US Federal Law

HIPAA Compliance

The Health Insurance Portability and Accountability Act establishes national standards to protect sensitive patient health information from being disclosed without consent.

Start HIPAA Assessment View HIPAA Rules

$1.5M

Annual cap per tier

Up to $1.9M total

PHI

Protected data

18 identifiers

Core rules

Privacy, Security, Breach

1996

Enacted

Updated 2013 (HITECH)

Who Must Comply with HIPAA?

HIPAA applies to Covered Entities and their Business Associates who handle Protected Health Information (PHI).

Covered Entities

Healthcare providers (hospitals, clinics, doctors)
Health plans (insurers, HMOs, Medicare)
Healthcare clearinghouses
Pharmacies and laboratories

Business Associates

Cloud service providers hosting PHI
IT support and managed services
Billing and claims processing services
Software vendors (EHR, practice management)

Business Associate Agreements (BAAs): Any vendor that handles PHI on behalf of a Covered Entity must sign a BAA and comply with HIPAA requirements.

Core HIPAA Rules

HIPAA compliance is built on three fundamental rules

Privacy Rule

Establishes national standards for protecting individually identifiable health information. Defines patient rights and limits on use and disclosure of PHI.

Minimum necessary standardPatient access rightsAuthorization requirementsNotice of Privacy PracticesAccounting of disclosures

Security Rule

Requires administrative, physical, and technical safeguards to ensure confidentiality, integrity, and availability of electronic PHI (ePHI).

Risk assessmentAccess controlsAudit controlsEncryptionContingency planning

Breach Notification Rule

Requires covered entities and business associates to notify individuals, HHS, and sometimes media following a breach of unsecured PHI.

60-day notification to HHSIndividual notificationsMedia notification (500+ individuals)Annual smaller breach reportDocumentation of all breaches

HIPAA Penalty Tiers

Penalties are based on the level of culpability and knowledge of the violation.

Tier 1

Unknowing

Min: $100

Max: $50K

Annual: $25K

Tier 2

Reasonable Cause

Min: $1K

Max: $50K

Annual: $100K

Tier 3

Willful Neglect (Corrected)

Min: $10K

Max: $50K

Annual: $250K

Tier 4

Willful Neglect (Not Corrected)

Min: $50K

Max: $50K

Annual: $1.5M

Criminal penalties can include fines up to $250,000 and imprisonment up to 10 years.

How Dependra Helps with HIPAA

Manage Business Associate relationships and ensure PHI is protected across your vendor ecosystem.

Inventory all vendors with access to PHI
Track Business Associate Agreement status
Assess vendor HIPAA compliance posture
Monitor for HIPAA-related security incidents
Identify HIPAA-compliant alternatives
Generate vendor risk documentation for audits

Start HIPAA Assessment

12 vendors with signed BAAs

3 BAAs need renewal

Related Standards & Regulations

SOC 2

Service organization controls

ISO 27001

Information security management

GDPR

EU data protection regulation

PCI DSS

Payment card security standard

Official Resources

HHS HIPAA Homepage

Official HHS HIPAA resources

HIPAA Security Rule Guidance

Security implementation guidance

HIPAA Quick Facts

Full Name: Health Insurance Portability and Accountability Act
Enacted: 1996
Enhanced By: HITECH Act (2009)
Enforced By: HHS Office for Civil Rights
Scope: US Healthcare Industry

Ready for HIPAA Compliance?

Protect patient health information and meet regulatory requirements.

Start HIPAA Assessment View Demo