In depth
The Security Rule (45 CFR Parts 160 and 164) is the part with which most security teams interact. It mandates administrative safeguards (risk analysis, workforce training, access management, contingency planning), physical safeguards (facility access controls, workstation security, device and media controls), and technical safeguards (access control, audit controls, integrity, person or entity authentication, transmission security). Each safeguard is classified as required or addressable — addressable safeguards must be implemented unless the covered entity documents a reasoned alternative that achieves equivalent protection.
HIPAA is not prescriptive about specific technologies. It does not name a required encryption algorithm, a required MFA mechanism or a required SIEM. It does require a documented risk analysis (45 CFR 164.308(a)(1)(ii)(A)) that identifies threats and vulnerabilities to PHI, and a risk management programme that implements security measures sufficient to reduce risk to a reasonable and appropriate level. Penetration testing is widely treated as evidence that the risk-analysis obligation has been met, although the rule itself does not name it.
Breach notification is the high-profile half. Any breach of unsecured PHI affecting 500 or more individuals triggers notification to the affected individuals, to HHS OCR, and (for breaches affecting 500 or more in a single state) to prominent media outlets, all within 60 days. Civil monetary penalties under the HITECH Act's tiered structure range from $137 to $68,928 per violation, capped at $2,067,813 per identical-violation type per year (2024 adjusted figures), in addition to any state-level Attorney General actions.