Glossary

What is HIPAA?

Key takeaway

HIPAA is the US federal law protecting health information. Learn about the Privacy Rule, Security Rule, BAAs, PHI safeguards, and penalties for non-compliance.

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a US federal law enacted in 1996 that establishes standards for protecting sensitive patient health information. It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates.

What are the key HIPAA rules?

  • Privacy Rule — governs the use and disclosure of protected health information (PHI)
  • Security Rule — requires administrative, physical, and technical safeguards for electronic PHI (ePHI)
  • Breach Notification Rule — mandates notification of affected individuals and HHS after a data breach
  • Enforcement Rule — establishes investigation and penalty procedures

What is Protected Health Information (PHI)?

PHI includes any individually identifiable health information, such as:

  • Medical records and diagnoses
  • Treatment and payment information
  • Names, addresses, dates of birth, and Social Security numbers when linked to health data

What is a Business Associate Agreement (BAA)?

Any vendor that handles PHI on behalf of a covered entity must sign a BAA. This contract:

  • Defines how the vendor can use and disclose PHI
  • Requires the vendor to implement appropriate safeguards
  • Establishes breach notification obligations
  • Makes the vendor directly liable for HIPAA violations

What are HIPAA penalties?

Penalties range from $141 to $2,134,831 per violation depending on the level of negligence, with an annual cap of $2,134,831 per identical violation category. Criminal penalties can include fines up to $250,000 and imprisonment.

How does HIPAA apply to SaaS companies?

SaaS companies that store, process, or transmit PHI are considered business associates and must comply with HIPAA. Common requirements include encryption at rest and in transit, access controls, audit logging, and incident response procedures.

How does episki help with HIPAA?

episki maps safeguards to your systems, tracks BAA renewals, and provides auditor portals for sharing evidence. Learn more on our HIPAA compliance page.

Related frameworks

hipaa

Related questions

Continue exploring

HIPAA Breach Notification Rule

Framework topic

Business Associate Agreements (BAA)

Framework topic

What is HIPAA?

Framework overview

What is Access Control?

Glossary definition

What is an Audit Trail?

Glossary definition

Drata vs Secureframe

Head-to-head comparison

episki vs Drata

See how we compare

Replacing the FFIEC CAT: What Banks Are Choosing — and Why CSF Alone Isn't Enough

From the blog

See how episki handles this

Start a free trial and explore controls, evidence, and automation firsthand.
Start free trialBook a demo