Tier 1 — Regulatory Mandate

HIPAA – Health Insurance Portability and Accountability Act Compliance Guide

Publisher: U.S. Department of Health and Human Services (HHS)

Version: v1

Last verified: February 15, 2026

Frameworks: HIPAA

Industries: healthcare, life sciences

HIPAA – Overview

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted on August 21, 1996 (Public Law 104-191) that establishes national standards for the protection of individually identifiable health information. HIPAA's Administrative Simplification provisions — codified primarily in 45 CFR Parts 160 and 164 — mandate that covered entities and their business associates implement safeguards to ensure the confidentiality, integrity, and availability of Protected Health Information (PHI) and electronic Protected Health Information (ePHI).[cite:1][cite:2][cite:3][cite:4]

HIPAA is administered and enforced by the U.S. Department of Health and Human Services (HHS), primarily through its Office for Civil Rights (OCR). Criminal violations are referred to the U.S. Department of Justice (DOJ) for prosecution. The law has been significantly amended over time — most notably by the HITECH Act of 2009 and the HIPAA Omnibus Rule of 2013 — and continues to evolve through proposed rulemaking that targets modern cybersecurity threats and emerging technologies such as artificial intelligence.[cite:5][cite:6][cite:7][cite:8][cite:9]

HIPAA comprises five titles, but the provisions most relevant to compliance fall under Title II (Administrative Simplification), which includes the Privacy Rule, Security Rule, Breach Notification Rule, Enforcement Rule, and Transaction and Code Set Standards.[cite:10][cite:1]


HIPAA – What It Is

HIPAA is a comprehensive federal regulatory framework that serves two primary purposes: (1) ensuring the portability of health insurance coverage when individuals change or lose employment, and (2) establishing standards for the privacy, security, and electronic exchange of health information.[cite:1]

The Administrative Simplification provisions created a national floor for health data protection. The key regulatory components include:

  • Privacy Rule (45 CFR §164.500–534): Governs the use and disclosure of PHI in any form — oral, written, or electronic. Sets individual rights including the right to access, amend, and receive an accounting of disclosures of their health information.[cite:11][cite:12]
  • Security Rule (45 CFR §164.302–318): Requires administrative, physical, and technical safeguards specifically for ePHI. Mandates risk analysis, workforce training, access controls, audit trails, and encryption among other controls.[cite:2][cite:13]
  • Breach Notification Rule (45 CFR §164.400–414): Requires notification to affected individuals, HHS, and in some cases the media when unsecured PHI is compromised.[cite:14][cite:15]
  • Enforcement Rule (45 CFR §160.300–552): Establishes procedures for compliance investigations, hearings, and the imposition of civil monetary penalties.[cite:10]
  • Transaction and Code Set Standards: Standardize the format and content of electronic healthcare transactions (e.g., claims, eligibility inquiries, payment remittance).[cite:16][cite:10]

HIPAA does not preempt state laws that provide greater privacy protections. Where state law is more protective of patient information, the stricter standard applies.[cite:10]


HIPAA – Who It Applies To

HIPAA applies to two primary categories of entities: Covered Entities and Business Associates.[cite:17][cite:16]

Covered Entities

Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a transaction for which HHS has adopted a standard. Health plans and clearinghouses are covered by definition; a provider becomes a covered entity only by conducting such a standard transaction electronically (for example, submitting a claim). The three categories are:[cite:16]

  1. Healthcare Providers — Hospitals, clinics, physicians, dentists, psychologists, chiropractors, nursing homes, pharmacies, home health agencies, and any other provider that transmits health information electronically in connection with covered transactions.[cite:16]
  2. Health Plans — Health insurance companies, HMOs, employer-sponsored health plans, government programs (Medicare, Medicaid, TRICARE, Veterans' health programs), and other entities that pay for healthcare.[cite:16]
  3. Healthcare Clearinghouses — Organizations that process nonstandard health information and convert data to conform with HIPAA Administrative Simplification standards (e.g., billing services, repricing companies, community health information systems).[cite:16]

Business Associates

A business associate is any person or entity (other than a member of a covered entity's workforce) that performs functions or activities on behalf of, or provides services to, a covered entity involving the use or disclosure of PHI. Examples include:[cite:18][cite:17]

  • Cloud service providers and SaaS platforms hosting ePHI
  • IT contractors and managed service providers
  • Claims processing and billing companies
  • Legal, actuarial, and consulting firms with PHI access
  • Health information exchanges
  • AI/ML platform vendors processing PHI

Business associates must enter into a Business Associate Agreement (BAA) and are directly liable for compliance with the Security Rule, certain Privacy Rule provisions, and the Breach Notification Rule under the HITECH Act and Omnibus Rule.[cite:19][cite:17]

Entities NOT Covered

Medical examiner and coroner offices, life insurance companies, employers (in their role as employers), workers' compensation carriers, and most schools and school districts are not covered entities under HIPAA. However, they may be subject to other privacy laws.[cite:20]


HIPAA – What It Requires – Privacy Rule

The HIPAA Privacy Rule (45 CFR §164.500–534) establishes national standards for the protection of PHI and applies to all forms of information — paper, oral, and electronic.[cite:12][cite:11]

Core Requirements

  • Permitted Uses and Disclosures: PHI may be used or disclosed without patient authorization for treatment, payment, and healthcare operations (TPO). Other disclosures require written patient authorization unless a specific exception applies (e.g., public health, law enforcement, judicial proceedings, research with IRB waiver).[cite:21][cite:1]
  • Minimum Necessary Standard: Covered entities must make reasonable efforts to limit uses, disclosures, and requests of PHI to the minimum necessary to accomplish the intended purpose. The standard does not apply to disclosures to or requests by a healthcare provider for treatment, uses or disclosures made to the individual, uses or disclosures made under the individual's written authorization, disclosures to the HHS Secretary for compliance investigations, and uses or disclosures required by law.[cite:22][cite:12]
  • Individual Rights:
    • Right to access their PHI (within 30 days of request)
    • Right to request amendments to their records
    • Right to an accounting of disclosures
    • Right to request restrictions on uses and disclosures
    • Right to request confidential communications
    • Right to receive a Notice of Privacy Practices (NPP)[cite:12]
  • Notice of Privacy Practices (NPP): Covered entities must provide individuals with a clear notice explaining how PHI may be used and disclosed, individual rights, and the entity's legal duties.[cite:23][cite:12]
  • De-Identification: HIPAA permits two methods for de-identifying PHI: the Expert Determination method (statistical/scientific analysis) and the Safe Harbor method (removal of 18 specific identifiers).[cite:24]
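The Safe Harbor method above can be partly automated. The following Python script is an added example written for this guide, not code from HHS: it removes the direct-identifier fields, keeps only the year of dates related to the individual, collapses ages over 89 (and the birth year that would reveal them) into a single "90+" category, and truncates ZIP codes to three digits, or to 000 for the low-population prefixes listed in HHS guidance. The record schema, field names, sample record and the restricted-prefix list as reproduced here are assumptions to verify against your own data and current HHS guidance. What it cannot automate is the final Safe Harbor condition, that the entity has no actual knowledge the remaining data could identify the individual, nor free-text fields, which need the Expert Determination route or a separate scrubbing pass.

```python
"""Safe Harbor de-identification of a patient record.

Added example for this page; it is not HHS code. It automates the mechanical
Safe Harbor rules (drop the direct identifiers, keep only the year of dates
related to the individual, aggregate ages over 89 into "90+", and truncate ZIP
codes to three digits or 000). The record schema, field names and sample data
are assumptions constructed for the example.
"""
import re
from datetime import date

# Fields holding direct identifiers that Safe Harbor removes outright
# (field names are assumptions; map them to your own schema).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 or fewer people in the 2000 Census,
# as listed in HHS de-identification guidance; Safe Harbor requires these to be
# reported as 000. Re-verify against current HHS guidance before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code):
    """Keep the first three digits of a ZIP code, or 000 for restricted prefixes."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 3:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(dob, as_of):
    """Whole years of age as a string; everything over 89 collapses into '90+'."""
    birthday_passed = (as_of.month, as_of.day) >= (dob.month, dob.day)
    age = as_of.year - dob.year - (0 if birthday_passed else 1)
    return "90+" if age > 89 else str(age)


def deidentify(record, as_of):
    """Return a new dict with the Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            age = generalize_age(value, as_of)
            out["age"] = age
            # A birth year alone identifies someone over 89, so it is dropped too.
            if age != "90+":
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year
        else:
            out[key] = value
    return out


def safe_harbor_violations(record):
    """List fields of a supposedly de-identified record that still carry identifiers."""
    problems = [k for k in record
                if k in DIRECT_IDENTIFIER_FIELDS or k == "zip" or k in DATE_FIELDS]
    age = str(record.get("age", ""))
    if age.isdigit() and int(age) > 89:
        problems.append("age")
    zip3 = record.get("zip3")
    if zip3 is not None and (len(zip3) != 3 or zip3 in RESTRICTED_ZIP3):
        problems.append("zip3")
    return problems


# Constructed sample record (not real patient data).
AS_OF = date(2026, 2, 15)
SAMPLE = {
    "mrn": "MRN-0042",
    "name": "Constructed Patient",
    "dob": date(1931, 5, 20),
    "zip": "03601",
    "admit_date": date(2025, 2, 3),
    "diagnosis": "I10",
    "ip_address": "203.0.113.7",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE, AS_OF)
    print(clean)
    print("violations remaining:", safe_harbor_violations(clean))
```

On the constructed record the output keeps only an age category, a 000 ZIP prefix, an admission year and a diagnosis code. `safe_harbor_violations` is intended as a regression check over the output before a dataset is released: a single surviving field such as a full date of service is enough to re-identify a row.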

Administrative Requirements

  • Designate a Privacy Officer
  • Develop and implement written privacy policies and procedures
  • Train all workforce members on privacy policies
  • Establish sanctions for workforce members who violate policies
  • Mitigate harmful effects of known violations
  • Maintain privacy-related documentation for six years[cite:12][cite:10]

HIPAA – What It Requires – Security Rule

The HIPAA Security Rule (45 CFR §164.302–318) establishes standards for protecting ePHI through three categories of safeguards: administrative, physical, and technical.[cite:13][cite:3][cite:2]

Administrative Safeguards (§164.308)

Administrative safeguards constitute over half of the Security Rule's requirements:[cite:25]

  1. Security Management Process — Implement policies and procedures to prevent, detect, contain, and correct security violations. This includes conducting a thorough risk analysis and implementing a risk management program.[cite:26][cite:2]
  2. Assigned Security Responsibility — Designate a security official responsible for developing and implementing security policies.[cite:26]
  3. Workforce Security — Implement policies to ensure all workforce members have appropriate access to ePHI and to prevent unauthorized access.[cite:13]
  4. Information Access Management — Implement policies authorizing access to ePHI based on role and need-to-know.[cite:2]
  5. Security Awareness and Training — Implement a security awareness program for all workforce members including training on malicious software, login monitoring, and password management.[cite:26]
  6. Security Incident Procedures — Implement policies for identifying, responding to, and mitigating security incidents.[cite:2]
  7. Contingency Plan — Establish policies for responding to emergencies including data backup, disaster recovery, and emergency mode operations.[cite:2]
  8. Evaluation — Perform periodic technical and non-technical evaluations of security policies and procedures.[cite:26]
  9. Business Associate Agreements — Obtain satisfactory assurances from business associates that they will appropriately safeguard ePHI.[cite:13]

Physical Safeguards (§164.310)

  • Facility Access Controls — Limit physical access to facilities while ensuring authorized access; includes contingency operations plans, facility security plans, access control/validation procedures, and maintenance records.[cite:27][cite:13]
  • Workstation Use — Specify proper use of and access to workstations.[cite:27][cite:2]
  • Workstation Security — Implement physical safeguards for workstations accessing ePHI to restrict access to authorized users.[cite:2]
  • Device and Media Controls — Implement policies for disposal, re-use, accountability, and data backup/storage of electronic media containing ePHI.[cite:13]

Technical Safeguards (§164.312)

  • Access Control — Implement technical policies to allow only authorized access to ePHI, including unique user identification and emergency access procedures (required), and automatic logoff and encryption/decryption (addressable).[cite:17][cite:2]
  • Audit Controls — Implement hardware, software, and/or procedural mechanisms to record and examine activity in systems containing ePHI.[cite:2]
  • Integrity Controls — Implement policies and procedures to protect ePHI from improper alteration or destruction.[cite:2]
  • Person or Entity Authentication — Implement procedures to verify that a person or entity seeking access to ePHI is who they claim to be.[cite:2]
  • Transmission Security — Implement technical security measures to guard against unauthorized access to ePHI being transmitted over electronic networks; integrity controls and encryption are addressable specifications under this standard.[cite:17][cite:2]
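Audit Controls require that activity in ePHI systems be examined, not merely recorded, and the checks in the following Python script are the ones an access-review team typically starts with: minimum-necessary role-to-resource limits, a treatment relationship for clinical access, break-the-glass (emergency access) events surfaced for review, and accounts that defeat unique user identification. This is an added example written for this guide, not code from HHS or any EHR vendor; the log format, role and resource names, care-team table and the sample log lines are all constructed assumptions.

```python
"""Reviewing an ePHI access audit trail for policy violations.

Added example for this page; it is not code from HHS or any EHR vendor. The
Security Rule requires that activity in ePHI systems be recorded and examined
but does not prescribe the checks; the log format, role names, care-team table
and log lines below are all assumptions constructed for the example.
"""
import re
from collections import namedtuple

# Assumed log format: key=value pairs after an ISO-8601 timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S*) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) resource=(?P<resource>\S+)(?: reason=(?P<reason>\S+))?$"
)

# Minimum-necessary allowlist: resource types each role may read (assumed).
ROLE_RESOURCES = {
    "physician": {"clinical_note", "lab_result", "medication", "demographics"},
    "nurse": {"clinical_note", "lab_result", "medication", "demographics"},
    "billing": {"billing_record", "demographics"},
    "it_admin": set(),  # infrastructure staff get no read path to patient content
}
CLINICAL_ROLES = {"physician", "nurse"}

# Assumed care-team assignments: the treatment relationship that justifies
# clinical access under the minimum-necessary standard.
CARE_TEAM = {
    "P1001": {"dr_ortiz", "nurse_kim"},
    "P2002": {"dr_ortiz"},
}

# Accounts that defeat unique user identification (assumed naming).
GENERIC_ACCOUNTS = {"", "shared", "admin", "nurse", "frontdesk"}

Finding = namedtuple("Finding", "ts user patient rule")


def parse(line):
    """Return the event as a dict, or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review(lines):
    """Apply the policy checks to each log line and return the findings in log order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        if ev is None:
            # A line the reviewer cannot parse is itself a gap in the audit trail.
            findings.append(Finding("?", "?", "?", "unparseable log line"))
            continue
        ts, user, role = ev["ts"], ev["user"], ev["role"]
        patient, resource, action = ev["patient"], ev["resource"], ev["action"]
        if user in GENERIC_ACCOUNTS:
            findings.append(Finding(ts, user, patient, "shared or generic account"))
            continue  # no individual to attribute the remaining checks to
        if resource not in ROLE_RESOURCES.get(role, set()):
            findings.append(Finding(ts, user, patient, f"role {role} may not access {resource}"))
        if action == "emergency_view":
            # Break-glass access is permitted but every use is reviewed.
            reason = ev["reason"] or "MISSING"
            findings.append(Finding(ts, user, patient, f"break-glass access (reason={reason})"))
        elif role in CLINICAL_ROLES and user not in CARE_TEAM.get(patient, set()):
            findings.append(Finding(ts, user, patient, "no treatment relationship"))
    return findings


# Constructed sample audit trail (no real users or patients).
SAMPLE_LOG = """\
2026-02-10T14:02:11Z user=nurse_kim role=nurse action=view patient=P1001 resource=clinical_note
2026-02-10T14:05:40Z user=b_hale role=billing action=view patient=P1001 resource=clinical_note
2026-02-10T14:09:03Z user=dr_ortiz role=physician action=view patient=P1001 resource=lab_result
2026-02-10T14:12:57Z user=nurse_kim role=nurse action=view patient=P2002 resource=medication
2026-02-10T14:15:20Z user=dr_lee role=physician action=emergency_view patient=P2002 resource=clinical_note reason=ED-admit
2026-02-10T14:18:02Z user=shared role=nurse action=view patient=P1001 resource=clinical_note
2026-02-10T14:20:00Z malformed entry
"""

if __name__ == "__main__":
    for f in review(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.user:>10} {f.patient:>6}  {f.rule}")
```

In production the care-team table comes from the scheduling or ADT feed and the findings go to the Security Officer's review queue. The unparseable-line finding is deliberate: an audit trail the reviewer cannot read is exactly the kind of gap the Security Rule's periodic evaluation requirement is meant to surface.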

HIPAA – What It Requires – Breach Notification Rule

The HIPAA Breach Notification Rule (45 CFR §164.400–414) requires covered entities and business associates to provide notification following a breach of unsecured PHI. PHI is "unsecured" when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance, in practice encryption consistent with NIST standards or proper destruction; a lost laptop whose ePHI was encrypted and whose key was not also compromised therefore does not trigger notification.[cite:15][cite:14]

Definition of a Breach

A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. Any impermissible use or disclosure is presumed to be a breach unless the entity demonstrates, through a documented risk assessment covering the nature and extent of the PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation, that there is a low probability the PHI has been compromised. There are three exceptions:[cite:14]

  1. Unintentional acquisition by a workforce member acting in good faith within the scope of authority
  2. Inadvertent disclosure between authorized persons within the same covered entity or business associate
  3. Disclosure where the unauthorized person could not reasonably have retained the information[cite:14]

Notification Requirements

Notification Type | Trigger | Timeline | Method
--- | --- | --- | ---
Individual Notice | Any breach of unsecured PHI | Without unreasonable delay, and no later than 60 days after discovery | Written notice by first-class mail, or email if the individual has agreed to electronic notice [cite:15]
HHS Secretary (500 or more) | Breach affecting 500 or more individuals | Contemporaneously with individual notice, and no later than 60 days after discovery | Online HHS breach portal; posted publicly on the OCR breach site [cite:28]
HHS Secretary (fewer than 500) | Breach affecting fewer than 500 individuals | Within 60 days after the end of the calendar year in which the breach was discovered | Annual log submission via the HHS breach portal [cite:15][cite:28]
Media Notice | Breach affecting more than 500 residents of a single state or jurisdiction | Without unreasonable delay, and no later than 60 days after discovery | Notice to prominent media outlets serving the state or jurisdiction [cite:28]

Content of Individual Notices

All breach notifications to individuals must include:[cite:15]

  • A description of the breach and date of discovery
  • The types of PHI involved
  • Steps individuals should take to protect themselves
  • Measures the organization is taking to investigate and mitigate harm
  • Contact information for the organization

Business Associate Obligations

Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. The BA should provide the covered entity with the identification of each individual affected and any other available information required for the covered entity to fulfill its notification obligations.[cite:29][cite:14]


HIPAA – What It Requires – Transaction Standards and Code Sets

HIPAA mandates that covered entities conducting electronic healthcare transactions use standardized formats and code sets established by HHS under 45 CFR Part 162.[cite:10][cite:16]

Covered Transactions

  • Healthcare claims or equivalent encounter information
  • Payment and remittance advice
  • Healthcare claim status
  • Eligibility for a health plan
  • Enrollment and disenrollment in a health plan
  • Coordination of benefits
  • Health care electronic funds transfers (EFT)
  • Referral certification and authorization[cite:16]

Key Standards

  • Transaction Standards: ASC X12 Version 5010 for electronic claims, eligibility, and other transactions
  • Code Sets: ICD-10-CM/PCS, CPT-4, HCPCS, CDT, NDC
  • Unique Identifiers: National Provider Identifier (NPI) for providers and Employer Identification Number (EIN) for employers. A Health Plan Identifier (HPID) was adopted in 2012, but HHS rescinded the requirement in 2019, so health plans are no longer required to obtain one.[cite:30][cite:10]

HIPAA – What It Requires – Business Associate Agreements

Covered entities must execute Business Associate Agreements (BAAs) with all business associates before disclosing PHI.[cite:18][cite:17]

BAA Requirements

A compliant BAA must include:

  • Description of the permitted and required uses/disclosures of PHI by the business associate
  • A prohibition against uses or disclosures not permitted by the agreement or by law
  • Requirement to implement appropriate safeguards (including the Security Rule requirements for ePHI)
  • Requirement to report security incidents and breaches of unsecured PHI
  • Requirement that the BA ensure any subcontractors agree to the same restrictions and conditions
  • Requirement to make PHI available to individuals exercising their rights under the Privacy Rule
  • Requirement to make internal practices and records available to HHS for compliance audits
  • Requirement to return or destroy PHI at the termination of the agreement
  • Authorization for the covered entity to terminate the contract if the BA violates the agreement[cite:17][cite:13]

Under the HITECH Act and Omnibus Rule, business associates are directly liable for compliance and subject to the same civil and criminal penalties as covered entities.[cite:31][cite:19]


HIPAA – What It Requires – Administrative Requirements

Beyond the specific rules, HIPAA imposes overarching administrative compliance obligations:[cite:10]

  • Policies and Procedures: Maintain written, up-to-date policies and procedures implementing all HIPAA requirements
  • Documentation Retention: Maintain all HIPAA-related documentation for a minimum of six years from the date of creation or the date last in effect
  • Training: Provide HIPAA training to all workforce members at hiring and periodically thereafter; document training activities
  • Sanctions Policy: Apply appropriate sanctions against workforce members who violate HIPAA policies
  • Complaint Process: Establish a process for individuals to file complaints about the entity's HIPAA practices
  • Non-Retaliation / Whistleblower Protections: Prohibit retaliation against individuals who file HIPAA complaints or report violations
  • Mitigation: Take reasonable steps to mitigate known harmful effects of a use or disclosure in violation of HIPAA policies[cite:12][cite:10]

HIPAA – Governance Implications

HIPAA compliance has significant governance implications for all covered entities and business associates, particularly as healthcare organizations adopt AI, cloud computing, and other emerging technologies.[cite:32][cite:24]

Organizational Governance

  • Privacy and Security Officers: Organizations must designate a Privacy Officer and a Security Officer (may be the same individual in smaller organizations) who are responsible for developing, implementing, and maintaining compliance programs.[cite:26][cite:12]
  • Risk Management Framework: HIPAA requires an ongoing risk analysis and risk management process — not a one-time assessment. Organizations must regularly evaluate threats and vulnerabilities to ePHI and implement measures to reduce risks to a reasonable and appropriate level.[cite:9][cite:2]
  • Board and Executive Accountability: While HIPAA does not explicitly require board-level oversight, enforcement trends and the scale of penalties make HIPAA compliance a board governance issue. Organizations should integrate HIPAA compliance into enterprise risk management frameworks.[cite:5]

AI and Emerging Technology Governance

Healthcare organizations deploying AI/ML systems that process PHI face heightened governance obligations:[cite:24][cite:32]

  • PHI in AI Pipelines: ePHI created, received, maintained, or transmitted via AI platforms is covered by HIPAA. Organizations must conduct risk assessments specific to AI tools and monitor them for vulnerabilities.[cite:33][cite:24]
  • Business Associate Requirements: Third-party AI vendors processing PHI must be covered by BAAs. Organizations should verify that vendors maintain HIPAA-compliant security controls and conduct audits of their AI platforms.[cite:24]
  • Algorithmic Bias and Transparency: While not explicitly a HIPAA requirement, AI governance policies should address algorithmic bias in clinical decision-making, as biased outcomes can erode patient trust and trigger regulatory scrutiny under non-HIPAA authorities.[cite:24]
  • De-Identification Risks: AI models trained on PHI can potentially re-identify de-identified data. Organizations must evaluate whether their AI implementations maintain the integrity of HIPAA's de-identification standards.[cite:24]
  • Proposed Security Rule Provisions: The January 2025 Security Rule NPRM explicitly addresses emerging technologies including AI, quantum computing, and virtual/augmented reality, requiring organizations to assess how these technologies affect ePHI security even if not yet deployed.[cite:9]

Shared Responsibility in Cloud Environments

Cloud-based platforms such as Salesforce Health Cloud require a shared responsibility model: the cloud provider secures the infrastructure, but the covered entity retains full responsibility for data classification, access control configuration, and ongoing compliance monitoring.[cite:17]

E/A/D Axis Integration

Axis | Level | HIPAA Controls
--- | --- | ---
E — Error | E2 | Privacy Rule minimum-necessary standard, Security Rule risk analysis and access controls, de-identification safeguards; errors expose PHI and carry legal consequences
A — Authority | A3 | Designated Privacy and Security Officers, Business Associate Agreements, risk management framework, workforce training; regulated system of record required
D — Defensibility | D2 | 60-day breach notification to HHS and individuals, OCR investigation cooperation, documented compliance programme, audit trails and access logs

HIPAA – Enforcement Penalties

HIPAA enforcement is carried out by OCR (civil penalties) and the DOJ (criminal penalties). Penalties have been adjusted for inflation and are tiered based on the level of culpability.[cite:7][cite:5]

Civil Monetary Penalties (2025 Updated Figures)

Tier | Description | Minimum Per Violation | Maximum Per Violation | Annual Cap (per identical provision)
--- | --- | --- | --- | ---
Tier 1 | Did not know (and could not reasonably have known) | $145 | $73,011 | $2,190,294 [cite:34]
Tier 2 | Reasonable cause, not willful neglect | $1,461 | $73,011 | $2,190,294 [cite:34]
Tier 3 | Willful neglect, corrected within 30 days | $14,602 | $73,011 | $2,190,294 [cite:34]
Tier 4 | Willful neglect, not corrected | $73,011 | $2,190,294 | $2,190,294 [cite:34]

Note: The annual cap shown is the inflation-adjusted statutory maximum of $1.5 million per identical provision per calendar year. Since April 2019, OCR has operated under a Notice of Enforcement Discretion that applies lower annual caps to Tiers 1–3 ($25,000, $100,000, and $250,000 before inflation adjustment) pending further rulemaking, so the effective exposure for anything short of uncorrected willful neglect is lower than the table suggests; confirm the current status of that notice before relying on either figure.[cite:35][cite:34]

Criminal Penalties (DOJ-Prosecuted)

Tier | Description | Fine | Imprisonment
--- | --- | --- | ---
Tier 1 | Knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA | Up to $50,000 | Up to 1 year [cite:36][cite:37]
Tier 2 | Offense committed under false pretenses | Up to $100,000 | Up to 5 years [cite:36]
Tier 3 | Offense committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm | Up to $250,000 | Up to 10 years [cite:36]

Criminal penalties apply to individuals (including employees) who knowingly obtain or disclose PHI in violation of HIPAA. Covered entities can also be prosecuted under principles of corporate criminal liability.[cite:6][cite:38]

Additional Enforcement Mechanisms

  • Corrective Action Plans (CAPs): OCR frequently requires organizations to implement multi-year corrective action plans alongside financial penalties, including new policies, staff training, and infrastructure improvements.[cite:31]
  • State Attorneys General: Under the HITECH Act, state attorneys general have authority to bring civil actions for HIPAA violations on behalf of state residents.[cite:35]
  • OCR Audit Program: OCR conducts periodic compliance audits of covered entities and business associates to assess compliance with the Privacy, Security, and Breach Notification Rules.[cite:39]

In 2024, HHS resolved multiple high-profile cases with penalties ranging from tens of thousands to millions of dollars, including against small and mid-sized providers.[cite:5]


HIPAA – Intersection With Other Frameworks

HIPAA does not exist in isolation. Organizations subject to HIPAA often must also comply with overlapping or complementary frameworks.[cite:40][cite:41]

NIST Cybersecurity Framework (CSF)

NIST CSF provides a voluntary framework of cybersecurity outcomes organized around core functions: Identify, Protect, Detect, Respond, and Recover, with Govern added as a sixth function in CSF 2.0 (February 2024). HHS has explicitly aligned the proposed 2025 Security Rule update with NIST CSF and with HHS's own Healthcare and Public Health Cybersecurity Performance Goals. NIST also publishes SP 800-66 (Revision 2, 2024), a dedicated resource for implementing the HIPAA Security Rule.[cite:41][cite:42][cite:9]

HITRUST CSF

HITRUST integrates requirements from HIPAA, NIST, ISO 27001/27002, COBIT, PCI DSS, GDPR, and others into a single certifiable framework. A HITRUST certification demonstrates compliance across multiple regulatory standards simultaneously, reducing redundant audit efforts. HITRUST is widely used in healthcare to satisfy BAA security assurance requirements.[cite:43][cite:44][cite:45]

SOC 2

SOC 2 (System and Organization Controls 2) audits evaluate a service organization's controls across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. While SOC 2 is not healthcare-specific, it overlaps significantly with HIPAA's Security Rule, and healthcare organizations frequently require SOC 2 reports from their technology vendors alongside BAAs.[cite:44][cite:43][cite:40][cite:41]

GDPR (EU General Data Protection Regulation)

Organizations operating internationally or processing health data of EU residents must comply with GDPR in addition to HIPAA. Key areas of overlap include data subject rights, breach notification, and data protection by design. GDPR imposes stricter consent requirements and broader individual rights (e.g., right to erasure) that go beyond HIPAA.[cite:40][cite:41]

42 CFR Part 2 (Substance Use Disorder Records)

Part 2 provides additional privacy protections for substance use disorder (SUD) patient records. In 2024, HHS finalized a rule aligning Part 2 more closely with HIPAA, allowing Part 2 data to flow under HIPAA-like permissions for TPO once patient consent is obtained.[cite:8]

FTC Health Breach Notification Rule

The FTC's Health Breach Notification Rule applies to entities not covered by HIPAA — such as health app developers, wearable device manufacturers, and personal health record vendors. It requires breach notification within 60 days, similar to HIPAA's Breach Notification Rule.[cite:46]

State Privacy Laws

Many states have enacted health privacy laws that are more protective than HIPAA (e.g., California's CMIA, Texas's medical privacy laws, New York's SHIELD Act). Where state law provides greater protections, HIPAA defers to the more protective standard.[cite:10]

Framework | Focus | Mandatory/Voluntary | Relationship to HIPAA
--- | --- | --- | ---
NIST CSF | Cybersecurity risk management | Voluntary (mandatory for federal agencies) | Explicitly mapped to the Security Rule [cite:9]
HITRUST CSF | Multi-framework compliance | Voluntary certification | Incorporates HIPAA requirements [cite:43]
SOC 2 | Service organization controls | Voluntary (market-driven) | Overlaps with Security Rule controls [cite:40]
GDPR | EU data protection | Mandatory for EU data subjects | Stricter consent; right to erasure exceeds HIPAA [cite:41]
42 CFR Part 2 | SUD records | Mandatory | Now more closely aligned with HIPAA [cite:8]
FTC HBNR | Non-HIPAA health apps/devices | Mandatory | Covers entities outside HIPAA scope [cite:46]

HIPAA – Recent Updates

January 2025: Proposed Security Rule Overhaul (NPRM)

On December 27, 2024, HHS/OCR published a Notice of Proposed Rulemaking (NPRM) for the most significant Security Rule update since the 2013 Omnibus Rule. The NPRM was added to the Federal Register on January 6, 2025, with a 60-day comment period ending March 7, 2025. HHS received over 4,000 comments. Key proposed changes include:[cite:4][cite:47][cite:9]

  • Elimination of "Addressable" vs. "Required" distinction: All implementation specifications would become mandatory.[cite:9][cite:2]
  • Mandatory encryption of ePHI at rest and in transit.[cite:48][cite:9]
  • Mandatory multi-factor authentication (MFA) for all ePHI access points.[cite:49][cite:9]
  • Annual technology asset inventory and network mapping.[cite:9]
  • Vulnerability scanning at least every six months; penetration testing at least annually.[cite:48][cite:9]
  • Network segmentation requirements.[cite:9]
  • Incident response and disaster recovery plans capable of restoring systems within 72 hours.[cite:2]
  • Annual compliance audits for both covered entities and business associates.[cite:9]
  • Emerging technology provisions addressing AI, quantum computing, and virtual/augmented reality.[cite:9]
  • Estimated implementation cost: $9.3 billion in the first year across the industry.[cite:4]

The fate of this NPRM is uncertain following President Trump's January 2025 Executive Order requiring a "Regulatory Freeze Pending Review". The proposed rule remains on HHS's official regulatory agenda for potential finalization in May 2026.[cite:33][cite:4]

2024: Reproductive Health Care Privacy Rule (Subsequently Vacated)

In 2024, the Biden Administration finalized a rule amending the HIPAA Privacy Rule to strengthen protections for reproductive health care information, prohibiting the use of PHI to investigate or impose liability for lawful reproductive care. Key provisions included:[cite:50][cite:12]

  • A new attestation requirement for requesters of reproductive health PHI
  • Updated NPP requirements
  • Restrictions on disclosures for investigation of lawful reproductive care

On June 18, 2025, a federal judge in the Northern District of Texas vacated the rule nationally, finding HHS exceeded its authority. On September 10, 2025, the Fifth Circuit dismissed an intervention appeal, leaving the vacatur in place. HHS has suspended enforcement actions for the vacated provisions. However, covered entities must still comply with surviving NPP requirements by February 16, 2026.[cite:51][cite:50][cite:23]

2024: 42 CFR Part 2 Alignment

HHS finalized a rule aligning substance use disorder patient records (42 CFR Part 2) more closely with HIPAA, allowing Part 2 data to flow under HIPAA-like permissions for treatment, payment, and healthcare operations once initial patient consent is obtained.[cite:8]

Ongoing Enforcement Trends

  • OCR enforcement actions continue to ramp up, with 2024 featuring multiple high-profile settlements including penalties for small and mid-sized providers.[cite:5]
  • Common enforcement targets include failure to conduct risk analyses, lack of timely breach notifications, improper record disposal, and impermissible PHI disclosures.[cite:5]
  • HHS penalty amounts are adjusted annually for inflation.[cite:34][cite:35]
  • The FTC has increased parallel enforcement under its Health Breach Notification Rule for entities outside HIPAA's scope.[cite:46]