
What is the Health Insurance Portability and Accountability Act (HIPAA)?

The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, is a US federal law that sets national standards for protecting sensitive patient health information from disclosure without consent.

From a cybersecurity perspective, HIPAA matters because it created the Security Rule, which specifically requires covered entities and their business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI).

These requirements include encryption for data at rest and in transit, access controls to limit who can view patient records, audit logging to track data access, and regular risk assessments to identify vulnerabilities. Healthcare providers, health plans, healthcare clearinghouses, and any vendors that handle patient data on their behalf must comply. The penalties for violations can be severe, ranging from $100 to $50,000 per violation, with annual maximums reaching $1.5 million per violation category.

What makes HIPAA particularly challenging from a security standpoint is that it sets performance standards rather than prescriptive technical requirements, meaning organizations must interpret how to implement appropriate safeguards for their specific environment. This flexibility is both a strength and a complication, especially as healthcare technology evolves and threat actors increasingly target medical data.

Origin

Congress passed HIPAA in 1996 primarily to address healthcare portability issues—allowing people to maintain insurance coverage when changing jobs. But lawmakers also recognized that the healthcare industry's increasing digitization created privacy risks. The initial Privacy Rule, finalized in 2000 and effective in 2003, established patient rights and limited how health information could be used and disclosed. The Security Rule followed in 2003, becoming enforceable in 2005, and specifically addressed electronic protected health information. This rule required covered entities to conduct risk analyses, implement policies and procedures, and deploy technical controls appropriate to their size and complexity.

The HITECH Act of 2009 significantly strengthened HIPAA by making business associates directly liable for compliance, increasing penalty amounts, and requiring breach notification when patient data is compromised. This was partly a response to the reality that many healthcare organizations were outsourcing data handling to third parties who weren't held to the same standards.

The enforcement landscape shifted dramatically after HITECH, with the Office for Civil Rights conducting more audits and imposing steeper fines for violations, particularly when organizations failed to conduct adequate risk assessments or left known vulnerabilities unaddressed.

Why It Matters

Healthcare data remains one of the most valuable targets for cybercriminals, worth significantly more on dark web markets than credit card numbers or Social Security numbers. Medical records contain everything an identity thief needs, and they can't be changed the way you'd cancel a credit card.

HIPAA compliance has become synonymous with healthcare cybersecurity, though the two aren't quite the same—you can be compliant on paper while still being vulnerable in practice. The challenge is that many healthcare organizations, especially smaller practices and regional hospitals, struggle with both the technical complexity and the cost of implementing robust security controls. Legacy medical devices often can't be patched or updated, creating persistent vulnerabilities.

The rapid shift to telehealth during recent years expanded the attack surface considerably, with patient data flowing through video platforms, patient portals, and mobile apps that weren't always designed with HIPAA requirements in mind. Ransomware attacks on healthcare organizations have increased sharply, with attackers knowing that hospitals may pay quickly to restore access to critical patient systems.

When a breach occurs, the consequences extend beyond regulatory fines to include lawsuits, reputational damage, and most importantly, potential harm to patient care when systems go offline.

The Plurilock Advantage

Plurilock helps healthcare organizations and their business associates navigate HIPAA's security requirements with practical, defensible approaches. Our risk assessments identify where your ePHI is actually at risk rather than just checking compliance boxes.

We implement technical safeguards like encryption, access controls, and audit logging that both satisfy regulatory requirements and actually defend against real threats. Our team includes practitioners who understand both the healthcare environment and the specific security challenges of medical systems.

Whether you need help with incident response when a breach occurs or ongoing monitoring to prevent one, we mobilize quickly—often in days rather than weeks. Learn more about our governance, risk, and compliance services tailored for organizations handling sensitive data.


