What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a US federal law enacted in 1996 that establishes standards for protecting sensitive patient health information. It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates.
Key rules
- Privacy Rule — governs the use and disclosure of protected health information (PHI)
- Security Rule — requires administrative, physical, and technical safeguards for electronic PHI (ePHI)
- Breach Notification Rule — mandates notification of affected individuals and HHS after a breach of unsecured PHI, and of prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction
- Enforcement Rule — establishes investigation and penalty procedures
Protected Health Information (PHI)
PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits about a person's health condition, care, or payment for care, such as:
- Medical records and diagnoses
- Treatment and payment information
- Names, addresses, dates of birth, and Social Security numbers when linked to health data
Business Associate Agreements (BAAs)
Any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity (and any subcontractor of that vendor that does the same) must sign a BAA. This contract:
- Defines how the vendor can use and disclose PHI
- Requires the vendor to implement appropriate safeguards
- Establishes breach notification obligations
- Allocates contractual responsibility between the parties; note that since the HITECH Act, business associates are also directly liable under HIPAA for certain violations whether or not a BAA is in place
HIPAA penalties
Civil penalties are tiered by level of culpability, from $141 to $2,134,831 per violation (inflation-adjusted figures, current as of the 2024 update), with an annual cap of $2,134,831 for all violations of an identical provision. Criminal penalties for knowingly obtaining or disclosing PHI can reach $250,000 in fines and 10 years of imprisonment for the most serious offenses.
HIPAA for SaaS companies
SaaS companies that store, process, or transmit PHI on behalf of a covered entity are business associates and must comply with HIPAA. In practice that means a documented risk analysis plus the Security Rule's technical safeguards: unique user identification and role-based access controls that limit each user to the minimum necessary PHI, audit logging of who accessed which record and when, integrity protection for ePHI, encryption in transit and at rest (formally an "addressable" specification, which means implement it or document why an equivalent alternative is adequate), and incident response and breach notification procedures.
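The paragraph above names access controls and audit logging as safeguards but does not show what they look like in code. The following is an added example, not episki's code or anything from the page: a minimum-necessary field filter per role over a PHI record, and an append-only audit log whose entries are HMAC-chained so that edits or deletions of log entries are detectable. The patient record, role names, field sets, and the HMAC key are constructed assumptions for the example; a real deployment would take the key from a KMS or HSM and persist the log outside the application's own database.

```python
"""Added example (not episki's code): role-based "minimum necessary" access to
PHI plus a tamper-evident, HMAC-chained audit log. Everything below (the
patient record, the roles, the key) is constructed for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample PHI record for a fictional patient.
RECORDS = {
    "mrn-0001": {
        "name": "Jane Doe",
        "dob": "1970-01-01",
        "ssn": "000-00-0000",
        "diagnosis": "Type 2 diabetes",
        "billing_balance": 120.50,
    }
}

# Assumed role -> fields that role may read (the "minimum necessary" rule).
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis"},
    "billing": {"name", "billing_balance"},
    "auditor": set(),  # may review the log, never the PHI itself
}

# Assumption: a key held in a KMS/HSM in production, hard-coded only here.
AUDIT_KEY = b"example-audit-hmac-key"
GENESIS = "0" * 64


class AuditLog:
    """Append-only log. Each entry's tag is an HMAC over the entry's fields
    including the previous entry's tag, so changing or removing an entry
    breaks the chain from that point on."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, entry: dict) -> str:
        body = json.dumps({k: v for k, v in entry.items() if k != "tag"},
                          sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, actor, role, record_id, action, fields, outcome):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "record_id": record_id,
            "action": action, "fields": sorted(fields), "outcome": outcome,
            "prev": self.entries[-1]["tag"] if self.entries else GENESIS,
        }
        entry["tag"] = self._tag(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if every entry's tag is valid and the chain is unbroken."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or not hmac.compare_digest(self._tag(e), e["tag"]):
                return False
            prev = e["tag"]
        return True


def read_phi(log: AuditLog, actor, role, record_id, requested_fields) -> dict:
    """Return only the requested fields the role may see; log every attempt,
    denied ones included, since denied attempts are the interesting signal."""
    requested = set(requested_fields)
    if record_id not in RECORDS:
        log.append(actor, role, record_id, "read", requested, "denied:no-such-record")
        raise PermissionError("denied")
    denied = requested - ROLE_FIELDS.get(role, set())
    if denied:
        log.append(actor, role, record_id, "read", requested,
                   "denied:" + ",".join(sorted(denied)))
        raise PermissionError(f"{role} may not read {sorted(denied)}")
    log.append(actor, role, record_id, "read", requested, "allowed")
    return {f: RECORDS[record_id][f] for f in requested}


def run_demo():
    """Allowed read, denied read, then a forged log entry caught by verify()."""
    log = AuditLog(AUDIT_KEY)
    view = read_phi(log, "dr.smith", "clinician", "mrn-0001", ["name", "diagnosis"])
    try:
        read_phi(log, "bob", "billing", "mrn-0001", ["diagnosis"])
        denied_outcome = None
    except PermissionError:
        denied_outcome = log.entries[-1]["outcome"]
    intact = log.verify()
    log.entries[0]["actor"] = "someone-else"  # simulate log tampering
    return view, denied_outcome, intact, log.verify()


if __name__ == "__main__":
    print(run_demo())
```

The chain catches edits and removals anywhere except silent truncation of the newest entries; covering that requires periodically anchoring the latest tag somewhere the application cannot rewrite (a write-once bucket, a separate signing service, or a printed daily digest). The log also deliberately records the field names requested, not their values, so the audit trail itself never becomes a second copy of the PHI.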
How episki helps with HIPAA
episki maps safeguards to your systems, tracks BAA renewals, and provides auditor portals for sharing evidence. Learn more on our HIPAA compliance page.