HIPAA

Health Insurance Portability and Accountability Act

The cornerstone of U.S. healthcare data protection. HIPAA establishes national standards to protect sensitive patient health information (PHI).

HHS.gov — HIPAA
Max Penalty: $1.9M per violation category per year
Manual Implementation: 3 to 5 months for full HIPAA compliance implementation
With VertiComply: Minutes (encryption, audit logging, RBAC, and BAA support generated automatically)

HIPAA became law in 1996 and remains the most important regulation for any software that touches patient data in the United States. It applies to covered entities (hospitals, clinics, insurance companies) and their business associates (any vendor that handles PHI). The law has three key rules: the Privacy Rule governs how PHI can be used and disclosed, the Security Rule mandates technical safeguards for electronic PHI, and the Breach Notification Rule requires timely reporting when PHI is compromised. Since the January 2025 update, encryption and multi-factor authentication are mandatory with no exceptions.

What It Covers

Privacy Rule — controls on use and disclosure of Protected Health Information

Security Rule — administrative, physical, and technical safeguards for ePHI

Breach Notification Rule — notify individuals within 60 days, HHS within 72 hours for large breaches

Enforcement Rule — compliance investigations and civil monetary penalties

Omnibus Rule — extended requirements to business associates and subcontractors

Penalties & Enforcement

Tier 1 — Did not know: $100 to $50,000 per violation (max $25,000/year)

Tier 2 — Reasonable cause: $1,000 to $50,000 per violation (max $100,000/year)

Tier 3 — Willful neglect, corrected: $10,000 to $50,000 per violation (max $250,000/year)

Tier 4 — Willful neglect, not corrected: $50,000 per violation (max $1,900,000/year)

Criminal penalties: up to $250,000 fine and 10 years imprisonment for intentional violations

Over $137 million in penalties collected since enforcement began

Real Enforcement Examples

Anthem Inc. (2018): $16M settlement. Largest HIPAA settlement ever, for a data breach affecting 78.8 million individuals due to failed access controls.

Premera Blue Cross (2020): $6.85M settlement. Breach exposed 10.4 million records; inadequate risk analysis and insufficient hardware/software controls.

North Memorial Health (2016): $1.55M settlement. Failed to have a BAA with a business associate that had access to the ePHI of 289,904 individuals.

How VertiComply Helps

AES-256 encryption at rest and TLS 1.2+ in transit for all data

Role-based access controls following the principle of least privilege

Comprehensive audit logging with 6-year retention (45 CFR 164.312)

Automatic Business Associate Agreement (BAA) support

PHI field-level encryption with EncryptedString column types

Session management with 15-minute auto-logoff

Password policy enforcement (complexity, expiry, lockout)

Breach detection monitoring and failed login alerting

Frequently Asked Questions

Who needs to comply with HIPAA?

Any organization that handles Protected Health Information (PHI) in the US — hospitals, clinics, insurance companies (covered entities) and their vendors (business associates). If your app stores, transmits, or processes PHI, HIPAA applies.

What is PHI under HIPAA?

PHI includes 18 specific identifiers (names, dates, phone numbers, email addresses, SSN, device IDs, etc.) when they appear alongside health information. When in doubt, treat it as PHI.

Is HIPAA compliance mandatory?

Yes. HIPAA is federal law. Non-compliance results in fines up to $1.9M per violation category per year, plus criminal penalties for intentional violations.

Do I need a BAA for cloud providers?

Yes. AWS, Google Cloud, and Azure all offer BAAs for HIPAA-eligible services. You must sign the BAA before storing PHI on their infrastructure.

Can I build a HIPAA-compliant app without code?

Yes — on healthcare-specific platforms. VertiComply generates code with encryption, audit logging, RBAC, and BAA support built in automatically.

Build HIPAA-compliant from day one

VertiComply generates production-ready code with HIPAA safeguards built in automatically.

Quick Facts

Region: United States
Category: Healthcare
Max Penalty: $1.9M per
Manual Timeline: 3 to 5 months
With VertiComply: Minutes

Free HIPAA Checker

Answer a few questions to assess your HIPAA compliance readiness.