
What is HIPAA Compliance? Complete Guide 2025

March 2025 | 10 min read | By Taction Software

HIPAA — the Health Insurance Portability and Accountability Act — is the federal law that governs how healthcare organizations must protect the privacy and security of patient health information in the United States. For any organization that touches patient data, HIPAA compliance is not optional. Understanding it is the starting point for building or operating any HIPAA compliant system.

A Brief History of HIPAA

HIPAA was signed into law by President Clinton on August 21, 1996. The original purpose was actually health insurance portability — making it easier for workers to maintain coverage when changing or losing jobs. But Title II of the Act, the Administrative Simplification provisions, became the foundation for the comprehensive privacy and security regulations we know today.

The Privacy Rule, which established national standards for protecting identifiable health information, was finalized in 2000 and took effect in April 2003. The Security Rule, covering electronic health information specifically, was finalized in 2003 and took effect in April 2005. The 2009 HITECH Act significantly strengthened HIPAA, extending obligations to business associates, introducing meaningful penalties, and establishing the Breach Notification Rule.

The Omnibus Rule of 2013 implemented the HITECH Act changes and tightened many HIPAA requirements. As of 2025, HHS has proposed additional HIPAA Security Rule updates — the first substantive Security Rule update in more than 20 years — reflecting the dramatically changed threat landscape for healthcare data.

Who Does HIPAA Apply To?

HIPAA applies to two categories of organizations: covered entities and business associates.

Covered Entities

Covered entities are the organizations directly engaged in healthcare. They fall into three categories:

  • Healthcare providers — physicians, hospitals, clinics, pharmacies, nursing homes, and any other provider that transmits health information electronically in connection with a transaction covered by HIPAA.
  • Health plans — health insurance companies, HMOs, employer-sponsored health plans, government programs like Medicare and Medicaid, and long-term care insurers.
  • Healthcare clearinghouses — organizations that process non-standard health information into standard formats (or vice versa) for submission to health plans.

Business Associates

Business associates are organizations or individuals that create, receive, maintain, or transmit Protected Health Information (PHI) while performing functions or activities on behalf of a covered entity. This is an expansive category that includes software developers, cloud and hosting providers, billing companies, transcription services, IT vendors, consultants, and many others. Since the 2013 Omnibus Rule, a subcontractor that handles PHI on behalf of a business associate is itself a business associate, so BAA obligations flow down the whole vendor chain.

Business associates were brought under direct HIPAA enforcement by the HITECH Act. Before 2009, BAs faced HIPAA liability only through their covered entity contracts. Now HHS's Office for Civil Rights (OCR) can pursue enforcement actions directly against business associates, and has done so repeatedly.

What is Protected Health Information (PHI)?

Protected Health Information is any individually identifiable health information held or transmitted by a covered entity or business associate. PHI can be in any form — electronic (ePHI), paper, or spoken. The key is that it identifies an individual (or could reasonably be used to identify them) and relates to their health condition, healthcare provision, or payment for healthcare.

The Safe Harbor de-identification method lists 18 categories of identifiers, of the individual and of the individual's relatives, employers, and household members, that must be removed before health information is considered de-identified:

  • Names
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except that the first three digits of a ZIP code may be kept when the area sharing those three digits contains more than 20,000 people; otherwise they become 000
  • All elements of dates (except year) directly related to an individual, including birth date, admission and discharge dates, and date of death, plus all ages over 89 (which may be aggregated into a single category of 90 or older)
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers, including fingerprints and voice prints
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

Data that has been properly de-identified under one of HIPAA's two de-identification methods (Expert Determination or Safe Harbor) is not considered PHI and falls outside HIPAA's scope. Safe Harbor additionally requires that the entity has no actual knowledge that the remaining information could be used, alone or in combination, to identify the individual; removing the 18 identifiers is necessary but not sufficient on its own.
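As an added example (not code from this article), the following Python applies the Safe Harbor method to a structured patient record: it drops the direct-identifier fields, keeps only the year of dates, truncates ZIP codes to three digits (or 000 for a restricted prefix), aggregates ages over 89, and scrubs identifier patterns from free-text notes, where identifiers most often survive a column-level cleanup. The field names, the RESTRICTED_ZIP3 set, and the sample record are assumptions constructed for the example; the real restricted-prefix list is derived from Census population data.

```python
"""Safe Harbor de-identification of a structured patient record.

Added illustration, not code from the original article. The field names,
RESTRICTED_ZIP3 and SAMPLE_RECORD are assumptions constructed for this example.
"""
import re
from datetime import date

# Direct identifiers that Safe Harbor requires removing outright (assumed field names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo_uri",
}
# Date fields other than date of birth: reduced to the year.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes whose area holds 20,000 or fewer people must become "000".
# The real list is derived from Census data; this set is a placeholder for the example.
RESTRICTED_ZIP3 = {"036", "059", "102"}

ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
US_DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")
# Identifier patterns scrubbed from free text, in this order so that a URL is
# replaced before the e-mail, IP and date patterns can match inside it.
FREE_TEXT_PATTERNS = [
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)(?:\+?1[-. ]?)?(?:\(\d{3}\)|\d{3})[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def generalize_zip(zip_code, restricted=RESTRICTED_ZIP3):
    """Keep the first three digits, or 000 for a restricted (low-population) prefix."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in restricted else prefix


def age_on(dob_iso, as_of):
    """Whole years between an ISO date of birth and a reference date."""
    y, m, d = (int(part) for part in dob_iso.split("-"))
    return as_of.year - y - ((as_of.month, as_of.day) < (m, d))


def scrub_free_text(text):
    """Remove identifier patterns from narrative text and reduce dates to the year."""
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    text = ISO_DATE.sub(lambda m: m.group(1), text)
    text = US_DATE.sub(lambda m: m.group(3), text)
    return text


def deidentify(record, as_of):
    """Return a Safe Harbor de-identified copy of record; as_of fixes the age calculation."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"                     # ages over 89 are aggregated;
            else:                                      # the birth year would reveal them
                out["age"] = age
                out["birth_year"] = value[:4]          # year alone is permitted
        elif key in DATE_FIELDS:
            out[key] = value[:4]                       # year only
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)          # narrative fields hide identifiers
        else:
            out[key] = value
    return out


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "dob": "1931-06-15",
    "zip": "03601",
    "admit_date": "2025-02-10",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called from (555) 123-4567 on 02/11/2025; portal login at "
             "https://portal.example/ from 10.0.0.7. Contact jane@example.com.",
}


def deidentify_sample():
    """De-identify the constructed record with a fixed reference date."""
    return deidentify(SAMPLE_RECORD, as_of="2025-03-01")


if __name__ == "__main__":
    print(deidentify_sample())
```

The free-text scrub is a best-effort net, not a guarantee: names, rare diagnoses and small-town references in narrative fields are exactly the "actual knowledge" problem Safe Harbor warns about, which is why datasets with rich notes usually go through Expert Determination instead.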

The Three HIPAA Rules

1. The Privacy Rule (45 CFR Part 164, Subparts A and E)

The Privacy Rule establishes national standards for protecting patients' medical records and other individually identifiable health information. It gives patients rights over their health information and sets limits on who can use and disclose PHI without patient authorization.

Key Privacy Rule requirements include:

  • Minimum Necessary: Use or disclose only the minimum PHI needed for a given purpose.
  • Notice of Privacy Practices: Provide patients a written notice explaining how their PHI may be used and disclosed.
  • Individual Rights: Patients have rights to access their PHI, request amendments, and receive an accounting of disclosures.
  • Permitted Disclosures: PHI may be used for treatment, payment, and healthcare operations without patient authorization — but most other disclosures require written authorization.
  • Business Associate Contracts: PHI shared with BAs must be governed by a BAA.

2. The Security Rule (45 CFR Part 164, Subparts A and C)

The Security Rule applies specifically to electronic PHI (ePHI) and requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure its confidentiality, integrity, and availability.

The three safeguard categories are:

  • Administrative Safeguards: Policies, procedures, risk analysis, workforce training, access management, and contingency planning.
  • Physical Safeguards: Facility access controls, workstation security, device and media controls to protect physical access to ePHI.
  • Technical Safeguards: Access controls, audit controls, integrity controls, and transmission security — the software and systems layer of HIPAA compliance.

The Security Rule distinguishes between Required specifications (which must be implemented) and Addressable specifications (which must be implemented if reasonable and appropriate, or documented with an equivalent alternative). Addressable does not mean optional.

A critical Security Rule requirement is the HIPAA Security Risk Analysis: an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the organization holds. The current rule does not fix a frequency, but OCR expects the analysis to be kept current as systems and threats change (in practice at least annually, and the 2025 proposed update would make that explicit). It is the foundation of a HIPAA security program and one of the most commonly cited deficiencies in OCR investigations.

3. The Breach Notification Rule (45 CFR Part 164, Subpart D)

The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media when there is a breach of unsecured PHI. PHI is "unsecured" when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method HHS has specified in guidance (encryption consistent with that guidance, or destruction); loss of properly encrypted ePHI whose key was not compromised therefore does not trigger notification. Notifications must be made without unreasonable delay and no later than 60 calendar days after discovery: a business associate must notify the covered entity within that window, and the covered entity must notify affected individuals within 60 days of its own discovery of the breach.

A breach is presumed unless the covered entity or BA can demonstrate through a four-factor risk assessment that there is a low probability that the PHI has been compromised. The four factors are: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Breaches affecting more than 500 residents of a state or jurisdiction also require notice to prominent media outlets serving that area. Breaches affecting 500 or more individuals must be reported to HHS at the same time the individuals are notified (no later than 60 days after discovery); breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered.

HIPAA Penalties

The Office for Civil Rights (OCR) within HHS enforces HIPAA and can impose civil monetary penalties. HITECH established a tiered penalty structure based on culpability:

Violation category                Min per violation   Max per violation   Annual cap
Did not know                      $137                $68,928             $2,067,813
Reasonable cause                  $1,379              $68,928             $2,067,813
Willful neglect — corrected       $13,785             $68,928             $2,067,813
Willful neglect — not corrected   $68,928             $2,067,813          $2,067,813

The annual cap applies to each identical provision violated in a calendar year, and a continuing violation may be counted per day of noncompliance, so a single incident that violates several provisions, or a deficiency that persists across years, multiplies exposure well beyond the figures in the table. HHS adjusts the dollar amounts for inflation each year, and since 2019 has applied lower annual caps to the first three tiers as a matter of enforcement discretion, so check the current Federal Register figures rather than relying on any one table. Most OCR cases end in negotiated resolution agreements with corrective action plans rather than litigated penalties; settlements have exceeded $16 million in a single case.

Beyond civil penalties, criminal violations of HIPAA can result in fines up to $250,000 and imprisonment up to 10 years, enforced by the Department of Justice. Criminal liability can attach to individuals, not just organizations.

HIPAA Compliance in Software Development

For software developers and technology companies, HIPAA compliance is not an administrative exercise — it is an engineering discipline. Building HIPAA compliant software requires designing PHI data flows carefully, implementing technical safeguards at every layer, managing third-party vendor risk, and establishing the documentation and monitoring programs that demonstrate compliance.

Common HIPAA failures in software systems include: writing PHI into plaintext application logs (which are then shipped to log-aggregation and error-tracking vendors that may hold no BAA); exposing API endpoints that return PHI without authentication or authorization checks; failing to encrypt PHI at rest or in transit (encryption is an Addressable specification in the current Security Rule, but unencrypted PHI is "unsecured" for breach-notification purposes, so its loss is always reportable); recording too little in audit logs to reconstruct who accessed which record and when; and sending PHI to third-party services without a BAA in place.
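An added example, not the article's code, that shows the first and fourth failures above side by side with a hardened form meeting the Technical Safeguards' audit-control requirement: the unsafe handler dumps the whole record into the application log, while the hardened handler emits a structured audit event recording who accessed which record, when, from where, for what purpose, and with what outcome, without copying clinical content, and a logging filter redacts SSN-shaped tokens as a last line of defence. The field names, logger names, and sample patient record are constructed assumptions.

```python
"""Audit-logging ePHI access without writing PHI into application logs.

Added illustration, not code from the original article. The field names,
logger names and SAMPLE_PATIENT are assumptions constructed for this example.
"""
import json
import logging
import re
from datetime import datetime, timezone

# Attributes of a patient record that carry PHI and must never reach an
# application log (assumed field names for this example's record layout).
PHI_FIELDS = {"name", "dob", "ssn", "address", "phone", "email", "diagnosis", "notes"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample record (not real data).
SAMPLE_PATIENT = {
    "mrn": "MRN-0042",
    "name": "Jane Q. Sample",
    "dob": "1958-04-02",
    "ssn": "123-45-6789",
    "diagnosis": "Type 2 diabetes",
}

app_log = logging.getLogger("app")      # general diagnostics; may be shipped to vendors
audit_log = logging.getLogger("audit")  # access trail; itself ePHI, needs a protected sink


def unsafe_view_patient(user_id, patient):
    """The failure pattern: the whole record, PHI included, becomes a log line."""
    line = f"user={user_id} viewed patient {patient!r}"
    app_log.info(line)
    return line


def strip_phi(record):
    """Drop PHI attributes so only operational fields can appear in diagnostics."""
    return {k: v for k, v in record.items() if k not in PHI_FIELDS}


def audit_event(actor_id, action, resource_type, resource_id, outcome, source_ip, purpose):
    """Who did what to which record, when, from where, and whether it succeeded.
    No names, dates of birth or clinical content: the record ID is enough for an
    auditor to trace the access back to the patient."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor_id,
        "action": action,
        "resource_type": resource_type,
        "resource_id": resource_id,
        "outcome": outcome,
        "source_ip": source_ip,
        "purpose": purpose,   # treatment, payment or operations
    }


def safe_view_patient(user_id, patient, source_ip, authorized):
    """Hardened form: audit both granted and denied access, and log no PHI."""
    event = audit_event(user_id, "read", "patient", patient["mrn"],
                        "success" if authorized else "denied", source_ip, "treatment")
    audit_log.info(json.dumps(event))
    app_log.debug("patient lookup %s", strip_phi(patient))
    return event


def redact_for_log(text):
    """Replace SSN-shaped tokens; a safety net, not a substitute for strip_phi."""
    return SSN_RE.sub("[REDACTED-SSN]", text)


class PHIGuardFilter(logging.Filter):
    """Attach to app_log so any stray SSN is redacted before a handler writes it."""
    def filter(self, record):
        record.msg = redact_for_log(record.getMessage())
        record.args = ()
        return True


def phi_leaks(text, patient):
    """Check helper: does this log text contain any PHI value from the record?"""
    return any(str(patient[f]) in text for f in PHI_FIELDS if f in patient)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(name)s %(message)s")
    app_log.addFilter(PHIGuardFilter())
    unsafe_view_patient("dr.smith", SAMPLE_PATIENT)
    safe_view_patient("dr.smith", SAMPLE_PATIENT, "10.0.0.7", authorized=True)
```

The audit stream still carries a patient identifier (the MRN), so it is itself ePHI: write it to a separate, access-controlled, append-only sink rather than the general application log, and do not ship it to a log vendor without a BAA. The redaction filter catches only one identifier shape; it exists to limit the damage from a mistake, not to make PHI-in-logs acceptable.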

A systematic approach to HIPAA software compliance starts with a risk analysis — identifying all PHI data flows in the system, assessing threats and vulnerabilities to each, and implementing controls proportionate to the risk. Read our HIPAA Software Development Checklist and HIPAA App Development Guide for detailed technical guidance.
