What is HIPAA Security? Understanding Healthcare Data Protection
HIPAA security rules govern electronic health information protection for healthcare organizations. Learn the Security Rule requirements, enforcement, and what HIPAA compliance means in M&A.
The HIPAA Security Rule: Technical Safeguards
The HIPAA Security Rule establishes the federal standards for protecting electronic protected health information (ePHI) — health information that is created, received, maintained, or transmitted in electronic form. It applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and business associates who handle ePHI on their behalf.
The Security Rule is organized around three categories of safeguards: administrative, physical, and technical. Technical safeguards are the technology and policy controls most directly relevant to cybersecurity. The Rule defines five technical safeguard standards: access control (unique user identification, emergency access procedures, automatic logoff, and encryption and decryption), audit controls (hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI), integrity (mechanisms to confirm that ePHI has not been improperly altered or destroyed), person or entity authentication, and transmission security (integrity controls and encryption for ePHI sent over electronic communications networks). The standards themselves are mandatory, but the Rule distinguishes "required" implementation specifications (for example unique user identification) from "addressable" ones (for example automatic logoff and encryption). An addressable specification may be skipped only if the organization documents why it is not reasonable and appropriate and implements an equivalent alternative where one is reasonable; an undocumented decision not to encrypt is, in enforcement practice, treated as a failure to implement the specification rather than as an exercised option.
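The audit and integrity standards above are easiest to understand as code. The following added example (not from the original page, and not Cloudskope's or any vendor's implementation) computes an HMAC-based integrity tag over each ePHI record and keeps a hash-chained, append-only audit log, then verifies both against three tampering cases: an altered record, a deleted log entry, and a truncated log. The key, patient records, user names and timestamps are constructed for the demonstration; the separately stored chain head is an assumption about how a real deployment would anchor the log.

```python
import hashlib
import hmac
import json

# Hypothetical audit/integrity key for the demo. In production this lives in an
# HSM or KMS and is never stored beside the log or the records it protects.
AUDIT_KEY = b"example-audit-key-do-not-use"

GENESIS = "0" * 64  # chain anchor before the first entry


def canonical(obj) -> bytes:
    """Stable serialization so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_tag(key: bytes, record: dict) -> str:
    """Integrity control: HMAC-SHA256 over a canonical ePHI record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


class AuditLog:
    """Audit control: append-only log where each entry's MAC covers the previous MAC."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []
        self.prev = GENESIS

    def append(self, user: str, action: str, record_id: str, ts: str) -> dict:
        body = {"ts": ts, "user": user, "action": action,
                "record_id": record_id, "prev": self.prev}
        mac = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        entry = dict(body, mac=mac)
        self.entries.append(entry)
        self.prev = mac  # new chain head
        return entry


def verify_chain(key: bytes, entries: list, expected_head: str = None) -> tuple:
    """Return (ok, index) where index is the first bad entry, -1 if the chain is intact.

    expected_head is the last MAC as recorded in a separate system; without it a
    truncated log (trailing entries removed) still verifies as a valid shorter chain.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "mac"}
        if body.get("prev") != prev:
            return False, i  # link broken: an entry before this one was removed or reordered
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e.get("mac", "")):
            return False, i  # entry contents edited in place
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)  # log was truncated after the stored head
    return True, -1


def demo() -> dict:
    # Constructed sample ePHI records (fictional patients), not real data.
    records = {
        "P-1001": {"patient": "Jane Roe", "dob": "1970-01-01", "dx": "E11.9"},
        "P-1002": {"patient": "John Doe", "dob": "1985-06-15", "dx": "I10"},
    }
    tags = {rid: record_tag(AUDIT_KEY, rec) for rid, rec in records.items()}

    log = AuditLog(AUDIT_KEY)
    log.append("nurse.a", "read", "P-1001", "2024-03-01T08:00:00Z")
    log.append("dr.b", "update", "P-1002", "2024-03-01T08:05:00Z")
    log.append("nurse.a", "read", "P-1002", "2024-03-01T08:07:00Z")
    head = log.prev  # assumption: the head is persisted somewhere the log writer cannot touch

    out = {"clean": verify_chain(AUDIT_KEY, log.entries, head)}

    # 1. A diagnosis is altered in place: the stored tag no longer matches.
    tampered = dict(records["P-1002"], dx="Z00.00")
    out["record_tamper"] = hmac.compare_digest(tags["P-1002"], record_tag(AUDIT_KEY, tampered))

    # 2. The middle audit entry is deleted to hide the update: the next link breaks.
    holey = log.entries[:1] + log.entries[2:]
    out["deleted_entry"] = verify_chain(AUDIT_KEY, holey, head)

    # 3. The last entry is dropped: only the separately stored head catches this.
    truncated = log.entries[:2]
    out["truncated_no_head"] = verify_chain(AUDIT_KEY, truncated)
    out["truncated_with_head"] = verify_chain(AUDIT_KEY, truncated, head)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The truncation case is the one most audit-log designs miss: a hash chain proves nothing about entries removed from its end, so the current head has to be written somewhere the log writer cannot reach (a WORM bucket, a separate signing service, or periodic anchoring in another system) for the verification to mean anything.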
The Risk Analysis Requirement
The foundational requirement of the HIPAA Security Rule, and the one most frequently cited in enforcement actions, is the risk analysis at 45 CFR 164.308(a)(1)(ii)(A): an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the organization holds, not just the ePHI in its primary clinical systems. The risk analysis is not a one-time exercise; it must be redone when material changes to the environment occur (new systems, new vendors, a merger) and reviewed and updated periodically in between. An organization that cannot produce a current, enterprise-wide risk analysis document is in violation of the most fundamental Security Rule requirement, regardless of how many other security controls it has implemented, because it cannot show that those controls were chosen in response to identified risks.
HIPAA Enforcement and Breach Notification
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services, and in some cases the media following the discovery of a breach of unsecured PHI. "Unsecured" is the operative word: PHI that has been encrypted in line with HHS guidance (and whose keys were not also compromised) is considered secured, so its loss or theft is not a reportable breach. Notification to individuals must occur without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must be reported to HHS within the same 60-day window and, where more than 500 residents of a single state or jurisdiction are affected, to prominent media outlets serving that state; smaller breaches are logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered.
HIPAA enforcement is conducted by the HHS Office for Civil Rights (OCR). Civil monetary penalties for HIPAA violations are tiered by culpability, from a minimum of $137 per violation where the entity did not know and could not reasonably have known of the violation, up to $68,928 per violation for willful neglect not corrected within 30 days, with an annual cap of approximately $2.07 million per identical provision (figures as inflation-adjusted in 2023). Penalties are calculated per violation, per year of violation, so a single failure such as a missing risk analysis that persists across several years can reach the cap in each of those years and produce multi-million dollar settlements. The 2023 HHS settlement with Banner Health for $1.25 million, following a breach that affected 2.8 million patients, is a representative example of enforcement scale.
HIPAA in M&A: Healthcare Sector Due Diligence
HIPAA compliance is a material consideration in acquisitions of healthcare organizations. Historical HIPAA violations — particularly undisclosed breaches that triggered notification obligations the organization did not fulfill — represent regulatory liability that transfers with the acquisition. The OCR can investigate and penalize organizations for violations that occurred before the current ownership if the organization continues to operate the covered entity.
In Cloudskope's healthcare sector M&A due diligence engagements, HIPAA assessment covers: the adequacy of the most recent risk analysis, breach history and notification compliance, business associate agreement coverage for all relevant vendors, technical control implementation against Security Rule requirements, and current OCR investigation or audit status. HIPAA findings in due diligence drive representations and warranties, pre-close remediation requirements, and in some cases escrow arrangements for potential OCR enforcement liability.
Real-World Example: Advocate Health Care — Stolen Computers, PHI, and $5.55M
In August 2016, HHS reached a $5.55 million settlement with Advocate Health Care Network, the largest HIPAA settlement at the time, resolving three separate breaches that together involved the ePHI of roughly 4 million patients. The largest was the theft of four unencrypted desktop computers from an Advocate administrative office; the other two were unauthorized access to the network of a business associate that handled Advocate's PHI and the theft of an unencrypted laptop from an unlocked vehicle. OCR's investigation found that Advocate had failed to conduct an accurate and thorough enterprise-wide risk analysis as required by the Security Rule, had insufficient policies and facility access controls for limiting physical access to systems holding ePHI, and had failed to obtain a business associate agreement with the vendor whose network was accessed. The settlement amount reflected both the number of affected individuals and the number of distinct compliance failures underlying the incidents. Had the stolen devices been encrypted in line with HHS guidance, the data on them would have been "secured" and the thefts would not have been reportable breaches.
[Figure: average cost of a healthcare data breach in 2023, the highest of any industry sector.] Healthcare's combination of sensitive data, regulatory liability, and operational criticality makes it the most expensive breach sector.