HIPAA — the Health Insurance Portability and Accountability Act — is one of the most complex US compliance frameworks. It applies specifically to entities that handle protected health information (PHI). Here is a plain-English guide to whether it applies to your business and what you need to do.
Who HIPAA applies to
HIPAA applies to two categories of organisations:
Covered entities: Healthcare providers (doctors, hospitals, pharmacies, therapists, dentists), health plans (insurance companies, employer health plans, government programs like Medicare), and healthcare clearinghouses (companies that process health data between providers and payers).
Business associates: Any company that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This is the category most small and medium-sized businesses (SMBs) fall into. Examples include billing services, cloud storage providers used to store health records, EHR software vendors, practice management software, marketing agencies that have access to patient lists, and IT companies that manage systems containing PHI.
What is protected health information (PHI)?
PHI is individually identifiable health information held or transmitted by a covered entity or business associate. It includes: medical records, diagnoses, treatment information, prescription history, billing records, and any combination of information that could identify someone and relates to their past, present, or future health or payment for healthcare.
PHI in digital form (emails, cloud storage, databases) is called electronic PHI (ePHI) and is subject to the HIPAA Security Rule.
The three HIPAA rules
Privacy Rule: Sets standards for how PHI can be used and disclosed. Patients have rights to access, amend, and receive an accounting of disclosures of their PHI. Covered entities must provide a Notice of Privacy Practices.
Security Rule: Requires administrative, physical, and technical safeguards to protect ePHI. This includes access controls, audit logs, encryption, and workforce training.
Breach Notification Rule: Requires notification to affected individuals, the Department of Health and Human Services (HHS), and (for large breaches) the media when PHI is breached. The notification timeline is 60 days after discovery of the breach.
Business Associate Agreements (BAAs)
If you're a covered entity, you must have a BAA with every business associate who has access to PHI. If you're a business associate, the covered entity should be presenting you with a BAA. Operating without a BAA when PHI is involved is a HIPAA violation even if no breach occurs.
Penalties
HIPAA penalties range from $137 to $68,928 per violation depending on culpability, with annual maximums per violation category. The HHS Office for Civil Rights investigates complaints and breaches. State attorneys general can also bring HIPAA enforcement actions. Criminal penalties apply in cases of intentional misuse of PHI.
Does your website need a HIPAA-specific privacy policy?
If you are a covered entity or business associate, your privacy policy should reflect HIPAA requirements in addition to any applicable state and federal privacy laws. The HIPAA Notice of Privacy Practices is a specific document with required content — it is not the same as a standard website privacy policy, though they can coexist.