54 Controls

HIPAA

Health Insurance Portability and Accountability Act

HIPAA establishes US national standards to protect medical records and personal health information. It applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates.

Ideal For

Healthcare Providers, Health Plans, Business Associates, Health Tech

What is HIPAA?

HIPAA applies to covered entities (healthcare providers who transmit health information electronically in connection with standard transactions, health plans, and healthcare clearinghouses) and to business associates that create, receive, maintain, or transmit Protected Health Information (PHI) on their behalf. Since the HITECH Act, business associates are directly liable for Security Rule compliance, not only through their contracts. In practice this covers hospitals, clinics, insurers, pharmacies, and technology companies handling health data.

Key Requirements

Core areas of HIPAA that organisations must address.

Implement administrative, physical, and technical safeguards
Conduct and document a security risk analysis, and review it regularly
Ensure confidentiality, integrity, and availability of ePHI (PHI in electronic form)
Implement access controls (unique user identification, emergency access, automatic logoff, encryption) and audit controls that record activity on systems containing ePHI
Maintain Business Associate Agreements (BAAs) with every vendor that handles PHI
Establish breach notification procedures (affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; HHS and, for larger breaches, the media must also be notified)

How GRCTrack Supports HIPAA

Privacy and Security Rule coverage
PHI handling requirements
BAA templates
Breach notification procedures
Risk analysis methodology
Workforce training documentation

Avoid Penalties

Civil penalties are tiered by culpability; the annual cap for all violations of an identical provision was set at $1.5M by the HITECH Act and is adjusted for inflation each year.

Patient Trust

Demonstrate commitment to patient privacy.

Clear Requirements

Plain-language guidance for all requirements.

Ready to Simplify HIPAA Compliance?

Join hundreds of organisations using GRCTrack to manage compliance.