HIPAA
HIPAA (Health Insurance Portability and Accountability Act) is a US federal law that establishes standards for protecting sensitive patient health information (PHI) from disclosure without consent.
HIPAA is a US federal law enacted in 1996 that provides data privacy and security provisions for safeguarding medical information. It applies to covered entities and their business associates.
HIPAA consists of several key rules:
- Privacy Rule: Standards for the protection of PHI
- Security Rule: Standards for ePHI (electronic PHI) security
- Breach Notification Rule: Requirements for notifying affected individuals
- Enforcement Rule: Penalties and procedures for violations
The Security Rule requires three types of safeguards:
1. Administrative Safeguards: Policies, procedures, training
2. Physical Safeguards: Facility access, workstation security
3. Technical Safeguards: Access controls, encryption, audit controls
HIPAA violations can result in penalties ranging from $100 to $50,000 per violation, with annual maximums of $1.5 million.
Why It Matters
HIPAA violations carry severe penalties—up to $1.5 million per year per violation category—and can result in criminal charges. For any organization handling patient health data, HIPAA compliance is not optional. Beyond penalties, a HIPAA breach triggers mandatory notification to affected individuals, HHS, and potentially the media, causing significant reputational damage that can take years to recover from.
Related Terms
SOC 2 is an auditing framework developed by AICPA that evaluates how service organizations manage customer data based on five Trust Service Criteria.
Encryption at rest protects data stored on disks, databases, or storage systems by converting it to an unreadable format that requires a key to decrypt.
Access control is a security mechanism that regulates who can view or use resources in a computing environment, ensuring only authorized users can access systems and data.
Frequently Asked Questions
What is a Business Associate Agreement?
A BAA is required when a covered entity shares PHI with a third party. It ensures the business associate will protect PHI appropriately.
Does HIPAA require encryption?
Encryption is an "addressable" implementation specification: strongly recommended but not absolutely required. If you don't encrypt, you must document the equivalent protections you have put in place.