HIPAA: Health Insurance Portability and Accountability Act
HIPAA — the Health Insurance Portability and Accountability Act of 1996, plus the HITECH Act of 2009 and the Omnibus Rule of 2013 — governs the use and disclosure of Protected Health Information (PHI) by Covered Entities (health plans, healthcare clearinghouses, healthcare providers who transmit electronically) and their Business Associates. Pure pharma, supplement and food manufacturers rarely fall in scope. Radiopharmaceutical sites that handle patient identifiers (unit-dose dispense to a named patient) typically need a Business Associate Agreement (BAA) with the receiving hospital.
01 What HIPAA does
HIPAA establishes federal standards in the US for the protection of individually identifiable health information. The 1996 statute set the architecture; subsequent rules (Privacy Rule 2000, Security Rule 2003, Enforcement Rule 2006, Breach Notification Rule 2009, Omnibus Rule 2013) operationalised it. HITECH 2009 extended direct enforcement to Business Associates and introduced breach-notification timelines. OCR within HHS enforces, with civil penalties capped at a statutory base of USD 1.5 million per identical provision per calendar year (the amounts are inflation-adjusted annually) and the possibility of referral to the Department of Justice for criminal prosecution.
02 Who HIPAA applies to
- Covered Entities — health plans (insurers), healthcare clearinghouses, and healthcare providers who transmit any health information electronically in connection with a HIPAA-covered transaction. The provider category includes hospitals, physicians, dentists, pharmacies, nursing homes, home-health agencies and many others.
- Business Associates — persons or entities that create, receive, maintain or transmit PHI on behalf of a covered entity to perform a function or activity regulated by HIPAA. Examples: cloud-hosting providers holding ePHI, claims-processing vendors, IT MSPs with PHI access, pharmacovigilance vendors, radiopharmaceutical dispensing services, certain MES/QMS vendors when their system holds patient-linked data.
- Subcontractors of Business Associates — flow-down obligations apply via written agreements.
Pure pharma, food, supplement, cosmetic and medical-device manufacturers without patient-identified data rarely meet the test. The boundary becomes real when patient identifiers cross the manufacturer's systems — for example, a radiopharmacy preparing a unit-dose syringe labelled with a named patient on the hospital's order, or a medical-device manufacturer's connected-device cloud that receives patient-identified telemetry.
03 PHI and ePHI: what counts
Protected Health Information (PHI) is individually identifiable health information transmitted or maintained in any form (paper, oral, electronic). ePHI is the electronic subset. "Individually identifiable" is the key qualifier — and the 18 HIPAA identifiers go well beyond name and date of birth:
- Names; geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code; the first three digits of a ZIP may be kept only if that three-digit area contains more than 20,000 people, otherwise it becomes 000); all elements of dates except year that relate directly to an individual (birth, admission, discharge, death), plus any age over 89 or date element that reveals such an age, which must be aggregated into a single "90 or older" category; phone numbers; fax numbers; email addresses; SSN; medical record numbers; health plan beneficiary numbers; account numbers; certificate/licence numbers; vehicle identifiers and serial numbers, including licence plates; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers, including finger and voice prints; full-face photographs and comparable images; and any other unique identifying number, characteristic or code.
De-identification under the Safe Harbor method requires removal of all 18 identifiers and no actual knowledge that the remaining information could be used, alone or in combination, to identify the individual. Under the Expert Determination method, a person with appropriate statistical and scientific expertise must determine, and document, that the risk of re-identification is very small.
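The Safe Harbor rules above, applied to a constructed patient record. This is an added example written for this page, not an HHS tool or the product's own code: the field names, the sample record and the free-text patterns are assumptions for illustration, while the ZIP-prefix and over-89 rules are those of the regulation. It is written default-deny, so a field only survives if a rule explicitly keeps or generalises it.

```python
import re
from datetime import date

# --- Field handling (field names are assumptions for this example) ---
# Default-deny: direct identifiers (name, MRN, SSN, email, IP, device
# serial, photo, ...) and any unknown field are dropped, not passed through.
CLINICAL_FIELDS = {"diagnosis_code", "procedure_code", "sex"}
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}
FREE_TEXT_FIELDS = {"notes"}

# Three-digit ZIP prefixes covering 20,000 or fewer people, from the
# 2000 Census list HHS publishes with its de-identification guidance;
# Safe Harbor requires these to be reported as "000".  It is a Census
# snapshot: re-check it rather than hard-coding it in production.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Identifier shapes that commonly leak into free text.  Illustrative
# patterns; a real pipeline would use a clinical NLP scrubber as well.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]


def generalise_zip(zip_code: str) -> str:
    """Keep the three-digit prefix unless it is on the restricted list."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(as_of: date, dob: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_free_text(text: str) -> str:
    """Replace identifier-looking substrings with a labelled placeholder."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label} REMOVED]", text)
    return text


def safe_harbor(record: dict, as_of: date) -> dict:
    """Apply Safe Harbor to one record; anything not kept or generalised is removed."""
    out = {}
    for key, value in record.items():
        if key == "zip":
            out["zip3"] = generalise_zip(value)
        elif key == "dob":
            age = age_on(as_of, value)
            if age > 89:
                # Ages over 89, and any date element revealing them
                # (birth year included), collapse into one category.
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = value.year  # year alone is permitted
        elif key in DATE_FIELDS:
            out[key[: -len("_date")] + "_year"] = value.year
        elif key in FREE_TEXT_FIELDS:
            out[key] = scrub_free_text(value)
        elif key in CLINICAL_FIELDS:
            out[key] = value
        # every other key (name, mrn, ssn, email, ip_address, ...) is dropped
    return out


# Constructed, fictitious record for demonstration.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0041337",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "ip_address": "203.0.113.7",
    "dob": date(1931, 3, 15),
    "zip": "03601",
    "admission_date": date(2024, 5, 2),
    "diagnosis_code": "I10",
    "sex": "F",
    "notes": "Pt called from 555-867-5309, follow-up 2024-05-20; "
             "spouse email bob@example.org",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, as_of=date(2024, 6, 1)))
```

For the sample record the output keeps only age "90+" (the 1931 birth year is dropped because it reveals an age over 89), ZIP prefix "000" (036 is on the restricted list), the admission year, the clinical codes and a scrubbed note. Note that Safe Harbor's second condition, no actual knowledge that the residual data can identify someone, is a human judgement this code cannot make.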
04 Privacy Rule: uses and disclosures
The Privacy Rule (45 CFR 164 Subparts A + E) limits PHI use and disclosure to:
- Treatment, payment and healthcare operations (TPO) — broad permitted use without authorisation.
- Public-interest activities (public health, law enforcement, judicial proceedings, etc.) — narrowly defined with conditions.
- Patient authorisation — explicit, written, time-bounded, revocable.
- Limited datasets and de-identified data — special handling permitted with data-use agreements where applicable.
The Minimum Necessary standard applies to most uses, disclosures and requests, including those for payment and healthcare operations: only the smallest PHI subset required for the purpose may be used or disclosed. It does not apply to disclosures to, or requests by, a healthcare provider for treatment, to disclosures to the individual, to uses or disclosures made under the individual's authorisation, to disclosures to HHS for compliance purposes, or to uses or disclosures required by law. Patients have rights to access their PHI, request amendments, receive an accounting of disclosures, and request restrictions.
05 Security Rule: administrative, physical, technical safeguards
The Security Rule (45 CFR 164 Subpart C) is specifically about ePHI. It is technology-neutral and risk-based, with required and "addressable" implementation specifications across three safeguard categories. Addressable does not mean optional: the entity must implement the specification if reasonable and appropriate, or document why it is not and implement an equivalent alternative measure where one is reasonable.
- Administrative — security management process, risk analysis, risk management, workforce training, contingency planning, periodic evaluation, BAAs.
- Physical — facility access controls, workstation security, device and media controls (encryption, disposal).
- Technical — access control (unique user ID, emergency access, automatic logoff, encryption + decryption), audit controls, integrity, person/entity authentication, transmission security.
NIST SP 800-66 Rev. 2 (Feb 2024) is the canonical practitioner reference for implementing the Security Rule — it maps each implementation specification to NIST SP 800-53 / Cybersecurity Framework controls so a covered entity can demonstrate alignment with both regimes simultaneously.
06 Breach Notification Rule
Following an unauthorised acquisition, access, use or disclosure of unsecured PHI, the covered entity must notify:
- Affected individuals: without unreasonable delay and in no case later than 60 calendar days from discovery.
- HHS Secretary: for breaches affecting 500 or more individuals, at the same time as individual notice (no later than 60 days from discovery); smaller breaches are logged and reported annually, within 60 days after the end of the calendar year in which they were discovered.
- Prominent media outlets serving the state or jurisdiction: if more than 500 residents of that state or jurisdiction are affected.
- Business Associates must notify the Covered Entity without unreasonable delay (no later than 60 days from the BA's discovery); where the BA acts as the CE's agent, the CE is treated as having discovered the breach when the BA did, so the CE's 60-day clock starts then.
An impermissible use or disclosure is presumed to be a breach unless the covered entity (or BA) documents, through a four-factor risk assessment (the nature and extent of the PHI, the unauthorised person who received it, whether the PHI was actually acquired or viewed, and the extent of mitigation), that there is a low probability the PHI was compromised. Encryption or destruction consistent with the HHS guidance (which points to NIST SP 800-111 for data at rest and NIST SP 800-52, 800-77 and 800-113 for data in transit) renders PHI "secured", and loss of secured PHI is outside the notification requirement. The exemption only holds if the decryption key was not also compromised.
07 Business Associate Agreements (BAAs)
A BAA is the contractual instrument that flows HIPAA obligations from a Covered Entity to a Business Associate (and from Business Associate to subcontractor). 45 CFR 164.504(e) prescribes the required content: permitted uses and disclosures, safeguards, breach reporting, subcontractor flow-down, individual rights support, HHS access, termination and return / destruction of PHI.
08 HIPAA vs 21 CFR Part 11
HIPAA and Part 11 are commonly confused. They are distinct:
- HIPAA — protects patient health information (privacy + security). Enforced by HHS OCR. Applies to covered entities and business associates.
- Part 11 — establishes criteria for electronic records and electronic signatures used to satisfy FDA regulations (e.g. batch records, complaint files, design history files). Enforced by FDA. Applies to FDA-regulated industry.
A single system can be subject to both — for example, a radiopharmacy MES that issues GMP-regulated batch records (Part 11) and holds patient identifiers on the unit-dose label (HIPAA). The control sets overlap (audit trail, access control, encryption) but the legal bases are independent.
09 Common mistakes
- Treating any cloud system as automatically HIPAA-compliant — no system is HIPAA-compliant in isolation; the BAA + the customer's controls + the vendor's controls together compose compliance.
- Skipping de-identification analysis when sharing "anonymised" data — Safe Harbor requires all 18 identifiers removed; Expert Determination requires statistical evidence.
- BAA missing for cloud hosting, IT MSP, third-party support, courier — any vendor with PHI access needs one.
- Encryption assumed but not implemented to HHS-recognised standards: only encryption consistent with the HHS guidance, with the decryption key held separately and not itself compromised, makes PHI "secured"; anything else leaves it "unsecured" and within the Breach Notification Rule.
- Workforce training not refreshed annually.
- Breach risk-assessment shortcut to "low risk of compromise" without documented analysis.
- Failure to separate Part 11 audit-trail expectations from HIPAA access-log expectations — both required, different content.
10 How V5 Ultimate handles HIPAA
Frequently asked questions
Q. Is my pharma manufacturing site subject to HIPAA?
If patient-identified data does not cross your systems, no. The moment a workflow handles patient identifiers (radiopharmacy unit-dose labelling, connected-device telemetry, pharmacovigilance case data with identifiers), HIPAA applies and a BAA is usually needed.
Q. Is HIPAA the same as Part 11?
No — HIPAA protects patient health information; Part 11 governs FDA-regulated electronic records and signatures. Both can apply to the same system, with overlapping but distinct controls.
Q. Does encryption avoid breach notification?
Yes — PHI encrypted to HHS-recognised standards is "secured" and outside the Breach Notification Rule scope. Encryption to other standards or with poor key management does not qualify.
Q. Are cloud providers HIPAA-compliant?
Cloud providers can sign BAAs and provide HIPAA-eligible services, but no provider is HIPAA-compliant in isolation. Compliance depends on the BAA + provider controls + customer-side configuration + workforce training together.
Q. What's the penalty for a HIPAA violation?
Civil penalties are tiered by culpability, from USD 100 to USD 50,000 per violation at the statutory base amounts, with an annual cap of USD 1.5 million per identical provision; both figures are inflation-adjusted each year, so current amounts are higher. Knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA is a separate criminal offence (42 U.S.C. 1320d-6), prosecuted by the Department of Justice, with higher penalties where false pretences or intent to sell, or to cause harm, are involved.
Primary sources
- 45 CFR Part 160 — General Administrative Requirements
- 45 CFR Part 162 — Administrative Requirements
- 45 CFR Part 164 — Security and Privacy
- HHS OCR — HIPAA for Professionals
- HITECH Act (Title XIII, ARRA 2009) — breach notification, BA direct liability
- NIST SP 800-66 Rev. 2 (2024) — Implementing the HIPAA Security Rule
