Skip to content
In development

HIPAA: what it requires of covered entities and their vendors

Health Insurance Portability and Accountability Act · United States — healthcare

HIPAA governs protected health information held by US covered entities — health plans, clearinghouses, and providers — and by the business associates that process it on their behalf. It imposes a Privacy Rule on use and disclosure, a Security Rule on safeguards for electronic PHI, and a Breach Notification Rule requiring disclosure within 60 days.

Who it applies to

  • Covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically
  • Business associates: any vendor that creates, receives, maintains, or transmits protected health information on a covered entity's behalf
  • Subcontractors of business associates, who are themselves business associates
  • A software vendor serving a US healthcare provider is almost always a business associate

What it requires

A Business Associate Agreement, before any PHI moves

Without a signed BAA in place, a vendor cannot lawfully process protected health information. In practice it is a gating item in every healthcare sales cycle.

The Privacy Rule

Limits use and disclosure of PHI to treatment, payment, healthcare operations, and specific permitted purposes. Everything else needs authorisation.

The Security Rule

Administrative, physical, and technical safeguards for electronic PHI — access control, audit controls, integrity, transmission security, and a documented risk analysis.

The minimum necessary standard

Use and disclose only the minimum PHI needed for the purpose. This is a design constraint on your data model, not a policy sentence.

Breach notification within 60 days

To affected individuals and to HHS. Breaches affecting 500 or more individuals must also be reported to the media and posted publicly.

A documented risk analysis

Not optional, and the single most commonly cited failure in enforcement actions. It must be current, not a document written once at founding.

Penalties

Civil penalties are tiered by culpability, running from roughly $100 to $50,000 per violation with an annual cap per identical provision. Wilful neglect that is not corrected carries the highest tier, and criminal penalties apply to knowing misuse.

HIPAA support is in development

To be straight with you: RegRely runs GDPR today. HIPAA is not shipped yet. The underlying workflows — data subject requests, records of processing, consent, risk, and evidence — are the same across regimes, which is what makes the extension tractable rather than a rewrite.

If HIPAA is on your critical path, tell us your timeline and we will tell you honestly whether we can meet it.

See what ships today

Frequently asked questions

A BAA is the contract HIPAA requires between a covered entity and any vendor handling protected health information on its behalf. Without one, the vendor cannot lawfully process PHI — which makes it a gating item in every healthcare sales cycle.

If it creates, receives, maintains, or transmits protected health information on behalf of a covered entity, yes — even if you never look at the data. Mere conduits for transmission, such as an ISP, are excluded, but hosted software that stores PHI is not.

HIPAA is US, sector-specific, and covers protected health information held by covered entities and their business associates. GDPR is EU, cross-sector, and covers all personal data, with health data treated as a special category requiring an additional condition for processing. A company operating in both markets must satisfy both.

Affected individuals and HHS must be notified without unreasonable delay and no later than 60 days from discovery. Breaches affecting 500 or more individuals also require media notification and public posting.