If your business touches patient health information in any way, HIPAA is the law that governs how you handle, store, and share it — and the penalties for getting it wrong are steep.
Filed under the NerdSquad IT Dictionary — your plain-English guide to the acronyms, frameworks, and jargon that run modern IT.
HIPAA has been around since 1996, which in tech years makes it practically ancient. But don't let the age fool you — it's still the dominant privacy law in U.S. healthcare, it gets updated regularly, and regulators take enforcement seriously. If you work in healthcare (or work with healthcare organizations), understanding what HIPAA actually requires is non-negotiable.
Health Insurance Portability and Accountability Act.
The "portability" part originally referred to health insurance coverage — making it easier for people to keep insurance between jobs. The "accountability" part is where the IT world lives: rules around how health information is protected, who can access it, and what happens when it's breached.
Most IT conversations about HIPAA are really about the accountability provisions — specifically the Privacy Rule and Security Rule.
Imagine every piece of health information as a piece of certified mail. HIPAA is the postal rulebook that dictates who's allowed to open it, how it has to be sealed, who's responsible if it gets lost, and what happens if it ends up in the wrong hands.
The law doesn't just apply to doctors and hospitals. It applies to anyone who handles that mail on their behalf — which includes IT companies, billing services, cloud storage vendors, and more.
HIPAA is a big law with a lot of moving parts. For IT purposes, two rules do most of the heavy lifting:
The Privacy Rule defines what counts as protected health information (PHI) and who's allowed to use or disclose it. Think of it as the "who can see this" rule. PHI includes names, dates, addresses, Social Security numbers, and any other information that could be used to identify a patient — when it's combined with health data.
The Security Rule sets the technical, physical, and administrative safeguards required to protect electronic PHI (ePHI). This is where IT lives. Encryption, access controls, audit logs, backup and recovery, device management, workforce training — all of that flows from the Security Rule.
There's also the Breach Notification Rule, which specifies what you have to do when something goes wrong: who to notify, how fast, and what to document.
HIPAA uses two main categories:
Covered Entities are the primary targets of the law — healthcare providers (doctors, dentists, hospitals, clinics), health plans, and healthcare clearinghouses. If you bill insurance or transmit health data electronically, you're almost certainly a covered entity.
Business Associates are the vendors and service providers that handle PHI on a covered entity's behalf. This is where IT companies, cloud storage providers, billing platforms, and MSPs come in. If an MSP manages infrastructure that touches ePHI — even indirectly — they're a business associate and HIPAA applies to them too.
Business associates are required to sign a Business Associate Agreement (BAA) with their covered entity clients. The BAA is a legal contract that lays out each party's responsibilities for protecting PHI. No BAA = a HIPAA violation before anything even goes wrong.
The Security Rule breaks safeguards into three buckets:
Administrative safeguards — policies, training, risk assessments, designated security officers, access management procedures. The paperwork layer, but it's legally required.
Physical safeguards — controlling who can physically access systems that hold ePHI. Locked server rooms, workstation policies, device disposal procedures.
Technical safeguards — the stuff most IT teams focus on: encryption, unique user IDs and access controls, automatic logoff, audit logs, and integrity controls to detect unauthorized data alterations.
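Of the technical safeguards listed above, audit logs and integrity controls are the ones an IT team usually has to build rather than buy. As an added example (not from the original article), here is a minimal hash-chained audit log for ePHI access events in Python: each entry's HMAC commits to the previous entry, so altering or deleting a logged record is detected on verification. The key, user names and record identifiers are constructed for the example.

```python
import hmac
import hashlib
import json
from typing import Dict, List, Tuple

# Assumed key for this example; in practice it lives in a key-management service,
# not beside the log it protects.
AUDIT_KEY = b"example-audit-key-do-not-reuse"

def _entry_mac(key: bytes, prev_mac: str, event: Dict) -> str:
    """MAC over the previous link plus the canonicalised event, so each entry
    commits to everything logged before it."""
    payload = prev_mac.encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_event(log: List[Dict], key: bytes, event: Dict) -> Dict:
    """Append one access event (who, which record, what action, when) to the chain."""
    prev_mac = log[-1]["mac"] if log else "0" * 64
    entry = {"event": dict(event), "mac": _entry_mac(key, prev_mac, event)}
    log.append(entry)
    return entry

def verify_log(log: List[Dict], key: bytes) -> Tuple[bool, int]:
    """Recompute the chain; return (ok, index of first bad entry or -1)."""
    prev_mac = "0" * 64
    for i, entry in enumerate(log):
        expected = _entry_mac(key, prev_mac, entry["event"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    return True, -1

# Constructed sample events; no real patient data.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00Z", "user": "rn_jdoe", "record": "MRN-0001", "action": "view"},
    {"ts": "2024-03-01T09:05:00Z", "user": "rn_jdoe", "record": "MRN-0001", "action": "update"},
    {"ts": "2024-03-01T09:10:00Z", "user": "billing_svc", "record": "MRN-0002", "action": "export"},
]

def build_sample_log() -> List[Dict]:
    log: List[Dict] = []
    for ev in SAMPLE_EVENTS:
        append_event(log, AUDIT_KEY, ev)
    return log

def demo_tamper_detected() -> Tuple[bool, int]:
    """Quietly change who performed the second action; verification must flag index 1."""
    log = build_sample_log()
    log[1]["event"]["user"] = "someone_else"
    return verify_log(log, AUDIT_KEY)
```

The chain alone does not catch truncation of the newest entries; periodically anchoring the latest MAC in write-once storage (the same immutable storage discussed under retention) closes that gap.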
HIPAA doesn't prescribe specific technologies — it defines the outcomes you have to achieve. That gives organizations flexibility, but it also means you can't just buy a product and declare yourself compliant. Implementation and documentation both count.
Here's one that trips people up: there is no such thing as "HIPAA certified."
No government agency, no private certification body, and no vendor can make you HIPAA certified. HIPAA compliance isn't a badge you earn once and keep — it's an ongoing operational posture. Auditors verify compliance. OCR (the Office for Civil Rights at HHS) investigates and enforces violations. But there's no certification exam, no annual cert renewal, and no seal of approval.
Any vendor claiming to be "HIPAA certified" is either confused or marketing creatively. The right phrase is "HIPAA compliant" — and even that's only meaningful if you can show your work.
The Office for Civil Rights (OCR) handles HIPAA enforcement, and they have real teeth. Penalties are tiered by culpability:
Criminal penalties apply in egregious cases. And that's before state attorneys general get involved — Florida has its own data breach notification law that runs alongside HIPAA.
Breach notification requirements kick in within 60 days of discovery for breaches affecting 500 or more individuals in a state. Smaller breaches still require annual reporting to HHS.
An MSP working with a healthcare client isn't just an IT vendor — they're a business associate with legal obligations. That means:
HIPAA also has specific guidance on data retention. The minimum for HIPAA records is 6 years from the date of creation or last effective date — a number that gets confused with the commonly cited 7-year Florida medical records retention rule (which is a separate state requirement). Both may apply depending on the record type.
For IT purposes, this means backup and archival systems have to account for long retention windows, and data can't just be deleted when it's inconvenient. Immutable storage (sometimes called WORM storage, for "write once, read many") is often part of a compliant backup strategy precisely because it prevents tampering with retained records.
HIPAA doesn't exist in a vacuum. It overlaps with and informs a number of other frameworks:
For healthcare organizations handling payment information, PCI-DSS may also apply if they process credit cards — meaning multiple frameworks run simultaneously.
HIPAA is one of those compliance frameworks that sounds straightforward until you're actually implementing it — then the edge cases multiply fast. Whether you're a practice owner trying to understand your obligations or a vendor figuring out whether a BAA applies to you, the specifics matter.