines and sanctions imposed for failing to meet regulatory data protection and security requirements.

Read more →

GDPR

The General Data Protection Regulation is the EU's comprehensive data privacy law that governs how organizations collect, process, and protect personal data.

Read more →

SOC 2

Service Organization Control 2 is an auditing standard for service providers that store customer data, focusing on security, availability, processing integrity, confidentiality, and privacy.

Read more →
Back to glossary