What is HIPAA Security? Understanding Healthcare Data Protection

8 minute read
Intermediate

The HIPAA Security Rule governs how healthcare organizations and their business associates protect electronic health information.

The HIPAA Security Rule: Technical Safeguards

The HIPAA Security Rule establishes the federal standards for protecting electronic protected health information (ePHI) — health information that is created, received, maintained, or transmitted in electronic form. It applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and business associates who handle ePHI on their behalf.

The Security Rule is organized around three categories of safeguards: administrative, physical, and technical. Technical safeguards are the technology and related policy controls most directly relevant to cybersecurity. The Rule defines five technical safeguard standards, each with implementation specifications that are either required or addressable (an addressable specification must be implemented if reasonable and appropriate; otherwise the organization documents why not and implements an equivalent alternative measure where reasonable). The standards are: access control (unique user identification and emergency access procedures are required; automatic logoff and encryption/decryption are addressable), audit controls (hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI), integrity (mechanisms to confirm that ePHI has not been improperly altered or destroyed), person or entity authentication (verifying that a person or system seeking access is who it claims to be), and transmission security (integrity controls and encryption for ePHI transmitted over electronic networks, both addressable).

The Risk Analysis Requirement

The foundational requirement of the HIPAA Security Rule, and the one most frequently cited in enforcement actions, is the administrative safeguard at 45 CFR 164.308(a)(1)(ii)(A): an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI the organization holds. Its companion specification, risk management, requires implementing security measures sufficient to reduce the identified risks to a reasonable and appropriate level. The risk analysis is not a one-time exercise; it must be repeated when material changes to the environment occur (new systems, new vendors, migrations to cloud services) and reviewed and updated periodically. An organization that cannot produce a current, enterprise-wide risk analysis is in violation of the most fundamental Security Rule requirement regardless of how many other controls it has implemented, because it cannot show that those controls were chosen in response to its actual risks.

HIPAA Enforcement and Breach Notification

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media following discovery of a breach of unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example by encryption consistent with HHS guidance. Individual notice must be provided without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must be reported to HHS on the same timeline; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. A breach involving more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets serving that area. Business associates must notify the covered entity of breaches they discover, and the covered entity remains responsible for the individual, HHS, and media notices.

HIPAA enforcement is conducted by the HHS Office for Civil Rights (OCR). Civil monetary penalties are tiered by culpability, from violations the entity did not know about and could not reasonably have known about, up to willful neglect not corrected within 30 days. Under the 2023 inflation-adjusted amounts, the lowest tier starts at $137 per violation and the highest tier reaches about $2.07 million, which is also the statutory annual cap for violations of an identical provision. Because violations are counted per requirement and per year the violation persisted, and most investigations find several distinct failures, totals reach multi-million-dollar figures even with the caps. OCR resolves most cases through settlement agreements paired with a corrective action plan rather than formal penalties; the February 2023 settlement with Banner Health for $1.25 million, following a 2016 hacking incident that affected about 2.8 million individuals, is a representative example of enforcement scale.

HIPAA Diligence for Healthcare M&A

For private equity (PE) buyers acquiring healthcare organizations, or businesses that handle PHI as business associates, HIPAA exposure is the dominant cyber due diligence consideration. The standard questions: What is the organization's most recent HIPAA Security Rule risk analysis, what gaps did it surface, and what has been done about them? Is there documentation of completed HIPAA security awareness and privacy training for the workforce? What is the organization's breach history, and how were breaches reported and remediated? Are Business Associate Agreements in place with all vendors that create, receive, maintain, or transmit PHI on the organization's behalf? What is the organization's HHS OCR enforcement history and current audit or investigation status? HIPAA findings in due diligence drive representations and warranties, pre-close remediation requirements, and in some cases escrow arrangements for potential OCR enforcement liability.

Related: Compliance Risk Assessment for HIPAA Programs

HIPAA Security Rule compliance programs benefit substantially from a formal compliance risk assessment that maps the specific Administrative, Physical, and Technical safeguards against the organization's current implementation state. For healthcare organizations subject to additional frameworks (HITRUST, state-level health information privacy laws, payment card data handling), the compliance risk assessment also identifies overlapping control requirements that can be addressed through unified programs rather than parallel work.

Real-World Example: Advocate Health Care — Stolen Devices, PHI, and $5.55M

In August 2016, HHS reached a $5.55 million settlement with Advocate Health Care Network, at the time the largest HIPAA settlement against a single entity, following three 2013 incidents that together exposed the ePHI of roughly 4 million individuals: the theft of four unencrypted desktop computers from an Advocate administrative office, a compromise of a business associate's network, and the theft of an unencrypted laptop from a workforce member's unlocked vehicle. OCR found that Advocate had failed to conduct an accurate and thorough enterprise-wide risk analysis as required by the Security Rule, had failed to implement policies and procedures limiting physical access to electronic information systems in a large data support center, had failed to obtain satisfactory assurances in a business associate agreement that the vendor would safeguard PHI, and had failed to reasonably safeguard the laptop. The settlement amount reflected both the number of individuals affected and the number of distinct compliance failures underlying the breaches. The case is also a standard illustration of the encryption safe harbor: ePHI on a device encrypted consistent with HHS guidance is not "unsecured" PHI, so the loss or theft of that device would not have been a reportable breach.

$10.93M

Average cost of a healthcare data breach in 2023, per IBM's Cost of a Data Breach Report: the highest of any industry sector, more than double the cross-industry average of $4.45 million, and up 53% since 2020. Healthcare's combination of sensitive data, regulatory liability, and operational criticality (a ransomware outage can halt patient care, not just revenue) makes it the most expensive breach sector.

How Cloudskope Can Help

Cloudskope's healthcare sector cyber risk assessments include comprehensive HIPAA Security Rule evaluation — assessing risk analysis adequacy, technical safeguard implementation, breach notification compliance history, and business associate agreement coverage. For PE sponsors acquiring healthcare organizations, HIPAA compliance assessment is a standard component of our M&A cyber due diligence program.