What Is HIPAA (the US Health Data Law)?
HIPAA (the Health Insurance Portability and Accountability Act) is the US federal law that protects health data. It requires health plans, healthcare providers and their vendors to safeguard a patient's health information, sets rules for privacy, security and breach notification, and is enforced by the government's civil rights office (OCR), which can fine violators. Because health data is a sensitive category under almost every privacy law, HIPAA reaches any organization, inside or outside the US, that handles the health data of US patients.
How HIPAA works in practice
HIPAA is not software you install. It is a set of duties on whoever touches a patient's health information (PHI), from the electronic record to an email that mentions a diagnosis. The cycle has four parts.
Know who is subject to the law
HIPAA distinguishes the covered entity (health plan, provider, clearinghouse) from the vendor that handles PHI on its behalf (the business associate). A scheduling system, a cloud, a call center: all enter the chain of responsibility.
Protect PHI on three fronts
The Privacy Rule limits how information is used and disclosed; the Security Rule requires technical, physical and administrative controls over electronic PHI; the Breach Notification Rule requires telling those affected when a leak happens.
Formalize the tie with each vendor
Hiring a vendor that touches PHI without a data protection agreement (the BAA) does not transfer the risk: the covered entity still answers for what the vendor does.
Report a breach within the deadline
An incident that exposes PHI has to be reported to patients and to the civil rights office within a time set by law, not hidden until it surfaces.
Source: U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), and the HIPAA rules.
The three rules that make up HIPAA
- Privacy Rule Defines what PHI is and limits how health information may be used and shared, giving the patient the right to access their own record.
- Security Rule Requires administrative, physical and technical safeguards over PHI in electronic form, starting with a documented risk analysis.
- Breach Notification Rule Requires notifying patients, the government and, in large incidents, the press, within set deadlines, when PHI is exposed.
Why health information is the most expensive target
Health data is worth more on the criminal market than a card number, because it cannot be canceled: a medical history does not expire. That translates into cost. Healthcare has been, for 14 straight years, the sector that pays most for a data breach: US$7.42 million on average per incident, against a US$4.44 million all-industry global average (IBM, 2025). And the exposure runs long, 279 days on average to identify and contain an incident in the sector. On the regulatory side, the US civil rights office can fine across several tiers of severity, with an annual ceiling of US$2.19 million per violation category (2025 adjustment). None of this depends on size: the law does not exempt the small clinic.
How an organization prepares for HIPAA
HIPAA compliance is not a certificate you hang on the wall, it is a routine that has to hold. The most direct path:
- Map where PHI lives and flowsList where health information is created, stored and transmitted, and who it passes through. Without that map, the risk analysis is blind.
- Run the risk analysis and treat what it findsIt is the control the regulator asks for most: identify the threats to electronic PHI and reduce each meaningful risk, with a record of what was done.
- Sign an agreement with every vendor that touches PHIEvery business associate needs a signed BAA. Without it, responsibility falls entirely on the covered entity.
- Have an incident response plan readyFiguring out the notification process during the breach costs days the law does not grant. A plan tested beforehand is what shortens the window.
In practice
The question that reveals the real risk: if the civil rights office asked today for the organization's PHI risk analysis, would someone hand over a current document, or a spreadsheet from three years ago?
How Zamak handles HIPAA compliance
Zamak Technologies supports HIPAA readiness as part of Governance and Compliance in the Zamak Method: control mapping, continuous evidence collection and an audit trail on a compliance platform. A good starting point is the Compliance Audit Express, which shows in minutes where the organization is most exposed.