Skip to main content
Home/Glossary/HIPAA

HIPAA

The Health Insurance Portability and Accountability Act establishes standards for protecting sensitive patient health information in the United States.

Risk & ComplianceAlso called: "Health Insurance Portability and Accountability Act", "PHI protection"

HIPAA mandates strict safeguards for protected health information (PHI), applying to healthcare providers, health plans, clearinghouses, and their business associates.

Why it matters

  • Violations carry penalties from $100 to $50,000 per violation, up to $1.5M annually.
  • Data breaches affecting 500+ individuals require public notification and HHS reporting.
  • Business associates face same liability as covered entities for PHI breaches.
  • Repeated violations can result in criminal charges and imprisonment.
  • Patients trust healthcare organizations to protect their most sensitive data.

Key requirements

  • Privacy Rule: Standards for PHI use, disclosure, and individual rights.
  • Security Rule: Administrative, physical, and technical safeguards for ePHI.
  • Breach Notification: 60-day notification for breaches affecting 500+ individuals.
  • Encryption: Required for ePHI in transit and at rest (Safe Harbor provision).
  • Access controls: Role-based access and audit logging for all PHI access.
  • Business associate agreements: Written contracts mandating HIPAA compliance.
  • Risk assessments: Regular analysis of potential threats to ePHI.

Technical safeguards

  • Unique user identification and emergency access procedures.
  • Automatic logoff and encryption/decryption mechanisms.
  • Audit controls tracking access to ePHI systems.
  • Integrity controls preventing unauthorized PHI modification.
  • Transmission security for ePHI sent over networks.

Related Tools

Related Articles

View all articles
📄

Claude Cowork: Anthropic's Autonomous Desktop Agent (What MSPs Need to Know)

Claude Cowork is an agentic mode in the Claude Desktop app that reads, edits, and organizes files on your computer and runs multi-step tasks on its own. Here's how it works, who can use it, and the security and governance controls IT teams should put in place first.

Read article →
📄

Object Storage Face-Off: Cloudflare R2 vs S3 vs Azure Blob vs Google Cloud Storage

A deep technical comparison of object storage platforms — Cloudflare R2, AWS S3, Azure Blob Storage, and Google Cloud Storage — covering architecture, egress fees, features, pricing, and migration strategies.

Read article →
📄

AI Gateway Guide: What They Are, Why You Need One, and How to Choose

A comprehensive guide to AI gateways — the proxy layer between your app and LLM providers. Compare Cloudflare AI Gateway, Portkey, Helicone, LiteLLM, AWS Bedrock, Azure APIM, and more across pricing, features, and architecture.

Read article →
Formal Security Models Explained: Bell-LaPadula, Biba, Clark-Wilson, and Beyond

Formal Security Models Explained: Bell-LaPadula, Biba, Clark-Wilson, and Beyond

Master the formal security models that underpin all access control systems. This comprehensive guide covers Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, lattice-based access control, and how to choose the right model for your organization.

Read article →

Explore More Risk & Compliance

View all terms

Compliance Penalty

Financial fines and sanctions imposed for failing to meet regulatory data protection and security requirements.

Read more →

GDPR

The General Data Protection Regulation is the EU's comprehensive data privacy law that governs how organizations collect, process, and protect personal data.

Read more →

SOC 2

Service Organization Control 2 is an auditing standard for service providers that store customer data, focusing on security, availability, processing integrity, confidentiality, and privacy.

Read more →
Back to glossary