Overview
The Health Insurance Portability and Accountability Act (HIPAA) sets security standards for protecting personal health information in the United States. Its goal is to ensure that protected health information (PHI) is not shared unless the patient has given consent, and it mandates that any entity interacting with PHI enact security measures that ensure HIPAA compliance.

Protected information includes the patient’s:
- Physical or mental health conditions and related care or treatment. This covers lab reports, medical records, billing information, etc.
- Personally identifiable information (PII) such as name, birth date, social security number, etc.
HIPAA does NOT cover data that cannot identify an individual. For example, aggregated data that does not include any PII does not fall under this law.
Organizations that MUST follow HIPAA requirements:
- Healthcare providers
- Health insurers (except for group plans with fewer than 50 participants administered solely by the employer)
- Healthcare clearinghouses
Organizations that are generally, but not always, exempt from HIPAA laws:
- Workers compensation program
- Life insurance companies
- Law enforcement agencies
- Employers
- Certain state agencies (e.g., child protective services)
- Municipal offices
Exceptions
Under HIPAA, PHI may be used or disclosed by a covered entity under the following circumstances:
- When a patient consents to the disclosure
- For healthcare operations such as treatment and billing
- When disclosure is in the public interest. Some examples include threats to public health, domestic violence, judicial proceedings, law enforcement, identification of the deceased, organ donation, workers compensation, and essential government functions
- When the person sharing the information is a private citizen with no connection to a covered entity as a staff member or patient. Any private citizen may share their own health information at their discretion
Violations and Penalties
Common sources of HIPAA violations include:
- Stolen devices (laptop, phone, USB, etc.)
- Malware, ransomware, and hacking
- Breach of electronic health records
- Office break-in
- Accidentally sharing PHI with the wrong patient
- Social media posts
HIPAA penalties are levied by the Office for Civil Rights of the U.S. Department of Health and Human Services. Fines are as follows:
- Unintentionally violating HIPAA: $100 fine per violation; annual maximum of $25,000 for recurring violations
- Violations that are not deemed willful neglect: $1,000 per violation; annual maximum of $100,000 for recurring violations
- Willful neglect of the law, if corrected within a given time: $10,000 per violation; annual maximum of $250,000 for recurring violations
Implementing a HIPAA Compliance Program

Effective HIPAA compliance programs share many components with procedures that address other cybersecurity laws and threats, and typically:
- Enact policies and procedures for following HIPAA rules
- Implement thorough staff training on HIPAA laws and organizational practices for compliance
- Limit access to PHI to employees who need information to do their job
- Regularly review HIPAA updates
- Designate a HIPAA compliance officer and a compliance committee
- Perform annual self-audits
- Draw up remediation plans to address gaps in compliance
- Document all efforts aimed at HIPAA compliance
- Ensure that organizations with which PHI is shared are also HIPAA compliant
- Implement policies and procedures for notifying patients if PHI has been compromised
- Follow standard cybersecurity procedures, including issuing only one unique ID per user, not sharing logins, using two-factor authentication, employing strong passwords that are changed regularly, etc.
Summary
HIPAA compliance is necessary to conform to the law, avoid penalties and bad press, and assure clients that their sensitive, personal health information will remain confidential. If your organization is responsible for PHI and is required to follow HIPAA mandates, ensure a robust compliance program and a workplace culture that values and prioritizes an individual’s right to privacy of their personal health information.
For companies handling digital information, a Trust Center is essential in helping your customers understand how you are keeping their data private and secure.
You may contact one of our trust center experts to find out how to get started with a reliable trust center.
Please email us at success@trustcenter.io to schedule a no-pressure, free consultation.