HIPAA

HIPAA mandates strict safeguards for protected health information (PHI), applying to healthcare providers, health plans, clearinghouses, and their business associates.

Why it matters

• Violations carry penalties from relatedTools: ['data-breach-cost-calculator', 'cybersecurity-budget-calculator', 'cloud-security-self-assessment', 'cybersecurity-maturity-assessment'], category: 'Risk & Compliance', synonyms: ['regulatory fine', 'data protection penalty'], }, 00 to $50,000 per violation, up to relatedTools: ['data-breach-cost-calculator', 'cybersecurity-budget-calculator', 'cloud-security-self-assessment', 'cybersecurity-maturity-assessment'], category: 'Risk & Compliance', synonyms: ['regulatory fine', 'data protection penalty'], }, .5M annually.
• Data breaches affecting 500+ individuals require public notification and HHS reporting.
• Business associates face same liability as covered entities for PHI breaches.
• Repeated violations can result in criminal charges and imprisonment.
• Patients trust healthcare organizations to protect their most sensitive data.

Key requirements

• Privacy Rule: Standards for PHI use, disclosure, and individual rights.
• Security Rule: Administrative, physical, and technical safeguards for ePHI.
• Breach Notification: 60-day notification for breaches affecting 500+ individuals.
• Encryption: Required for ePHI in transit and at rest (Safe Harbor provision).
• Access controls: Role-based access and audit logging for all PHI access.
• Business associate agreements: Written contracts mandating HIPAA compliance.
• Risk assessments: Regular analysis of potential threats to ePHI.

Technical safeguards

• Unique user identification and emergency access procedures.
• Automatic logoff and encryption/decryption mechanisms.
• Audit controls tracking access to ePHI systems.
• Integrity controls preventing unauthorized PHI modification.
• Transmission security for ePHI sent over networks.