Everything healthcare organizations, health tech companies, and their vendors need to know about HIPAA — Privacy Rule, Security Rule, Breach Notification, BAAs, and civil/criminal penalties.
Source: HHS OCR. Penalty tiers on this page last updated 2024. Page updated March 2026.
What Is HIPAA?
Source: HHS official HIPAA documentation
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress and signed into law by President Clinton on August 21, 1996. It established the first federal privacy and security standards for protecting patients' medical records and other personal health information. (HHS.gov/HIPAA)
HIPAA is enforced by the HHS Office for Civil Rights (OCR). The OCR has collected over $160 million in resolution agreements and civil money penalties since 2008. The DOJ handles criminal HIPAA prosecutions. (HHS OCR Enforcement Highlights)
1996: HIPAA enacted
18: PHI identifiers removed under the Safe Harbor de-identification method
$2.07M: maximum civil penalty per calendar year for violations of one identical provision (see the penalty table below)
60 days: outer limit for breach notification after discovery
10 years: maximum criminal sentence
The Major HIPAA Rules
Source: 45 CFR Parts 160 and 164
HIPAA compliance is governed by a set of rules codified in the Code of Federal Regulations (45 CFR Parts 160, 162 and 164) and shaped by the HITECH Act of 2009. The five items below are the ones practitioners deal with most; strictly, HITECH is a statute rather than a rule, and the Enforcement Rule (45 CFR Part 160, Subparts C through E) supplies the investigation and penalty procedures cited later on this page. As of March 2026.
Privacy Rule
Standards for Privacy of Individually Identifiable Health Information
Establishes national standards to protect PHI. Defines permitted uses and disclosures, patient rights (access, amendment, accounting), and minimum necessary standard. Effective April 2003.
Security Rule
Security Standards for the Protection of ePHI
Requires covered entities to implement administrative, physical, and technical safeguards to protect electronic PHI. Distinguishes between required and addressable implementation specifications. Effective April 2005.
Breach Notification
Notification in Case of Breach of Unsecured PHI
Requires covered entities to notify affected individuals of any breach of unsecured PHI, whatever its size, without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must also be reported to HHS within that window, and prominent media outlets must be notified when more than 500 residents of one state or jurisdiction are affected; smaller breaches are logged and reported to HHS annually. Business associates must notify the covered entity. Effective September 2009.
Omnibus Rule
Final Omnibus HIPAA Rule (2013 Modifications)
Extended HIPAA compliance obligations directly to business associates and their subcontractors. Enhanced patient rights. Increased penalties. Updated breach notification standards. Effective September 2013.
HITECH Act
Health Information Technology for Economic and Clinical Health Act
Enacted as part of ARRA (2009), HITECH strengthened HIPAA enforcement, increased penalties, established the Breach Notification Rule, and introduced the Medicare/Medicaid EHR Incentive Programs.
Covered Entities vs. Business Associates
Source: HHS OCR definitions
Covered Entities (CEs)
Organizations directly subject to HIPAA include: (HHS OCR)
Health plans: Health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid, and CHIP
Healthcare clearinghouses: Entities that process non-standard health information into standard formats (billing services, repricing companies)
Healthcare providers: Any provider that transmits health information electronically — hospitals, physician practices, pharmacies, dental offices, nursing homes, chiropractors
Business Associates (BAs)
Vendors and contractors who create, receive, maintain, or transmit PHI on behalf of a covered entity are "business associates" directly subject to HIPAA since the 2013 Omnibus Rule. Examples include:
Electronic Health Record (EHR) vendors (Epic, Cerner, Athenahealth)
Cloud storage and hosting providers that store or process ePHI, even when the data is encrypted and the provider never holds the decryption key (HHS cloud computing guidance); a vendor that merely transmits PHI without persisting it, such as an ISP or courier, falls under the narrow "conduit" exception instead
Medical billing and coding services
Health information exchanges (HIEs)
Data analytics companies processing patient data
Legal firms handling PHI for covered entities
Business Associate Agreements (BAAs): Before any PHI can be shared with a BA, a written BAA must be executed. The BAA contractually obligates the BA to implement appropriate safeguards, report breaches, and return or destroy PHI at contract end. Failure to have a BAA in place is a common HIPAA violation.
Civil Monetary Penalties (HHS OCR)
Civil monetary penalties (CMPs) are set by statute (42 U.S.C. 1320d-5) and adjusted annually for inflation under 45 CFR 102.3. The amounts below are the adjusted figures this page was compiled against; HHS publishes a new adjustment each year, so confirm the currently published table before quoting a figure. The annual cap applies per calendar year to violations of one identical provision, not to all violations combined. (45 CFR 160.404)

Violation category | Per-violation range | Annual cap (per identical provision)
Did Not Know (reasonable diligence would not have revealed the violation) | $137 – $68,928 | $2,067,813
Reasonable Cause (not willful neglect) | $1,379 – $68,928 | $2,067,813
Willful Neglect, corrected within 30 days of when the entity knew or should have known | $13,785 – $68,928 | $2,067,813
Willful Neglect, not corrected | $68,928 – $2,067,813 | $2,067,813
Criminal Penalties (DOJ, 42 U.S.C. 1320d-6)

Offense level | Fine | Imprisonment
Knowingly obtaining or disclosing individually identifiable health information | Up to $50,000 | Up to 1 year
Under false pretenses | Up to $100,000 | Up to 5 years
With intent to sell, transfer or use for commercial advantage, personal gain or malicious harm | Up to $250,000 | Up to 10 years
The 18 HIPAA PHI Identifiers
Source: 45 CFR § 164.514(b)(2)
Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or business associate in any form or medium. Under the Safe Harbor method of de-identification, all of the following identifiers of the individual, and of the individual's relatives, employers and household members, must be removed, and the entity must have no actual knowledge that the remaining information could be used to identify the individual: (45 CFR § 164.514(b)(2))
#1 Names: full name, last name, first name
#2 Geographic data: all subdivisions smaller than a state, including street address, city, county, precinct and ZIP code. The first three digits of a ZIP code may be kept only if the area formed by all ZIP codes sharing those three digits contains more than 20,000 people; otherwise they are replaced with 000.
#3 Dates: all elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date and date of death. All ages over 89, and any date element (including year) that would reveal such an age, must be aggregated into a single "90 or older" category.
#4 Phone numbers: all telephone numbers
#5 Fax numbers: all fax numbers
#6 Email addresses: all email addresses
#7 Social Security numbers: full or partial SSNs
#8 Medical record numbers
#9 Health plan beneficiary numbers
#10 Account numbers: financial and other account numbers
#11 Certificate/license numbers: all certificate and license numbers
#12 Vehicle identifiers: VINs and serial numbers, including license plate numbers
#13 Device identifiers: serial numbers and unique device identifiers
#14 Web URLs: Web Universal Resource Locators
#15 IP addresses: Internet Protocol address numbers
#16 Biometric identifiers: including finger and voice prints
#17 Full-face photographs: and any comparable images
#18 Unique identifiers: any other unique identifying number, characteristic or code, other than a re-identification code that meets the conditions of § 164.514(c)
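The identifier list above reads as a table, but Safe Harbor is really a transformation with edge cases: ZIP codes are generalized only when the 3-digit area is populous enough, dates drop to year, and for anyone 90 or older even the birth year has to go. The following is an added example, written for this page rather than taken from HHS or any vendor, that applies those rules to a flat patient record and scrubs identifiers that leak into free-text notes. The field names, the ZIP3 population table (a stand-in for the Census data the rule refers to), the regexes and the sample record are all constructed for the example.

```python
import re
from datetime import date

# Record fields that correspond to Safe Harbor identifiers 1 and 4-18; dropped outright.
# (Field names are this example's assumption, not a schema from the rule.)
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vin", "device_serial", "url",
    "ip_address", "fingerprint_template", "photo",
}

# Constructed stand-in for the Census population table the rule refers to: the first
# three ZIP digits may be kept only if the combined ZIP3 area has more than 20,000 people.
ZIP3_POPULATION = {"021": 700_000, "036": 15_000}

# Patterns for identifiers that leak into free text (constructed, not exhaustive).
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]

AS_OF = date(2026, 3, 1)  # reference date for age computation (constructed)


def generalize_zip(zip_code):
    """Identifier 2: keep the ZIP3 prefix only for areas with >20,000 people, else '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return "000"
    zip3 = digits[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"


def age_on(birth_date, as_of):
    """Completed years of age on the reference date."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with placeholder tokens."""
    for pattern, token in TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record, as_of=AS_OF):
    """Return the Safe Harbor view of a flat record whose date fields are datetime.date.

    Removing the 18 identifiers is only the first prong of Safe Harbor; the entity must
    also have no actual knowledge that what remains could identify the individual.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # identifiers 1, 4-18: removed
        if field == "zip":
            out["zip3"] = generalize_zip(value)       # identifier 2
        elif field == "birth_date":
            age = age_on(value, as_of)                # identifier 3: ages over 89 aggregate
            if age >= 90:                             # to 90+, and the birth year itself
                out["age"] = "90+"                    # would reveal such an age, so drop it
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[field + "_year"] = value.year         # identifier 3: other dates keep year only
        elif isinstance(value, str):
            out[field] = scrub_text(value)            # identifiers hiding in free text
        else:
            out[field] = value
    return out


SAMPLE_RECORD = {  # constructed test record, not real patient data
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "mrn": "MRN-0099123",
    "zip": "03601", "birth_date": date(1930, 6, 15),
    "admission_date": date(2025, 11, 3), "diagnosis": "I10",
    "note": "Pt's daughter (617-555-0142, jane@example.com) consented on 11/03/2025.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Two design points matter in practice: the free-text scrub is a backstop, not a guarantee, so notes should be reviewed or excluded rather than trusted to regexes; and a record that passes this filter can still be re-identifiable by combination with other data, which is why the Expert Determination method exists as the alternative to Safe Harbor.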
HIPAA Compliance Checklist
Editorial summary based on HHS OCR audit protocols; not an official HHS checklist.
This checklist summarizes key HIPAA requirements for covered entities. Business associates have overlapping but distinct obligations. Consult legal counsel for a full compliance program.
Designate a HIPAA Privacy Officer and Security Officer
Conduct and document an accurate and thorough Security Rule risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and keep it current; the rule does not fix an interval, but a yearly review plus a refresh after significant system changes is common practice, and a missing or stale risk analysis is among the findings OCR cites most often
Implement a Risk Management Plan addressing identified risks
Establish written HIPAA policies and procedures; train all workforce members annually
Execute Business Associate Agreements (BAAs) with all applicable vendors
Implement access controls — minimum necessary standard for PHI access
Implement audit controls to track all access to ePHI
Encrypt ePHI at rest and in transit (AES-256, TLS 1.2+). Encryption is an addressable specification under the current Security Rule (164.312(a)(2)(iv) and (e)(2)(ii)), but ePHI encrypted consistently with HHS guidance (NIST SP 800-111 for storage, NIST SP 800-52 for TLS) counts as "secured," so its loss is not a reportable breach unless the key is compromised too; keep keys separate from the data they protect
Implement automatic logoff for workstations accessing ePHI
Maintain a documented media disposal and destruction policy
Establish a breach detection and response program
Notify affected individuals of any breach of unsecured PHI, regardless of size, without unreasonable delay and no later than 60 calendar days after discovery
Report breaches affecting 500 or more individuals to HHS OCR within the same 60 days, notify prominent media outlets when more than 500 residents of one state or jurisdiction are affected, and log smaller breaches for submission to HHS within 60 days after the end of the calendar year
Maintain HIPAA documentation for 6 years from creation or last effective date
Provide patients with Notice of Privacy Practices (NPP)
Honor patient rights: access, amendment, restriction requests, accounting of disclosures
Frequently Asked Questions
Does HIPAA apply to employers with employee health plans?
Yes, if an employer sponsors a self-insured health plan. The plan itself is a covered entity. However, the employer in its capacity as employer (using employee information for HR purposes) is generally not subject to HIPAA. The line between employer and plan can be complex — consult legal counsel.
Is a SaaS company building healthcare software automatically a Business Associate?
Only if the software creates, receives, maintains, or transmits PHI on behalf of a covered entity. A SaaS company providing a generic CRM that a healthcare provider uses for patient scheduling is very likely a BA, because appointment records tied to a named patient are PHI even without diagnoses. A payment processor that handles card transactions for a doctor and never sees diagnosis codes generally is not, since HIPAA's payment-processing exception (Section 1179) covers financial institutions' transaction processing. Analyze data flows carefully and execute BAAs proactively.
What is the Breach Notification Rule 60-day timeline based on?
The 60-day clock starts on the date the breach is "discovered," which the rule defines as the first day the breach is known to the covered entity, or would have been known by exercising reasonable diligence (45 CFR 164.404(a)(2)). Knowledge of any workforce member or agent is imputed to the entity, so the clock runs from the first employee who noticed, not from when security or legal was told, and it keeps running while you investigate. Sixty days is an outer limit: notification must be made without unreasonable delay. Media notification is also required when a breach affects more than 500 residents of a single state or jurisdiction.
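The Breach Notification Rule section above and this answer describe a decision procedure with several boundary conditions (imputed versus non-imputed knowledge, 500 or more individuals for HHS, more than 500 residents of one state for media, the annual log for smaller breaches). The following added example, written for this page and not taken from HHS or any incident-response product, encodes it so the deadlines can be checked in an IR playbook. The event kinds, the treatment of a non-agent business associate's internal knowledge, and the per-state counts are the example's assumptions; whether a vendor is your "agent" is a legal determination, not something code can decide.

```python
from datetime import date, timedelta

# 164.404/.406/.408: "without unreasonable delay and in no case later than 60 calendar
# days" after discovery. 60 days is the outer limit, not a target.
OUTER_LIMIT = timedelta(days=60)
HHS_IMMEDIATE_THRESHOLD = 500   # 164.408(b): 500 or more individuals -> HHS within 60 days
MEDIA_THRESHOLD = 500           # 164.406(a): more than 500 residents of a State or jurisdiction

# Event kinds whose date counts as the covered entity's knowledge (example's own taxonomy).
IMPUTED_KINDS = {"workforce", "agent", "notice_received", "should_have_known"}


def discovery_date(events):
    """First day the entity knew, or with reasonable diligence would have known, of the breach.

    events: list of (date, kind). Knowledge of a workforce member or of an agent is imputed
    to the covered entity (164.404(a)(2)). What a non-agent business associate knew
    internally is not; for such a vendor the clock starts when its notice reaches you
    (164.410), so that kind is deliberately excluded here.
    """
    dates = [d for d, kind in events if kind in IMPUTED_KINDS]
    if not dates:
        raise ValueError("no event establishes discovery by the covered entity")
    return min(dates)


def notification_obligations(discovered, affected_by_state, secured=False):
    """Return the notification deadlines for a breach discovered on `discovered`.

    affected_by_state: {"MA": 501, "NH": 40}, counts of affected residents per state.
    secured=True means the PHI was encrypted consistently with HHS guidance and the key
    was not compromised, so it is not "unsecured" PHI and the rule does not apply. (The
    four-factor low-probability-of-compromise assessment in 164.402 is a separate, manual
    step and is not modelled here.)
    """
    if secured:
        return {"reportable": False}
    total = sum(affected_by_state.values())
    deadline = discovered + OUTER_LIMIT
    result = {"reportable": True, "total_affected": total, "individuals_by": deadline}
    if total >= HHS_IMMEDIATE_THRESHOLD:
        result["hhs_by"] = deadline
    else:
        # Fewer than 500: keep a log and submit it to HHS within 60 days after the end of
        # the calendar year in which the breach was discovered (164.408(c)).
        result["hhs_by"] = date(discovered.year, 12, 31) + OUTER_LIMIT
    media = sorted(state for state, n in affected_by_state.items() if n > MEDIA_THRESHOLD)
    if media:
        result["media_by"] = deadline
        result["media_jurisdictions"] = media
    return result


SAMPLE_EVENTS = [  # constructed timeline for a breach at a non-agent vendor
    (date(2026, 1, 10), "ba_non_agent_knew"),   # vendor's own detection; not imputed to us
    (date(2026, 1, 20), "notice_received"),     # vendor's BAA notice reaches us: clock starts
    (date(2026, 1, 25), "workforce"),           # our security team opens the ticket
]
SAMPLE_AFFECTED = {"MA": 501, "NH": 40}         # constructed counts

if __name__ == "__main__":
    found = discovery_date(SAMPLE_EVENTS)
    print(found, notification_obligations(found, SAMPLE_AFFECTED))
```

Note that if the vendor had been an agent, the first event would have counted and the deadline would move ten days earlier; the BAA should therefore require the vendor to notify you promptly rather than at its own 60-day limit, or you can inherit a clock that has already been running.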
Can patients sue under HIPAA?
No private right of action exists under HIPAA — patients cannot directly sue covered entities for HIPAA violations. However, HIPAA violations may support state-law negligence or privacy tort claims. Many states have enacted their own health privacy laws with stronger protections and private rights of action (e.g., California's CMIA).