HIPAA Data Protection Requirements for Covered Entities
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes the foundational federal standard for protecting health information held by covered entities and their business associates. This page describes the regulatory structure, compliance obligations, and enforcement framework that govern how protected health information (PHI) must be handled across the U.S. healthcare sector. Compliance failures carry significant civil and criminal exposure, making accurate understanding of these requirements essential for legal, operational, and risk management functions.
Definition and scope
HIPAA's privacy and security requirements apply to covered entities — a statutory classification comprising three categories: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with covered transactions (HHS, "Covered Entities and Business Associates"). Business associates — third parties that perform functions on behalf of covered entities and access PHI — are also directly subject to HIPAA Rules under the HITECH Act of 2009.
The central protected category is Protected Health Information (PHI): individually identifiable health information relating to a person's past, present, or future physical or mental health, the provision of healthcare, or payment for care. PHI encompasses 18 specific identifier categories defined by the HHS Safe Harbor de-identification standard (45 CFR §164.514), including names, geographic data smaller than a state, dates (other than year) directly related to an individual, and biometric identifiers.
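The Safe Harbor method described above removes or generalizes identifier categories rather than encrypting them. The following is an added example, not code from the page or from HHS, showing how a de-identification step and a pre-release audit check might be implemented for a record. It covers only the four categories the page names (names, geographic data finer than a state, dates other than year, biometric identifiers); the full standard lists 18 categories, and the field names and the sample record are assumptions constructed for this example.

```python
"""Illustrative Safe Harbor-style de-identification of a patient record.

Added example, not from the page or HHS. It handles only the identifier
categories the page names; the full Safe Harbor method lists 18 categories
and must be consulted for a real program. Record field names are assumed.
"""
import copy
import re

# Assumed field -> identifier-category mapping (constructed for this example).
NAME_FIELDS = {"first_name", "last_name"}
SUB_STATE_GEO_FIELDS = {"street", "city", "zip"}     # anything finer than state
DATE_FIELDS = {"date_of_birth", "admission_date"}     # reduce to year only
BIOMETRIC_FIELDS = {"fingerprint_template"}

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
YEAR_ONLY = re.compile(r"^\d{4}$")


def deidentify(record: dict) -> dict:
    """Return a copy of `record` with the named identifier categories removed
    or generalized. Dates keep only the year; the input is not modified."""
    out = copy.deepcopy(record)
    for field in NAME_FIELDS | SUB_STATE_GEO_FIELDS | BIOMETRIC_FIELDS:
        out.pop(field, None)
    for field in DATE_FIELDS:
        value = out.get(field)
        if value is None:
            continue
        m = ISO_DATE.match(str(value))
        if m:
            out[field] = m.group(1)   # keep the year only
        else:
            out.pop(field)            # unparseable date: drop rather than leak it
    return out


def remaining_identifiers(record: dict) -> list:
    """Audit helper: list fields that still hold one of the named identifier
    categories, so a release can be blocked if de-identification missed one."""
    found = []
    for field in sorted(record):
        if field in NAME_FIELDS or field in SUB_STATE_GEO_FIELDS or field in BIOMETRIC_FIELDS:
            found.append(field)
        elif field in DATE_FIELDS and not YEAR_ONLY.match(str(record[field])):
            found.append(field)
    return found


# Constructed sample record for a fictional patient (not real data).
SAMPLE = {
    "first_name": "Alice",
    "last_name": "Example",
    "street": "12 Sample St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62701",
    "date_of_birth": "1980-04-17",
    "admission_date": "2024-02-03",
    "diagnosis_code": "E11.9",
    "fingerprint_template": "base64-template-bytes-here",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE)
    print(clean)
    print("remaining identifiers:", remaining_identifiers(clean))
```

The audit function is the part worth keeping in a pipeline: running it on the output, not just the input, turns the de-identification policy into a check that fails closed when a new field is added to the record schema without being classified.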
For context on how HIPAA interacts with other federal frameworks, the US Data Protection Laws Overview provides the broader legislative landscape.
How it works
HIPAA's compliance framework rests on three primary Rules, each administered by the HHS Office for Civil Rights (OCR):
- The Privacy Rule (45 CFR Part 164, Subparts A and E) — Establishes national standards for the use and disclosure of PHI, defines patient rights (access, amendment, accounting of disclosures), and requires covered entities to provide a Notice of Privacy Practices (NPP).
- The Security Rule (45 CFR Part 164, Subparts A and C) — Applies exclusively to electronic PHI (ePHI) and requires covered entities to implement administrative, physical, and technical safeguards. Safeguards are classified as either required (mandatory) or addressable (must be implemented, or a documented equivalent substitute adopted).
- The Breach Notification Rule (45 CFR Part 164, Subpart D) — Mandates notification to affected individuals within 60 days of discovering a breach of unsecured PHI, to HHS annually (or within 60 days if the breach affects 500 or more individuals in a state), and to prominent media outlets for breaches affecting 500 or more residents of a state or jurisdiction. Full procedural requirements are covered at Data Breach Notification Requirements.
The Security Rule's addressable versus required distinction is operationally significant. Required safeguards — such as unique user identification (§164.312(a)(2)(i)) — admit no substitution. Addressable safeguards — such as encryption of ePHI at rest (§164.312(a)(2)(iv)) — allow a covered entity to implement an equivalent alternative if encryption is documented as unreasonable or inappropriate, though OCR enforcement history shows that failure to encrypt is a recurring cited deficiency. See Data Encryption Standards Compliance for technical standard benchmarks relevant to ePHI handling.
A HIPAA Security Risk Analysis — a formal, documented assessment of threats and vulnerabilities to ePHI — is a required administrative safeguard under §164.308(a)(1). OCR has identified incomplete or absent risk analyses as the single most commonly cited violation finding across enforcement actions (HHS OCR HIPAA Audit Program).
Common scenarios
Covered entities encounter HIPAA obligations across a range of operational contexts:
- Vendor contracting: Before disclosing PHI to a business associate — a billing vendor, IT managed service provider, or cloud storage platform — a covered entity must execute a Business Associate Agreement (BAA) meeting §164.308(b)(1) requirements. The absence of a BAA is a direct Rule violation. Third-Party Vendor Data Security addresses the due diligence framework.
- Employee workforce access: The Minimum Necessary standard (§164.502(b)) requires covered entities to limit PHI access to the minimum needed to accomplish the intended purpose. Role-based access controls and workforce training programs are standard implementation mechanisms.
- Patient access requests: The Privacy Rule grants individuals the right to access their own PHI, with covered entities generally required to respond within 30 days. HHS issued guidance in 2023 reaffirming that fees for record requests must reflect actual labor and supply costs, not flat-rate charges (HHS Right of Access Initiative).
- Incident response: When a potential breach occurs, a four-factor risk assessment (nature of PHI, unauthorized person involved, whether PHI was acquired or viewed, mitigation extent) determines whether notification obligations are triggered. Incident Response Data Breach maps the procedural requirements.
Decision boundaries
HIPAA and state health privacy laws can coexist — HIPAA establishes a federal floor, not a ceiling. Where state law affords greater patient protections or more stringent requirements (as with certain mental health, reproductive health, or substance use disorder records), the more protective standard applies (45 CFR §160.203). The State Data Privacy Laws Comparison reference documents relevant state-level distinctions.
A key classification boundary involves the distinction between covered entities and entities that handle health data outside HIPAA's scope. A wellness app that collects health data but is not a HIPAA-defined covered entity or business associate is not bound by HIPAA — instead, it may fall under FTC Section 5 authority or state consumer privacy laws such as the CCPA/CPRA. See CCPA/CPRA Compliance Reference for the consumer health data treatment under that framework.
Civil monetary penalties under HIPAA are tiered across 4 culpability levels, ranging from $100 to $50,000 per violation, with an annual cap of $1,993,000 per violation category (HHS Civil Money Penalties) — a figure adjusted periodically for inflation under the Federal Civil Penalties Inflation Adjustment Act. Criminal penalties under 42 U.S.C. §1320d-6 extend to fines up to $250,000 and imprisonment up to 10 years for knowing violations.
References
- HHS Office for Civil Rights — HIPAA for Professionals
- HHS — Covered Entities and Business Associates
- 45 CFR Part 164 — Security and Privacy (eCFR)
- 45 CFR Part 160 — General Administrative Requirements (eCFR)
- HHS OCR HIPAA Audit Program
- HHS Right of Access Initiative
- HHS Civil Money Penalties
- NIST Special Publication 800-66 Rev. 2 — Implementing the HIPAA Security Rule