Home/Glossary/HIPAA

HIPAA

The Health Insurance Portability and Accountability Act establishes standards for protecting sensitive patient health information in the United States.

Risk & ComplianceAlso called: "Health Insurance Portability and Accountability Act", "PHI protection"

HIPAA mandates strict safeguards for protected health information (PHI), applying to healthcare providers, health plans, clearinghouses, and their business associates.

Why it matters

  • Violations carry penalties from $100 to $50,000 per violation, up to $1.5M annually.
  • Data breaches affecting 500+ individuals require public notification and HHS reporting.
  • Business associates face same liability as covered entities for PHI breaches.
  • Repeated violations can result in criminal charges and imprisonment.
  • Patients trust healthcare organizations to protect their most sensitive data.

Key requirements

  • Privacy Rule: Standards for PHI use, disclosure, and individual rights.
  • Security Rule: Administrative, physical, and technical safeguards for ePHI.
  • Breach Notification: 60-day notification for breaches affecting 500+ individuals.
  • Encryption: Required for ePHI in transit and at rest (Safe Harbor provision).
  • Access controls: Role-based access and audit logging for all PHI access.
  • Business associate agreements: Written contracts mandating HIPAA compliance.
  • Risk assessments: Regular analysis of potential threats to ePHI.

Technical safeguards

  • Unique user identification and emergency access procedures.
  • Automatic logoff and encryption/decryption mechanisms.
  • Audit controls tracking access to ePHI systems.
  • Integrity controls preventing unauthorized PHI modification.
  • Transmission security for ePHI sent over networks.

Related Tools

Related Articles

View all articles
CrowdStrike vs Expel: MDR Detection Speed Comparison

CrowdStrike vs Expel: MDR Detection Speed Comparison

CrowdStrike and Expel are two of the only MDR providers that publish both detection and response time benchmarks. Expel is faster on MTTR (13 min vs 37 min). CrowdStrike has MITRE validation.

Read article →
CrowdStrike vs SentinelOne: Endpoint Security and MITRE ATT&CK Compared

CrowdStrike vs SentinelOne: Endpoint Security and MITRE ATT&CK Compared

Both CrowdStrike and SentinelOne deliver strong MITRE ATT&CK detection results. The key difference: CrowdStrike is the only vendor with MITRE Managed Services evaluation.

Read article →
Formal Security Models Explained: Bell-LaPadula, Biba, Clark-Wilson, and Beyond

Formal Security Models Explained: Bell-LaPadula, Biba, Clark-Wilson, and Beyond

Master the formal security models that underpin all access control systems. This comprehensive guide covers Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, lattice-based access control, and how to choose the right model for your organization.

Read article →
Biometric Authentication: Understanding FAR, FRR, and CER for Security Professionals

Biometric Authentication: Understanding FAR, FRR, and CER for Security Professionals

Master the critical metrics behind biometric authentication systems including False Acceptance Rate (FAR), False Rejection Rate (FRR), and Crossover Error Rate (CER). Learn how to evaluate, tune, and deploy biometric systems across enterprise, consumer, and high-security environments.

Read article →

Explore More Risk & Compliance

View all terms

Compliance Penalty

Financial fines and sanctions imposed for failing to meet regulatory data protection and security requirements.

Read more →

GDPR

The General Data Protection Regulation is the EU's comprehensive data privacy law that governs how organizations collect, process, and protect personal data.

Read more →

SOC 2

Service Organization Control 2 is an auditing standard for service providers that store customer data, focusing on security, availability, processing integrity, confidentiality, and privacy.

Read more →
Back to glossary