What Is HIPAA? A Complete Guide to HIPAA Compliance
Quick Answer
HIPAA (Health Insurance Portability and Accountability Act) is a US federal law that sets national standards for protecting sensitive patient health information (PHI) from being disclosed without the patient's consent or knowledge.
What Is HIPAA?
HIPAA (the Health Insurance Portability and Accountability Act) is a US federal law enacted in 1996 that establishes national standards for protecting individuals' medical records and personal health information. Unlike voluntary frameworks like SOC 2, HIPAA is a legal requirement — violations carry significant fines ranging from $100 to $1.9 million per violation category, per year.
Key Takeaways
- HIPAA is a US federal law (not a voluntary framework) — non-compliance carries fines up to $1.9M per violation category per year
- Applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates
- Three main rules: Privacy Rule, Security Rule, and Breach Notification Rule
- Protects Protected Health Information (PHI) — any health data that can identify an individual
- Enforced by the HHS Office for Civil Rights (OCR)
Who Must Comply with HIPAA?
HIPAA applies to two categories of organizations: covered entities and business associates. If you touch Protected Health Information in any way, you're likely subject to HIPAA.
| Entity Type | Examples | HIPAA Obligations |
|---|---|---|
| Covered Entity: Healthcare Provider | Hospitals, doctors, dentists, pharmacies, clinics, telehealth providers | Full HIPAA compliance — all rules apply |
| Covered Entity: Health Plan | Health insurance companies, HMOs, Medicare, Medicaid, employer health plans | Full HIPAA compliance — all rules apply |
| Covered Entity: Healthcare Clearinghouse | Entities that process healthcare transactions between providers and insurers | Full HIPAA compliance — all rules apply |
| Business Associate | Cloud providers, EHR vendors, billing companies, IT support, SaaS tools handling PHI | Must comply via Business Associate Agreement (BAA) and implement required safeguards |
| Subcontractor | Vendors of business associates who also access PHI | Same obligations as business associates — must have BAAs in place |
What Is Protected Health Information (PHI)?
PHI is any information about health status, healthcare provision, or payment for healthcare that can be linked to a specific individual. This includes 18 identifiers defined by HIPAA:
- Names, addresses, dates (birth, admission, discharge, death)
- Phone numbers, fax numbers, email addresses
- Social Security numbers, medical record numbers, health plan IDs
- Account numbers, certificate/license numbers
- Vehicle identifiers, device identifiers and serial numbers
- Web URLs, IP addresses, biometric identifiers
- Full-face photographs, any other unique identifying number
Note: ePHI = Electronic PHI
When PHI is created, stored, transmitted, or received electronically, it's called ePHI. The HIPAA Security Rule specifically addresses ePHI protections. If you're a technology company, virtually all PHI you handle will be ePHI.
The Three Main HIPAA Rules
HIPAA Rule Structure
HIPAA consists of three primary rules that together create a comprehensive framework for protecting health information:
- Privacy Rule: who can access PHI and under what conditions
- Security Rule: technical, physical, and administrative safeguards for ePHI
- Breach Notification Rule: requirements when PHI is compromised
The Privacy Rule
The Privacy Rule establishes standards for when and how PHI can be used and disclosed. It gives patients rights over their health information, including the right to access their records, request corrections, and know who has accessed their data.
The Security Rule
The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. It's the most prescriptive of the three rules.
The Breach Notification Rule
The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media, following a breach of unsecured PHI. Notifications must be made within 60 days of discovery.
HIPAA Penalties at a Glance
| Tier | Knowledge Level | Fine Per Violation | Annual Maximum |
|---|---|---|---|
| Tier 1 | Unknowing violation | $100-$50,000 | $25,000 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,000-$50,000 | $100,000 |
| Tier 3 | Willful neglect, corrected within 30 days | $10,000-$50,000 | $250,000 |
| Tier 4 | Willful neglect, not corrected | $50,000 | $1,900,000 |
For more details on penalties and real enforcement examples, see our guide on HIPAA violation penalties.
Getting Started with HIPAA Compliance
HIPAA Compliance Roadmap
1. Determine if HIPAA applies to you. Are you a covered entity or business associate? Do you create, receive, maintain, or transmit PHI? If yes, HIPAA applies.
2. Conduct a risk assessment. This is the single most important HIPAA requirement. Identify threats to PHI, assess vulnerabilities, and document risk levels. See our HIPAA risk assessment guide.
3. Implement safeguards. Address gaps found in your risk assessment. Implement administrative safeguards (policies, training), physical safeguards (facility access), and technical safeguards (access controls, encryption, audit logs).
4. Execute Business Associate Agreements. Ensure all vendors that access PHI have signed BAAs. Review and update annually.
5. Train your workforce. All employees who handle PHI must receive HIPAA training. Training must be documented and refreshed annually.
6. Document everything. HIPAA requires extensive documentation — policies, risk assessments, BAAs, training records, incident logs. If it's not documented, it didn't happen.
Is there a HIPAA certification?
No. Unlike ISO 27001 or SOC 2, there is no official HIPAA certification. HHS does not endorse or recognize any private HIPAA certifications. Companies demonstrate HIPAA compliance through risk assessments, policies, and sometimes third-party audits, but there's no certificate to hang on the wall.
Does HIPAA apply to my SaaS product?
If your SaaS product stores, processes, or transmits PHI on behalf of a covered entity, you're a business associate and must comply with HIPAA. This includes EHR systems, telehealth platforms, health analytics tools, cloud storage used for PHI, and billing software.
Can I be fined for a HIPAA breach I didn't know about?
Yes. Tier 1 violations (unknowing) still carry fines of $100-$50,000 per violation. However, fines are lower when the covered entity can demonstrate they made reasonable efforts to comply and didn't act with willful neglect.
Does HIPAA apply outside the US?
HIPAA is a US federal law and applies to covered entities and business associates operating in the US or handling US residents' health data. If you're a non-US company processing PHI for US healthcare entities, HIPAA likely applies through your BAA.
What's the difference between HIPAA and HITRUST?
HIPAA is a law; HITRUST is a certifiable security framework that incorporates HIPAA requirements along with other standards (SOC 2, ISO 27001, NIST). HITRUST certification can demonstrate HIPAA compliance but is not required by HIPAA itself. See our comparison at /learn/hipaa/hipaa-vs-hitrust.