HIPAA: what it requires of covered entities and their vendors
Health Insurance Portability and Accountability Act · United States — healthcare
HIPAA governs protected health information held by US covered entities — health plans, clearinghouses, and providers — and by the business associates that process it on their behalf. It imposes a Privacy Rule on use and disclosure, a Security Rule on safeguards for electronic PHI, and a Breach Notification Rule requiring disclosure within 60 days.
Who it applies to
- Covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically
- Business associates: any vendor that creates, receives, maintains, or transmits protected health information on a covered entity's behalf
- Subcontractors of business associates, who are themselves business associates
- A software vendor serving a US healthcare provider is almost always a business associate
What it requires
A Business Associate Agreement, before any PHI moves
Without a signed BAA in place, a vendor cannot lawfully process protected health information. In practice it is a gating item in every healthcare sales cycle.
The Privacy Rule
Limits use and disclosure of PHI to treatment, payment, healthcare operations, and specific permitted purposes. Everything else needs authorisation.
The Security Rule
Administrative, physical, and technical safeguards for electronic PHI — access control, audit controls, integrity, transmission security, and a documented risk analysis.
The minimum necessary standard
Use and disclose only the minimum PHI needed for the purpose. This is a design constraint on your data model, not a policy sentence.
Breach notification within 60 days
To affected individuals and to HHS. Breaches affecting 500 or more individuals must also be reported to the media and posted publicly.
A documented risk analysis
Not optional, and the single most commonly cited failure in enforcement actions. It must be current, not a document written once at founding.
Penalties
Civil penalties are tiered by culpability, running from roughly $100 to $50,000 per violation with an annual cap per identical provision. Wilful neglect that is not corrected carries the highest tier, and criminal penalties apply to knowing misuse.
HIPAA support is in development
To be straight with you: RegRely runs GDPR today. HIPAA is not shipped yet. The underlying workflows — data subject requests, records of processing, consent, risk, and evidence — are the same across regimes, which is what makes the extension tractable rather than a rewrite.
If HIPAA is on your critical path, tell us your timeline and we will tell you honestly whether we can meet it.