Skip to Content
Governance and Compliance

What Is HIPAA (the US Health Data Law)?

HIPAA (the Health Insurance Portability and Accountability Act) is the US federal law that protects health data. It requires health plans, healthcare providers and their vendors to safeguard a patient's health information, sets rules for privacy, security and breach notification, and is enforced by the government's civil rights office (OCR), which can fine violators. Because health data is a sensitive category under almost every privacy law, HIPAA reaches any organization, inside or outside the US, that handles the health data of US patients.

Zamak TechnologiesUpdated on July 10, 2026

How HIPAA works in practice

HIPAA is not software you install. It is a set of duties on whoever touches a patient's health information (PHI), from the electronic record to an email that mentions a diagnosis. The cycle has four parts.

1

Know who is subject to the law

HIPAA distinguishes the covered entity (health plan, provider, clearinghouse) from the vendor that handles PHI on its behalf (the business associate). A scheduling system, a cloud, a call center: all enter the chain of responsibility.

2

Protect PHI on three fronts

The Privacy Rule limits how information is used and disclosed; the Security Rule requires technical, physical and administrative controls over electronic PHI; the Breach Notification Rule requires telling those affected when a leak happens.

3

Formalize the tie with each vendor

Hiring a vendor that touches PHI without a data protection agreement (the BAA) does not transfer the risk: the covered entity still answers for what the vendor does.

4

Report a breach within the deadline

An incident that exposes PHI has to be reported to patients and to the civil rights office within a time set by law, not hidden until it surfaces.

Source: U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), and the HIPAA rules.

The three rules that make up HIPAA

  • Privacy Rule Defines what PHI is and limits how health information may be used and shared, giving the patient the right to access their own record.
  • Security Rule Requires administrative, physical and technical safeguards over PHI in electronic form, starting with a documented risk analysis.
  • Breach Notification Rule Requires notifying patients, the government and, in large incidents, the press, within set deadlines, when PHI is exposed.

Why health information is the most expensive target

US$7.42M
is the average cost of a breach in healthcare, the most expensive of all sectors for 14 years (IBM, 2025)
279 days
is the average time to identify and contain a healthcare data breach (IBM, 2025)
US$2.19M
is the annual fine ceiling per HIPAA violation category (HHS/OCR, 2025 adjustment)

Health data is worth more on the criminal market than a card number, because it cannot be canceled: a medical history does not expire. That translates into cost. Healthcare has been, for 14 straight years, the sector that pays most for a data breach: US$7.42 million on average per incident, against a US$4.44 million all-industry global average (IBM, 2025). And the exposure runs long, 279 days on average to identify and contain an incident in the sector. On the regulatory side, the US civil rights office can fine across several tiers of severity, with an annual ceiling of US$2.19 million per violation category (2025 adjustment). None of this depends on size: the law does not exempt the small clinic.

How an organization prepares for HIPAA

HIPAA compliance is not a certificate you hang on the wall, it is a routine that has to hold. The most direct path:

  1. Map where PHI lives and flowsList where health information is created, stored and transmitted, and who it passes through. Without that map, the risk analysis is blind.
  2. Run the risk analysis and treat what it findsIt is the control the regulator asks for most: identify the threats to electronic PHI and reduce each meaningful risk, with a record of what was done.
  3. Sign an agreement with every vendor that touches PHIEvery business associate needs a signed BAA. Without it, responsibility falls entirely on the covered entity.
  4. Have an incident response plan readyFiguring out the notification process during the breach costs days the law does not grant. A plan tested beforehand is what shortens the window.

In practice

The question that reveals the real risk: if the civil rights office asked today for the organization's PHI risk analysis, would someone hand over a current document, or a spreadsheet from three years ago?

How Zamak handles HIPAA compliance

Zamak Technologies supports HIPAA readiness as part of Governance and Compliance in the Zamak Method: control mapping, continuous evidence collection and an audit trail on a compliance platform. A good starting point is the Compliance Audit Express, which shows in minutes where the organization is most exposed.

Frequently asked questions about HIPAA

Does HIPAA only apply to US hospitals?
No. The law reaches health plans, providers and, above all, the vendors that handle health information on their behalf (the business associates), wherever they are. A technology company outside the US that processes a US patient's health data falls within the law's reach.
What is the difference between a covered entity and a business associate?
The covered entity is the one providing the health service or plan; the business associate is the vendor that touches PHI on its behalf, a system, a cloud, a call center. Both answer for HIPAA, and the tie between them needs a specific contract (the BAA).
What is PHI?
PHI (Protected Health Information) is any health information that can identify a person: diagnosis, test, history, together with data such as name, address and identifiers tied to that health context.
Does HIPAA require encryption?
The Security Rule treats encryption as an addressable item, not a mandate in every situation. In practice, when the risk analysis flags exposure of electronic PHI, encrypting is almost always the expected measure, and its absence weighs on the fine.
Does a small company have to comply with HIPAA?
Yes. There is no exemption based on size. The civil rights office factors size into how it scales the fine, not into the duty to protect PHI.
Are HIPAA and the LGPD the same thing?
No. HIPAA is specific to health data in the US; the LGPD (in Brazil) and the GDPR (in Europe) are general data protection laws that treat health as a sensitive category. A global organization usually answers to more than one at once.

Related terms

Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Detection and Response
EDRMDRXDRMITRE ATT&CKSIEMSOC (security operations center)
Network and Access
ZTNAFirewallVPNSASE
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessmentHIPAAPCI DSSGDPRCMMCCIS ControlsISO 42001 (AI management)NIST AI RMFNIST 800-171FTC SafeguardsISO 27701 (privacy)FedRAMPGRC (governance, risk, compliance)vCIOvCISO
Concepts and Fundamentals
Deep webZero TrustDefense in depthAttack surfaceEndpointLeast privilege
AI and Security
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake