What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that sets standards for protecting sensitive patient health information (PHI). It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates.
The Privacy Rule
The HIPAA Privacy Rule establishes standards for the use and disclosure of Protected Health Information (PHI). It gives patients rights over their health information and sets limits on who can access and receive PHI.
The Security Rule
The HIPAA Security Rule specifically addresses electronic PHI (ePHI). It requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Safeguards include access controls, encryption, audit controls, and integrity controls.
Business Associate Requirements
Business Associates (vendors that handle PHI on behalf of covered entities) must comply with HIPAA. Business Associate Agreements (BAAs) are required contracts that outline responsibilities, permitted uses of PHI, and breach notification obligations.
Risk Assessment
HIPAA requires regular risk assessments to identify threats and vulnerabilities to ePHI. Risk assessments should evaluate the likelihood and impact of potential risks and document risk mitigation strategies. The HHS provides guidance on conducting these assessments.
Breach Notification
HIPAA requires notification of breaches affecting unsecured PHI. Individual notifications must be sent within 60 days. Breaches affecting 500+ individuals require media notice and reporting to HHS. All breaches must be logged in an annual report.
Penalties
HIPAA violations can result in civil penalties ranging from $100 to $50,000 per violation (up to $1.5 million per year for each violation category) and criminal penalties including fines and imprisonment for willful violations.
Compliance Steps
Key steps include: conducting risk assessments, implementing administrative safeguards (policies, training), physical safeguards (facility access), technical safeguards (encryption, access controls), executing BAAs with vendors, and establishing incident response procedures.