The Health Insurance Portability and Accountability Act (HIPAA)

What Is HIPAA and Why It Matters

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that governs how protected health information (PHI) is handled, stored, and protected.

HIPAA is often misunderstood as a healthcare-only regulation. In reality, it affects a wide range of organizations—many of which don’t consider themselves “healthcare companies” at all.

At its core, HIPAA exists to ensure that sensitive health information is confidential, available when needed, and protected from unauthorized access or disclosure. Achieving that depends heavily on IT systems, cybersecurity controls, and operational discipline.

Who HIPAA Applies To

HIPAA applies to two main groups:

Covered Entities

  • Healthcare providers (clinics, hospitals, practices)

  • Health plans (insurers, HMOs)

  • Healthcare clearinghouses

Business Associates

Any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity, including:

  • MSPs and IT providers

  • Cloud and SaaS vendors

  • Billing and claims processors

  • EHR vendors

  • Data analytics providers

  • Managed security providers

  • Consultants and professional services firms

If you touch PHI in any way, HIPAA likely applies to you, even if healthcare is not your primary business.

What Information Is Regulated Under HIPAA

HIPAA regulates Protected Health Information (PHI), which includes any health-related data that can identify an individual, such as:

  • Names, addresses, dates of birth

  • Medical records and diagnoses

  • Treatment and prescription data

  • Insurance and billing information

  • Patient portal credentials

  • Appointment and communication records

  • Any combination of data that identifies a patient

When PHI is stored or transmitted electronically, it becomes ePHI, which is where IT and cybersecurity controls are critical.

The HIPAA Rules (High-Level Overview)

HIPAA compliance is built around several key rules:

Privacy Rule

Defines how PHI may be used and disclosed, and establishes patient rights.

Security Rule

Requires administrative, physical, and technical safeguards to protect ePHI.

Breach Notification Rule

Mandates notification to affected individuals, HHS, and sometimes the media after certain breaches.

Enforcement Rule

Defines penalties and enforcement mechanisms.

From a practical standpoint, the Security Rule drives most IT and cybersecurity requirements.

What HIPAA Requires From an IT & Cybersecurity Perspective

HIPAA does not prescribe specific tools, but it does require reasonable and appropriate safeguards based on risk.

In practice, this means:

Administrative Safeguards

  • Risk assessments and risk management plans

  • Security policies and procedures

  • Workforce training

  • Incident response and breach handling processes

  • Vendor management and Business Associate Agreements (BAAs)

Technical Safeguards

  • Unique user identification

  • Strong access controls and least privilege

  • Multi-factor authentication (MFA)

  • Encryption (at rest and in transit)

  • Audit logs and monitoring

  • Secure remote access

Physical Safeguards

  • Device and media controls

  • Secure workstation and server access

  • Secure disposal of hardware and data

HIPAA compliance fails most often when technical safeguards are weak or undocumented.

Why HIPAA Compliance Is More Than a Legal Requirement

Many organizations think HIPAA is about avoiding fines. In reality, HIPAA failures often lead to:

  • Data breaches

  • Ransomware incidents

  • Operational downtime

  • Reputational damage

  • Insurance claim denials

  • Loss of customer and partner trust

HIPAA enforcement increasingly focuses on whether organizations took reasonable steps to protect ePHI—not whether an attack was sophisticated.

How HIPAA Fits Into Broader Cyber Risk Management

HIPAA aligns closely with widely used frameworks such as:

  • NIST Cybersecurity Framework (CSF)

  • NIST SP 800-53

  • ISO 27001

  • SOC 2

  • HITRUST CSF

That means HIPAA compliance is largely built on the same cybersecurity fundamentals used across industries. The difference is the sensitivity of the data and the documentation required.

The Reality of HIPAA Compliance

Here’s the truth most organizations don’t hear:

Most HIPAA requirements are basic cybersecurity best practices.

MFA is MFA. Encryption is encryption. Logging is logging.

HIPAA doesn’t demand cutting-edge technology—it demands discipline, consistency, and proof that reasonable safeguards are in place.

How We Help With HIPAA (and Any Compliance Standard)

Our cyber risk and compliance assessments help organizations:

  • Identify PHI exposure and risk

  • Evaluate safeguards against HIPAA requirements

  • Close technical and documentation gaps

  • Prepare defensible evidence for audits and incidents

  • Reduce breach and enforcement risk

We focus on practical controls that actually protect your environment, not checkbox compliance.

How SMBs Can Prepare for HIPAA Compliance

Here is a practical, high-impact roadmap.

Step 1: Identify Where PHI Exists

Document:

  • Systems that store or process PHI

  • Data flows between systems

  • Who has access

  • Vendors and third parties involved

You can’t secure PHI you don’t know about.

Step 2: Conduct a Risk Assessment

HIPAA explicitly requires a risk analysis. This includes:

  • Identifying threats and vulnerabilities

  • Evaluating likelihood and impact

  • Documenting mitigation steps

This is one of the most commonly cited gaps in enforcement actions.

Step 3: Implement or Strengthen Core Security Controls

At minimum:

  • MFA for all systems handling PHI

  • Encryption of data and backups

  • Endpoint and email security

  • Logging and monitoring

  • Secure remote access

  • Regular patching and updates

Step 4: Formalize Policies and Procedures

HIPAA expects documented:

  • Security policies

  • Incident response plans

  • Backup and disaster recovery procedures

  • Access management processes

Policies must reflect how systems actually work, not theoretical controls.

Step 5: Manage Vendor and Third-Party Risk

Ensure:

  • Business Associate Agreements (BAAs) are in place

  • Vendors meet security expectations

  • Ongoing oversight exists

You remain responsible for PHI—even when vendors are involved.

Step 6: Train Your Workforce

Employees should understand:

  • How PHI should be handled

  • Security best practices

  • How to recognize and report incidents

  • Their role in protecting patient data

Human error remains a top cause of HIPAA incidents.

Take Control of Your HIPAA Risk

HIPAA compliance is not a one-time project—it’s an ongoing risk management process.

Understand where you stand, what’s missing, and how to move forward with confidence.

Talk to an Executive Advisor Today