What Is HIPAA
HIPAA (Health Insurance Portability and Accountability Act) is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. For cybersecurity and IT professionals, HIPAA’s Security Rule — which applies specifically to electronic Protected Health Information (ePHI) — is the primary compliance framework.
The Short Answer
HIPAA requires healthcare providers, health plans, healthcare clearinghouses, and their business associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). Unlike many compliance frameworks, HIPAA’s Security Rule is risk-based rather than prescriptive — it requires organizations to assess their specific risks and implement “reasonable and appropriate” safeguards, but it does not mandate specific technologies.
HIPAA’s Three Key Rules
1. The Privacy Rule
Establishes national standards for how Protected Health Information (PHI) can be used and disclosed. It gives patients rights over their own health information including the right to access records, request corrections, and receive an accounting of disclosures. The Privacy Rule covers PHI in any form — paper, electronic, or oral.
2. The Security Rule
Applies specifically to electronic Protected Health Information (ePHI). It requires covered entities and business associates to implement:
- Administrative safeguards: Security management processes, workforce training, information access management, contingency planning
- Physical safeguards: Facility access controls, workstation use policies, device and media controls
- Technical safeguards: Access controls, audit controls, integrity controls, transmission security (encryption)
3. The Breach Notification Rule
Requires covered entities to notify affected individuals, the HHS Secretary, and in some cases media outlets when unsecured PHI is breached. Business associates must notify the covered entity within 60 days of discovering a breach.
What Is Protected Health Information (PHI)?
PHI is any individually identifiable health information that relates to:
- The past, present, or future physical or mental health of an individual
- The provision of healthcare to an individual
- The past, present, or future payment for healthcare
PHI includes 18 specific identifiers defined by HIPAA, including names, dates, geographic data, telephone numbers, email addresses, Social Security numbers, medical record numbers, and more. When these identifiers are removed, the data is considered “de-identified” and no longer subject to HIPAA.
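The identifier removal just described, as an added example that is not from this page: a small Python routine that applies the Safe Harbor treatment to a constructed patient record, going beyond the page's partial list by covering the full set of direct-identifier categories and the date and ZIP generalization rules (dates keep only the year, ages over 89 are aggregated, ZIP codes keep three digits). The field names, the restricted ZIP prefix set and the sample records are assumptions made for illustration.

```python
"""Added example, not from the page: Safe Harbor de-identification of a constructed
patient record. Field names and the sample data are assumptions for illustration."""
from datetime import date

# Assumed field names that hold direct identifiers; these are removed outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_no",
    "license_no", "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
}
# Safe Harbor keeps only the first three ZIP digits and requires 000 for three-digit
# areas with 20,000 or fewer people. This prefix set is a constructed placeholder;
# the real one is derived from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

def deidentify(record: dict, as_of: date = date(2024, 6, 1)) -> dict:  # fixed date: assumption
    """Return a Safe Harbor de-identified copy of record; the input is left unchanged."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # dropped, never merely masked
        if key == "dob":
            age = as_of.year - value.year - ((as_of.month, as_of.day) < (value.month, value.day))
            if age > 89:                  # ages over 89 collapse into one bucket and
                out["age"] = "90+"        # the birth year is withheld as well
            else:
                out["age"], out["birth_year"] = age, value.year
        elif key.endswith("_date"):       # other dates about the individual keep the year only
            out[key[:-5] + "_year"] = value.year
        elif key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        else:
            out[key] = value              # clinical content such as diagnosis codes stays
    return out

def remaining_identifiers(record: dict) -> set:
    """Keys from the direct-identifier list still present; empty means the record passed."""
    return DIRECT_IDENTIFIERS & set(record)

# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "Ana Example", "dob": date(1931, 3, 15), "zip": "02138", "phone": "555-0100",
     "email": "ana@example.org", "ssn": "000-00-0000", "mrn": "MRN-TEST-1",
     "admit_date": date(2024, 2, 3), "diagnosis": "E11.9"},
    {"dob": date(1980, 7, 20), "zip": "03601", "email": "b@example.org", "diagnosis": "J45.20"},
]

if __name__ == "__main__":
    print([deidentify(r) for r in SAMPLE_RECORDS])
```

Note that Safe Harbor is only one of the two HIPAA de-identification methods; the other, Expert Determination, relies on a documented statistical analysis rather than a fixed identifier list.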
Who Enforces HIPAA?
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is the primary enforcement agency for HIPAA. OCR investigates complaints, conducts compliance audits, and can impose civil monetary penalties. The Department of Justice handles criminal violations.
HIPAA penalties are tiered based on the level of culpability:
- Tier 1 (lack of knowledge): $100–$50,000 per violation, up to $25,000/year
- Tier 2 (reasonable cause): $1,000–$50,000 per violation, up to $100,000/year
- Tier 3 (willful neglect, corrected): $10,000–$50,000 per violation, up to $250,000/year
- Tier 4 (willful neglect, not corrected): $50,000 per violation, up to $1.5 million/year
The HIPAA Final Rule (2024 Updates)
HHS published a Notice of Proposed Rulemaking in 2024 to update the HIPAA Security Rule for the first time since 2013. The proposed updates reflect modern cybersecurity threats and would make several currently “addressable” safeguards mandatory, including encryption, multi-factor authentication, and network segmentation — aligning HIPAA more closely with current NIST cybersecurity guidance.
How Espresso Labs Helps
Espresso Labs delivers HIPAA Security Rule compliance as a managed service — implementing and continuously enforcing the required technical safeguards, maintaining your risk assessment documentation, providing 24/7 monitoring of ePHI environments, and collecting audit evidence automatically so you’re always ready for OCR inquiries or audits.