What is HIPAA?
Definition
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that sets standards for protecting sensitive patient health information. It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates who handle Protected Health Information.
In Depth
HIPAA consists of several rules that work together to protect health information: the Privacy Rule establishes standards for the use and disclosure of Protected Health Information (PHI), the Security Rule sets requirements for safeguarding electronic PHI (ePHI) through administrative, physical, and technical safeguards, and the Breach Notification Rule defines requirements for reporting data breaches. The HITECH Act of 2009 expanded HIPAA's scope by extending direct liability to business associates and increasing penalty amounts. The Security Rule requires covered entities to conduct a thorough risk analysis, implement a risk management program, and maintain documentation of compliance efforts. Penalties are tiered based on the level of negligence, ranging from $100 per violation for unknowing breaches up to $1.5 million per year for willful neglect. The HHS Office for Civil Rights (OCR) is responsible for enforcement and publishes a public breach portal listing breaches affecting 500 or more individuals.
Related Terms
Breach Notification
Breach notification is the legal requirement for organizations to inform regulatory authorities and affected individuals when a security incident results in unauthorized access to protected data. Notification timelines and requirements vary significantly by framework and jurisdiction.
Encryption at Rest
Encryption at rest refers to the protection of data stored on physical or virtual storage media using cryptographic algorithms. It ensures that data remains unreadable to unauthorized parties even if the storage medium is physically compromised or improperly decommissioned.
Encryption in Transit
Encryption in transit protects data as it moves between systems, networks, or endpoints by encrypting the communication channel. TLS (Transport Layer Security) is the most common protocol used to secure data in transit over networks.
Access Control
Access control encompasses the policies, procedures, and technical mechanisms that regulate who can view or use resources within a computing environment. It ensures that only authorized individuals can access specific systems, data, or physical locations based on their role and need.
Risk Assessment
Risk assessment is the systematic process of identifying, analyzing, and evaluating information security risks to an organization. It involves determining the likelihood and impact of threats exploiting vulnerabilities, then prioritizing risks for treatment through mitigation, transfer, avoidance, or acceptance.