HIPAA
The US Health Insurance Portability and Accountability Act — sets standards for protecting sensitive patient health information.
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that sets national standards for the protection of sensitive patient health information (Protected Health Information, or PHI).
Key Rules
- Privacy Rule — establishes national standards for the protection of PHI
- Security Rule — sets standards for securing electronic PHI (ePHI)
- Breach Notification Rule — requires notification of breaches of unsecured PHI
Who Must Comply
- Covered entities — health plans, healthcare clearinghouses, healthcare providers
- Business associates — entities that handle PHI on behalf of covered entities
Penalties
Fines range from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category. Criminal penalties can include imprisonment.
Comparison with GDPR
HIPAA is sector-specific (healthcare only), while the GDPR applies broadly to all personal data. Both require appropriate security measures and breach notification.