Understanding HIPAA
HIPAA (Health Insurance Portability and Accountability Act) is a US federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. It requires healthcare providers, health plans, and their business associates to implement safeguards to protect Protected Health Information (PHI).
HIPAA consists of several rules including the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.
PHI is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity. This includes:
- Patient names, addresses, dates of birth
- Medical records and health conditions
- Test results and prescriptions
- Insurance information and billing records
- Any other data that can identify a patient and relates to their health
PHI in electronic form is called ePHI (electronic Protected Health Information).
HIPAA compliance is required for:
- Covered Entities: Healthcare providers, health plans, healthcare clearinghouses
- Business Associates: Any organization that handles PHI on behalf of a covered entity (cloud providers, IT companies, billing services, consultants)
If you are a technology company that stores, processes, or transmits healthcare data for US healthcare organizations, you are a business associate and must comply.
Compliance & Penalties
HIPAA penalties are tiered based on the level of negligence:
- Tier 1 (Unknowing): $100 - $50,000 per violation
- Tier 2 (Reasonable Cause): $1,000 - $50,000 per violation
- Tier 3 (Willful Neglect, Corrected): $10,000 - $50,000 per violation
- Tier 4 (Willful Neglect, Not Corrected): $50,000 per violation
The annual maximum is $1.5 million per violation category. Criminal penalties can include up to 10 years of imprisonment.
A HIPAA risk assessment is a required process to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. It must evaluate:
- Where ePHI is created, received, maintained, and transmitted
- Potential threats (natural, human, environmental)
- Current security measures
- Likelihood and impact of threat occurrence
- Risk levels and mitigation plans
Risk assessments should be conducted annually and whenever significant changes occur. Avantcert can conduct your HIPAA risk assessment.