The Health Insurance Portability and Accountability Act (HIPAA) sets US national standards for protecting sensitive patient health information. Its Security, Privacy and Breach Notification Rules govern how protected health information (PHI) is safeguarded and disclosed. It applies to covered entities and their business associates — including offshore vendors that handle PHI.
Who must comply
| Party | Examples |
|---|---|
| Covered entities | Healthcare providers, health plans, healthcare clearinghouses |
| Business associates | Vendors that create/receive/maintain/transmit PHI for a covered entity — including Indian IT/BPO/SaaS providers |
| Subcontractors | Downstream vendors of business associates that handle PHI |
The Security Rule safeguards (for electronic PHI)
| Category | Examples |
|---|---|
| Administrative | Risk analysis & management, workforce security, training, contingency planning, incident procedures |
| Physical | Facility access controls, workstation and device security, media disposal |
| Technical | Access control, audit controls, integrity, authentication, transmission security (encryption) |
Each safeguard's implementation specifications are either "required" or "addressable". An addressable specification is not optional: the entity must implement it where reasonable and appropriate, or document why it is not and implement an equivalent alternative measure. A documented risk analysis is the foundation for those decisions.
The Privacy Rule and Breach Notification Rule
- Privacy Rule — limits the use and disclosure of PHI, defines the minimum-necessary standard and gives patients rights over their information.
- Breach Notification Rule — requires notifying affected individuals, HHS and (for large breaches) the media, within defined timelines.
- Business Associate Agreements (BAAs) — contractually bind vendors handling PHI to HIPAA obligations.
Compliance roadmap
- Identify PHI and map data flows across systems and vendors.
- Perform the required Security Rule risk analysis and document risk management.
- Implement administrative, physical and technical safeguards.
- Put BAAs in place with all business associates/subcontractors.
- Establish breach-notification and incident-response processes.
- Train the workforce; operate, monitor and evidence continuously.
Penalty tiers
| Tier | Culpability |
|---|---|
| 1 | Lack of knowledge (could not have avoided with reasonable diligence) |
| 2 | Reasonable cause, not wilful neglect |
| 3 | Wilful neglect, corrected within the required period |
| 4 | Wilful neglect, not corrected |
Penalties escalate by tier, with annual caps per violation category; wilful neglect can also attract criminal penalties.
Readiness checklist
- PHI is inventoried and data flows are mapped.
- A Security Rule risk analysis is complete and current.
- Administrative, physical and technical safeguards are implemented.
- BAAs are in place with every business associate/subcontractor.
- Access controls, audit logging and encryption are enforced.
- A breach-notification process and incident response exist.
- Workforce training is delivered and recorded.