
Health Insurance Portability and Accountability Act

Protecting patient health information through mandated security safeguards

Established: 1996 (Security Rule effective 2005)
Last Updated: 2013 (Omnibus Rule)
Scope: United States
Covered Entities: 750,000+

// What is HIPAA?

HIPAA establishes national standards for protecting sensitive patient health information from disclosure without patient consent. The law applies to healthcare providers, health plans, and healthcare clearinghouses, along with their business associates who handle protected health information (PHI).

The Security Rule specifically requires covered entities to implement administrative, physical, and technical safeguards ensuring the confidentiality, integrity, and availability of electronic protected health information (ePHI). Organizations must conduct risk assessments, implement appropriate controls, and maintain documentation demonstrating compliance efforts.

Enforcement has intensified significantly since 2018, with the Office for Civil Rights (OCR) pursuing both large health systems and small practices for violations. The 2013 Omnibus Rule expanded business associate liability and strengthened breach notification requirements.

// Inside the Regulation

The HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) establishes the standards most relevant to cybersecurity programs. It's structured around three safeguard categories, each containing required and addressable implementation specifications.

1. Administrative Safeguards (§164.308)

The largest section covering policies and procedures governing ePHI protection. These controls address organizational behavior and workforce management.

Risk Analysis & Management

Required assessment of potential risks to ePHI, plus measures to reduce them to reasonable levels. This is where most OCR enforcement actions originate.

Workforce Security

Authorization procedures, clearance processes, and termination protocols ensuring only appropriate personnel access ePHI.

Security Awareness Training

Ongoing education including phishing awareness, password management, and security reminders for all workforce members.

Contingency Planning

Data backup plans, disaster recovery procedures, and emergency mode operations ensuring ePHI availability during crises.

Business Associate Management

Written contracts (BAAs) requiring partners to implement equivalent safeguards when handling PHI.

2. Physical Safeguards (§164.310)

Controls protecting the physical infrastructure housing ePHI systems and the hardware itself.

Facility Access Controls

Policies and procedures limiting physical access to electronic information systems and facilities housing them.

Workstation Security

Physical safeguards for workstations accessing ePHI, including positioning and access restrictions.

Device and Media Controls

Procedures governing hardware disposal, media reuse, and movement of devices containing ePHI.

3. Technical Safeguards (§164.312)

The technology and policies protecting ePHI and controlling access—the controls security teams implement and monitor daily.

Access Controls

Unique user identification, emergency access procedures, automatic logoff, and encryption/decryption mechanisms.

Audit Controls

Hardware, software, and procedural mechanisms recording and examining system activity containing ePHI.

Integrity Controls

Policies and procedures protecting ePHI from improper alteration or destruction.

Transmission Security

Technical measures guarding against unauthorized access to ePHI transmitted over networks.

Note: The Security Rule distinguishes between 'required' specifications (must implement) and 'addressable' specifications (implement if reasonable, or document why an alternative provides equivalent protection). Addressable does not mean optional—organizations must either implement the specification or document why it's not reasonable and what alternative measures they've adopted.
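As an added illustration (not code from this page or from Breach Craft), the Python sketch below maps the §164.312 specifications listed above onto one ePHI access gateway: unique user identification and a role-based minimum-necessary check (access control), an inactivity timeout (automatic logoff), and a hash-chained audit log that makes deleted or edited audit records detectable (audit and integrity controls). The role-to-field policy, the 15-minute timeout, the user and the patient record are constructed sample values; transmission security (TLS) is outside the example.

```python
import hashlib
import time
from dataclasses import dataclass, field

# Constructed minimum-necessary policy: which record fields each role may read.
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
}

@dataclass
class Session:
    user_id: str          # unique user identification, never a shared account
    role: str
    last_activity: float  # epoch seconds of the last successful activity

@dataclass
class EphiGateway:
    timeout_seconds: float = 900.0          # automatic logoff after 15 min (assumed)
    audit_log: list = field(default_factory=list)
    _chain: str = "0" * 64                  # running hash over all audit records

    def _audit(self, user_id, patient_id, fields, outcome):
        # Audit control: every attempt (granted or denied) is recorded, and each
        # record's digest covers the previous digest, so tampering breaks the chain.
        record = f"{user_id}|{patient_id}|{','.join(sorted(fields))}|{outcome}"
        self._chain = hashlib.sha256((self._chain + record).encode()).hexdigest()
        self.audit_log.append((record, self._chain))

    def read(self, session, patient_id, record, fields, now=None):
        now = time.time() if now is None else now
        if now - session.last_activity > self.timeout_seconds:
            self._audit(session.user_id, patient_id, fields, "denied:auto-logoff")
            raise PermissionError("session expired; re-authenticate")
        session.last_activity = now
        allowed = ROLE_FIELDS.get(session.role, set())
        if not set(fields) <= allowed:
            self._audit(session.user_id, patient_id, fields, "denied:minimum-necessary")
            raise PermissionError("requested fields exceed role policy")
        self._audit(session.user_id, patient_id, fields, "granted")
        return {f: record[f] for f in fields}

    def verify_audit_chain(self):
        # Integrity control: recompute the chain and compare against stored digests.
        chain = "0" * 64
        for record, digest in self.audit_log:
            chain = hashlib.sha256((chain + record).encode()).hexdigest()
            if chain != digest:
                return False
        return True
```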

// Who Must Comply

  1. Healthcare providers transmitting health information electronically (hospitals, clinics, physicians, dentists, pharmacies)
  2. Health plans (health insurers, HMOs, employer-sponsored plans, government programs like Medicare/Medicaid)
  3. Healthcare clearinghouses processing nonstandard health information
  4. Business associates handling PHI on behalf of covered entities (IT vendors, billing companies, cloud providers, consultants)
  5. Subcontractors of business associates with PHI access

// Key Requirements

Risk Assessment

Conduct accurate and thorough assessments of risks to ePHI confidentiality, integrity, and availability

Access Management

Implement role-based access controls ensuring workforce members only access PHI necessary for their functions

Encryption

Encrypt ePHI at rest and in transit, or document why encryption is not reasonable and implement equivalent measures

Breach Notification

Notify affected individuals within 60 days of breach discovery, plus HHS and media for breaches affecting 500+ individuals

Documentation

Maintain written policies, procedures, and evidence of compliance activities for six years

Training

Provide regular security awareness training to all workforce members with PHI access

// Enforcement & Penalties

OCR enforces HIPAA through investigations and audits, with penalties based on the level of negligence. Willful neglect violations carry the steepest fines, while organizations demonstrating good-faith compliance efforts may receive reduced penalties.

Maximum Penalty

$1.5 million per violation category per year

Examples:

  • Anthem Inc. - $16 million settlement for breach affecting 79 million individuals
  • Premera Blue Cross - $6.85 million for breach affecting 10.4 million
  • Banner Health - $1.25 million for lack of risk analysis and risk management

// Cyber Insurance Impact

Cyber insurers increasingly require documented HIPAA compliance programs before issuing policies to healthcare organizations. Claims involving PHI breaches trigger policy provisions requiring evidence of Security Rule compliance. Inadequate HIPAA programs can result in coverage denials or significantly increased premiums. Many insurers now require annual risk assessments and penetration testing as coverage conditions.

// How Breach Craft Helps

We help organizations achieve HIPAA compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of HIPAA.
