HIPAA
US federal law governing protected health information — the Security Rule explicitly mandates a security awareness and training program for the workforce.
HIPAA — the Health Insurance Portability and Accountability Act of 1996 — is the US federal law that governs Protected Health Information (PHI). It is enforced by the HHS Office for Civil Rights (OCR) under the Department of Health and Human Services. For security buyers, the operative parts are the Privacy Rule (45 CFR Part 164 Subpart E) and especially the Security Rule (45 CFR Part 164 Subpart C), which sets administrative, physical, and technical safeguards for electronic PHI.
HIPAA applies to two categories of organizations:
- Covered entities — health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically.
- Business associates — any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. SaaS vendors selling to US HealthTech almost always sign a Business Associate Agreement (BAA) and are themselves directly liable under HIPAA.
Where awareness matters:
- §164.308(a)(5) — Security Awareness and Training is one of the four required administrative safeguards. It mandates a “security awareness and training program for all members of the workforce, including management.”
- The implementation specifications include security reminders, protection from malicious software, log-in monitoring, and password management — written in 1996, but easily read in 2026 as a description of contextual nudges and behavior monitoring.
- Breach Notification Rule (45 CFR §§164.400-414) sets a 60-day clock for notifying affected individuals and HHS after a breach of unsecured PHI — a clock that often gets triggered by exactly the behaviors awareness programs are meant to prevent.
Distinct from HDS, HIPAA is a US federal statute, not a certification — there is no “HIPAA-certified” stamp from HHS. Compliance is demonstrated through documentation: risk analysis, policies, training records, and increasingly behavioral evidence of how the workforce actually handles PHI day to day.
Related terms
- SOC 2: AICPA attestation framework based on five Trust Services Criteria; the de facto B2B SaaS sales gate for North American buyers.
- ISO/IEC 27001: International standard for an Information Security Management System (ISMS); the closest thing to a global certification mark for security.
- HDS (Hébergeur de Données de Santé): French certification, granted by ANS, that any organization hosting personal health data on behalf of a French controller must hold.
- PCI-DSS: Payment-card data security standard maintained by the PCI Security Standards Council; Requirement 12.6 explicitly mandates a formal security awareness program.
- Behavioral evidence: The audit artifact showing that a risky behavior was detected, the employee was nudged, and the behavior was corrected; increasingly demanded over training completion certificates.