HIPAA

Health Insurance Portability and Accountability Act (Public Law 104-191)

RegulationUS

HIPAA establishes national standards for protecting individuals’ medical records and health information. The Privacy Rule protects all individually identifiable health information, the Security Rule safeguards electronic PHI, and the Breach Notification Rule requires notification following breaches of unsecured PHI. Enforcement is by the HHS Office for Civil Rights (OCR).

PHI Identifiers

Penalty Tiers

$1.5M

Max Annual Penalty

1996

Enacted

Who Needs to Comply

Covered Entities

Health plans (insurers, HMOs, Medicare, employer group plans)
Healthcare providers (physicians, hospitals, clinics — if electronic transactions)
Healthcare clearinghouses

Business Associates

Third-party administrators, billing services, medical transcriptionists
IT service providers and cloud storage providers
Consultants, pharmacy benefits managers
Must sign Business Associate Agreements (BAAs)
Directly liable since HITECH Act (2009)

Penalty Tiers (HITECH Act)

Tier 1 — Did Not Know: $100/violation, $25K annual cap
Tier 2 — Reasonable Cause: $1,000/violation, $250K annual cap
Tier 3 — Willful Neglect (corrected ≤30 days): $10,000/violation, $250K annual cap
Tier 4 — Willful Neglect (not corrected): $50,000/violation, $1.5M annual cap

Key Compliance Areas

45 CFR 164 Sub. A, E

Privacy Rule

Protects all individually identifiable health information (PHI). Establishes patient rights to access, amend, and receive accounting of disclosures of their health information.

45 CFR 164 Sub. A, C

Security Rule

Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Covers access controls, audit controls, integrity controls, and transmission security.

45 CFR §§ 164.400-414

Breach Notification Rule

Requires notification to affected individuals, HHS Secretary, and media (if 500+ affected) following a breach of unsecured protected health information.

45 CFR 160 Sub. C-E

Enforcement Rule

Provisions for compliance investigations, civil money penalties, and hearing procedures. Four-tier penalty structure established by the HITECH Act.

45 CFR Part 162

Transactions & Code Sets

Standards for 8 electronic healthcare transactions and medical data code sets. Covered entities using electronic media must comply with these standards.

How Orizon Helps

PHI Inventory

Identify all protected health information across your organisation: where it’s created, received, maintained, and transmitted. Map all 18 PHI identifiers.

Risk Analysis

Conduct a thorough risk analysis of ePHI per the Security Rule. Identify threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

Safeguard Implementation

Implement administrative, physical, and technical safeguards. Address access controls, workforce training, facility security, and encryption requirements.

BAA Management

Establish Business Associate Agreements with all entities that create, receive, maintain, or transmit PHI on your behalf. Monitor compliance.

Breach Response Plan

Develop and test breach notification procedures meeting HIPAA timelines: individual notification, HHS reporting, and media notification for large breaches.

Ongoing Compliance

Regular risk assessments, workforce training, policy updates, and audit log reviews. Prepare for potential OCR compliance reviews and investigations.

Official Sources

Assess Your Compliance

Expert guidance for your HIPAA compliance journey.

Get Started