What is HIPAA compliance?

HIPAA is a federal law regulating how certain organizations involved in the provision of health care handle and secure health information.

Learning Objectives

After reading this article you will be able to:

  • Explain what HIPAA compliance is
  • Understand why HIPAA matters
  • Explore recommendations to maintain HIPAA compliance

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is HIPAA?

The U.S. Health Insurance Portability and Accountability Act (HIPAA) is a federal law that regulates how health information is handled and secured. HIPAA helps ensure the protection of health information by requiring security controls for electronic health information and mandating privacy practices.

HIPAA impacts two main types of organizations: "covered entities" such as healthcare providers, health plans, and healthcare clearinghouses; and “business associates” of covered entities, such as billing companies, electronic health record (EHR) vendors, consultants, or IT providers.

What is Protected Health Information (PHI)?

Protected Health Information (PHI) is any individually identifiable health information relating to the provision of healthcare that covered entities and business associates create, receive, store, or transmit. PHI is a type of personally identifiable information (PII), which is data that can be used to identify an individual.

Below are data fields that may be PHI if processed by a covered entity or business associate and to the extent the data is associated with the provision of healthcare:

  • Name
  • Address
  • Fingerprints
  • Facial recognition
  • Social Security number
  • Date of birth
  • Health insurance information
  • Medical record numbers
  • Account numbers
  • IP addresses
  • Billing records

One important note is that PHI can occur in multiple forms, from written to oral to electronic data.

Suppose Michael visits a general practitioner for the first time, and the practitioner's office records Michael's name and address, takes his health insurance information, and requests his medical records from his previous provider verbally. All of this written and oral data is considered PHI and must be protected.

Now suppose Michael has a telehealth appointment with this same practitioner the next week. Information about Michael's online activities that reveal details about his telehealth appointment may also be considered PHI, even though it is electronic, rather than a written or oral piece of information.

What is HIPAA Privacy Rule and Security Rule?

The HIPAA Privacy Rule requires covered entities and business associates to build in appropriate privacy safeguards and policies to protect PHI. There are strict regulations around what an organization is allowed to do with PHI without an individual’s consent, and the Privacy Rule grants individuals the right to know how their data is being used and/or request corrections.

The HIPAA Security Rule requires administrative, physical, and technical safeguards to appropriately handle PHI electronically, from ensuring secure facility access and device control, designating security personnels, and implementing workforce training, to conducting risk analysis.

Why is HIPAA important?

The HIPAA Security and Privacy Rules are important in assuring that individuals’ health information is properly protected while allowing for the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being. These rules are particularly important given the diversity of the healthcare marketplace, the variety of uses and disclosures that need to be addressed, and the influx of innovative new technologies in the healthcare field, including telehealth, remote therapy, electronic health records, device-based health monitoring, and AI-assisted care. In particular, each of these new innovative technologies come with their own unique security and privacy challenges that organizations are required to address under the HIPAA Security and Privacy Rules.

What are common HIPAA compliance violations?

HIPAA violations can lead to hefty penalties and legal action. Some of the most common violations include:

  • Data breaches resulting from a failure to adequately secure PHI, such as theft of PHI for profit or personal gain
  • Unauthorized access to or inappropriate disclosure or use of PHI data
  • Inadequate and poor training of employees handling PHI
  • Failure to appropriately notify relevant authorities and individuals after a data breach
  • Lack of required physical, technical, and administrative safeguards

Imagine that Michael’s doctor left the patient form with Michael’s name, date of birth, Social Security number, and medical concerns in the waiting room for 24 hours, where it could be accessed by any patient or staff member. Then, imagine that the doctor uploaded Michael’s health information to an online portal, which was not password protected. Both situations are examples of HIPAA compliance violations.

What are the penalties for HIPAA violations?

Penalties for HIPAA noncompliance are significant, and can range from $100 per violation to $1.5 million per provision annually. The Office for Civil Rights (OCR) categorizes HIPAA violations based on severity and willful neglect.

  • Tier I: Unaware of violation. The entity is unaware of its noncompliance with HIPAA regulations, and penalties range from $100 to $50,000 per violation, with the maximum penalty at $25,000 a year.
  • Tier II: Reasonable cause. The entity did not act with wilful negligence. Penalties for Tier II violations range from $1,000 to $50,000 per instance, with a maximum penalty of $100,000 per year.
  • Tier III: Willful neglect that is corrected within 30 days of discovery. The penalties can range from $10,000 to $50,000 per violation, and can reach up to a maximum of $250,000 a year.
  • Tier IV: Willful neglect that is not corrected within 30 days. As the most severe tier, penalties for Tier IV violations can reach up to $1.5 million per provision each year.

How do cloud providers maintain HIPAA compliance?

Cloud providers must enter a HIPAA-compliant business associate agreement (BAA) with their customers in order to create, receive, maintain, or transmit PHI. A BAA requires the cloud service provider to provide appropriate protections for PHI, and to conduct risk analyses to identify potential vulnerabilities. It may also include specific instructions about data availability, backups, disaster recovery, and data retention.

Cloud service providers are also liable for any unauthorized disclosures of PHI, or failure to protect PHI or notify relevant authorities of a data breach.

Best practices for HIPAA compliance

Here are six recommendations for ensuring HIPAA compliance:

  1. Identify unique risks and create policies to manage those risks, including training programs and established breach notification policies.
  2. Monitor the use of PHI and minimize access to protected data where possible.
  3. Conduct regular and comprehensive risk analysis, including security and compliance audits.
  4. Build in physical and digital safeguards such as password protection, device and media usage restrictions, and access controls.
  5. Incorporate technical safeguards such as audit controls, encryption, and authentication policies.
  6. Implement security processes and infrastructure to help trusted vendors properly handle PHI.

How Cloudflare helps organizations comply with HIPAA?

Cloudflare provides cloud-based network, application and enterprise security services that can help organizations meet the stringent technical requirements of the HIPAA Security Rule and avoid inadvertent disclosure or misuse of PHI in violation of the HIPAA Privacy Rule. These services include the following:

  • Cloudflare Zero Trust. Cloudflare’s Zero Trust product suite includes access control and data loss prevention features that allow organizations to granularly restrict access to PHI on your network and prevent the unauthorized disclosure of PHI out of your network.
  • Cloudflare Network Services. Cloudflare’s Network Services product suite allows organizations to establish a secure network boundary for your organization in compliance with the HIPAA Security Rule.
  • Cloudflare Application Services. Cloudflare’s Application Services product suite provides robust protection for patient websites and applications.

Cloudflare’s products also comply with industry-recognized security and privacy standards, including ISO 27001, ISO 27701, SOC 2, and the EU Cloud Code of Conduct. While HIPAA does not provide for formal validation of compliance, Cloudflare’s network, management infrastructure, and processes are consistent with the HIPAA Security and Privacy Rules and related regulations.

Learn more about Cloudflare and US privacy law here.