US Dept. of Health & Human Services · United States

HIPAA

US law protecting the privacy and security of protected health information (PHI).

The Health Insurance Portability and Accountability Act (HIPAA) sets US national standards for protecting sensitive patient health information. Its Security, Privacy and Breach Notification Rules govern how protected health information (PHI) is safeguarded and disclosed. It applies to covered entities and their business associates — including offshore vendors that handle PHI.

Who must comply

Party               | Examples
Covered entities    | Healthcare providers, health plans, healthcare clearinghouses
Business associates | Vendors that create, receive, maintain or transmit PHI for a covered entity, including Indian IT/BPO/SaaS providers
Subcontractors      | Downstream vendors of business associates that handle PHI

The Security Rule safeguards (for electronic PHI)

Category       | Examples
Administrative | Risk analysis and risk management, workforce security, training, contingency planning, security incident procedures
Physical       | Facility access controls, workstation and device security, media disposal and reuse
Technical      | Access control, audit controls, integrity, person or entity authentication, transmission security (encryption)

Each safeguard is broken down into implementation specifications that are either "required" or "addressable". An addressable specification is not optional: it must be implemented where reasonable and appropriate, and otherwise the organisation must document why it is not and implement an equivalent alternative measure where one is reasonable. The risk analysis is a required specification and is the foundation on which every other safeguard decision is justified.

The Privacy Rule and Breach Notification Rule

  • Privacy Rule — limits the use and disclosure of PHI, defines the minimum-necessary standard and gives patients rights over their information.
  • Breach Notification Rule — requires notifying affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI. Breaches affecting 500 or more individuals are reported to HHS within the same window and, where 500 or more residents of a state or jurisdiction are affected, to prominent media outlets; smaller breaches are logged and reported to HHS annually. A business associate must notify its covered entity within the same 60-day outer limit, so contracts usually set a much shorter internal deadline.
  • Business Associate Agreements (BAAs) — contractually bind vendors handling PHI to HIPAA obligations.

Compliance roadmap

  1. Identify PHI and map data flows across systems and vendors.
  2. Perform the required Security Rule risk analysis and document risk management.
  3. Implement administrative, physical and technical safeguards.
  4. Put BAAs in place with all business associates/subcontractors.
  5. Establish breach-notification and incident-response processes.
  6. Train the workforce; operate, monitor and evidence continuously.

Penalty tiers

Tier | Culpability
1    | Lack of knowledge (did not know and, with reasonable diligence, would not have known)
2    | Reasonable cause, not wilful neglect
3    | Wilful neglect, corrected within 30 days of when the violation was or should have been known
4    | Wilful neglect, not corrected within that period

Civil penalties escalate by tier, with an annual cap for violations of an identical provision. Criminal penalties are a separate matter: knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA is a federal offence prosecuted by the Department of Justice, with penalties increasing where false pretences are used or the intent is to sell the data or use it for commercial advantage, personal gain or malicious harm.

Readiness checklist

  • PHI is inventoried and data flows are mapped.
  • A Security Rule risk analysis is complete and current.
  • Administrative, physical and technical safeguards are implemented.
  • BAAs are in place with every business associate/subcontractor.
  • Access controls, audit logging and encryption are enforced.
  • A breach-notification process and incident response exist.
  • Workforce training is delivered and recorded.

How CyberSigma helps

For Indian and global business associates, we run the HIPAA Security Rule risk analysis, implement safeguards, structure BAAs and build breach-response processes — with an independent assessment your US covered-entity customers can rely on (HITRUST is often used as a certifiable proxy).

Frequently asked questions

Does HIPAA apply to Indian companies?
Yes. An Indian IT/BPO/SaaS company that creates, receives, maintains or transmits PHI on behalf of a US covered entity is a business associate. It must sign a Business Associate Agreement and is directly liable for Security Rule compliance and for notifying the covered entity of breaches, independent of what the contract says.
Is there a HIPAA certification?
HIPAA has no official government certification. Organisations demonstrate compliance via risk analysis, safeguards and independent assessments; HITRUST is often used as a certifiable proxy.

Need help with HIPAA?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about HIPAA to complying with it, through a scoped, guided programme.