Glossary

HIPAA

HIPAA (Health Insurance Portability and Accountability Act) establishes standards for protecting sensitive patient health information in the United States.

Definition

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that establishes national standards for the protection of sensitive patient health information (PHI). The HIPAA Security Rule specifically addresses technical and administrative safeguards for electronic PHI (ePHI).

Context

Healthcare organizations and their business associates must comply with HIPAA when handling protected health information. Security questionnaires in the healthcare industry frequently include HIPAA-specific questions about PHI handling, encryption, access controls, audit logging, breach notification procedures, and Business Associate Agreement (BAA) requirements. Vendors serving healthcare buyers need to demonstrate HIPAA compliance through questionnaire responses and compliance documentation.

Why it matters

The Health Insurance Portability and Accountability Act establishes national standards for protecting individually identifiable health information in the United States. The Security Rule requires administrative, physical, and technical safeguards for electronic protected health information, while the Privacy Rule governs permissible uses and disclosures. Covered entities and their business associates must implement controls including access management, audit logging, encryption, and workforce training proportionate to their risk environment as determined by a documented risk analysis.

A critical and frequently misunderstood aspect of HIPAA is that there is no formal certification or seal of compliance. Unlike SOC 2 or ISO 27001, no accredited body issues a HIPAA certificate. Organizations claiming to be HIPAA certified are either misrepresenting their status or referring to internal self-assessments. During vendor security reviews, buyers evaluating healthcare vendors should request evidence of a current risk analysis, breach notification procedures, business associate agreements, and specific technical controls rather than relying on unverifiable compliance claims.

Enforcement has intensified significantly, with the HHS Office for Civil Rights imposing penalties ranging from thousands to millions of dollars per violation category. The most common enforcement triggers are failure to conduct a comprehensive risk analysis, insufficient access controls, and delayed breach notification beyond the sixty-day reporting window. Organizations handling ePHI in cloud environments must ensure their infrastructure providers execute Business Associate Agreements and that encryption covers data both at rest and in transit across all systems processing health information.

Related terms

SOC 2Compliance PackSecurity QuestionnaireVendor Risk AssessmentPCI DSSBusiness Associate Agreement (BAA)

Learn more

Security Questionnaire SoftwareCompliance Pack Automation

Automate your security questionnaire workflow

VeriRFP uses evidence-backed AI to draft security questionnaire responses with deterministic citations from your approved documentation.
Try VeriRFP freeQuestionnaire automationBack to glossary

Privacy controls

We use essential cookies for sign-in and service operations. With your permission we also load analytics to understand how teams use the product. Analytics stay off until you accept. See our Privacy Policy.