The Health Insurance Portability and Accountability Act (HIPAA), as amended by HITECH and various rules, is the US sectoral law governing Protected Health Information (PHI). It applies to Covered Entities (health plans, health care providers, healthcare clearinghouses) and to their Business Associates — the vendors that handle PHI on their behalf.
Who is in scope
- Covered Entities. Health plans, healthcare providers conducting standard transactions electronically, healthcare clearinghouses.
- Business Associates. Any vendor that creates, receives, maintains, or transmits PHI for a Covered Entity. Common examples: cloud hosting providers serving healthcare data, billing services, transcription services, EHR vendors, analytics platforms scoped to clinical data.
- Subcontractors of Business Associates. Treated as Business Associates themselves; the same obligations flow down the whole chain of subcontractors.
The Business Associate Agreement
A Business Associate Agreement (BAA) is the contract between a Covered Entity and a Business Associate. Required terms (45 CFR § 164.504(e)):
- Permitted and required uses and disclosures of PHI.
- Prohibition on uses or disclosures beyond what is permitted.
- Implementation of safeguards required by the Security Rule.
- Reporting of breaches and security incidents.
- Ensuring subcontractors agree to the same restrictions.
- Making PHI available for individual access, amendment, and accounting of disclosures.
- Making internal practices and records available to HHS.
- Returning or destroying PHI at termination.
Without a BAA in place, a Covered Entity disclosing PHI to a vendor is in breach of HIPAA — regardless of whether the vendor's actual security is good or bad.
Security Rule
The Security Rule applies to electronic PHI (ePHI) and divides safeguards into three groups:
- Administrative safeguards. Workforce security, training, contingency planning, evaluation.
- Physical safeguards. Facility access, workstation security, device controls.
- Technical safeguards. Access controls, audit controls, integrity, transmission security.
Each safeguard has "required" and "addressable" implementations. Addressable does not mean optional — it means the entity must either implement it or document why an equivalent measure is sufficient.
Vendor monitoring under HIPAA
The BAA isn't a one-time document. HHS guidance and enforcement consistently emphasise ongoing oversight:
- Periodic risk analysis including risks introduced by Business Associates.
- Monitoring of Business Associate compliance, especially after security incidents in the broader healthcare sector.
- Re-evaluation when a Business Associate's services change, when they engage new subcontractors, or when their attestation status changes.
- Breach response coordination, including the chain of notification through subcontractors.
Specific to BA oversight:
- A Business Associate that sub-processes to a non-BAA-bound subcontractor is in breach.
- A Business Associate's privacy policy or DPA changing to permit broader uses of data is a material change.
- Cloud vendors hosting ePHI must be covered by a BAA, and only the services on the AWS, GCP and Azure HIPAA-eligible service lists are within the scope of those BAAs.
Enforcement
HHS Office for Civil Rights handles enforcement. Themes:
- Phishing and ransomware breaches are the dominant enforcement source by volume.
- Failure to conduct an enterprise-wide risk analysis is the most common finding.
- Business Associate failures are increasingly cited as contributing causes in covered-entity enforcement.
- Lost or stolen unencrypted devices remain a recurring source of multi-million settlements.
Penalties scale by culpability: did not know ($100 to $50,000 per violation), reasonable cause ($1,000 to $50,000), willful neglect with correction ($10,000 to $50,000), willful neglect without correction (minimum $50,000). Annual cap of $1.5M per violation category.
State-level overlay
Several states have their own health privacy laws (California's CMIA, New York's SHIELD Act in part). When state law provides greater protection, it applies in addition to HIPAA. This affects vendor monitoring in jurisdictions where the state and federal regimes are not identical.