HIPAA (Health Insurance Portability and Accountability Act)

Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses. LinkedIn · About

Last reviewed · By Chad Griffith

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the US federal law under which HHS sets national standards for the privacy and security of protected health information (PHI). The implementing regulations are at 45 CFR Parts 160, 162, and 164. The Privacy Rule (Part 164 Subpart E) governs use and disclosure of PHI; the Security Rule (Subpart C) requires administrative, physical, and technical safeguards for electronic PHI (ePHI); the Breach Notification Rule (Subpart D) requires notification to affected individuals, to HHS, and in some cases to the media following a breach of unsecured PHI. HIPAA applies to 'covered entities' (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions) and to 'business associates' (vendors that create, receive, maintain, or transmit PHI on a covered entity's behalf). Civil money penalties are tiered by culpability; the figures on this page ($137 to $2,067,813 per violation) are HHS's October 2023 inflation adjustment, and HHS updates the table annually in 45 CFR 102.3, so confirm the current amounts before relying on them.

Frequently Asked Questions

Who must comply with HIPAA?

Per the definitions in 45 CFR 160.103, HIPAA covers three kinds of covered entity: (1) health plans (insurers, HMOs, ERISA group health plans, and government programs such as Medicare and Medicaid); (2) healthcare clearinghouses (billing services, repricing companies, and similar entities that convert health information between standard and non-standard formats); (3) healthcare providers that transmit health information electronically in connection with a transaction for which HHS has adopted a standard under 45 CFR Part 162. A provider that never conducts a standard transaction electronically is not a covered entity. Business associates (vendors that create, receive, maintain, or transmit PHI on a covered entity's behalf) and their subcontractors have been directly liable since the 2013 Omnibus Final Rule for the Security Rule and for the Privacy Rule provisions that apply to them, and must be bound by a business associate agreement.

What are the four HIPAA rules?

(1) Privacy Rule (45 CFR Part 164 Subpart E): governs use and disclosure of PHI and individuals' rights over it; (2) Security Rule (Subpart C): administrative, physical, and technical safeguards for ePHI; (3) Breach Notification Rule (Subpart D): notification requirements following a breach of unsecured PHI; (4) Enforcement Rule (45 CFR Part 160 Subparts C, D, E): compliance investigations, civil money penalty tiers, and hearing procedures.

What documents prove HIPAA compliance?

Required documentation: written Privacy and Security policies and procedures, a risk analysis under 164.308(a)(1)(ii)(A), a risk management plan under 164.308(a)(1)(ii)(B), a security incident response plan, business associate agreements (BAAs) with every vendor that handles PHI, workforce training records, a sanction policy and records of sanctions applied, an accounting of disclosures (164.528), and breach incident logs. Both rules impose a 6-year retention period, measured from the date of creation or the date the document was last in effect: 164.530(j) for Privacy Rule documentation and 164.316(b)(2)(i) for Security Rule documentation. The Security Rule also requires that documentation be reviewed periodically and updated in response to environmental or operational changes (164.316(b)(2)(ii) and (iii)), so a risk analysis dated years ago with no revision history is a common audit finding.

What are the current HIPAA penalty amounts?

Civil money penalties are tiered by culpability under 45 CFR 160.404. The amounts below are HHS's October 2023 inflation adjustment; HHS adjusts them each year in 45 CFR 102.3, so check the current table before quoting them. Tier 1 (did not know and could not reasonably have known): $137 to $68,928 per violation; Tier 2 (reasonable cause, not willful neglect): $1,379 to $68,928 per violation; Tier 3 (willful neglect, corrected within 30 days): $13,785 to $68,928 per violation; Tier 4 (willful neglect, not corrected): $68,928 to $2,067,813 per violation. The calendar-year cap for identical violations of the same provision is $2,067,813 at that adjustment. Since its April 2019 Notice of Enforcement Discretion, HHS has applied lower annual caps to Tiers 1 through 3 ($25,000, $100,000, and $250,000 before inflation adjustment), reserving the full statutory cap for Tier 4.

FileFlo classifies and tracks compliance documents against rule packs that map directly to the regulators referenced above. Run a free CFR-cited audit →