In January 2024, OCR settled with a New England dermatology practice for $300,000 after a breach exposed the electronic protected health information of nearly 60,000 patients. The root cause wasn't a sophisticated cyberattack — it was a stolen, unencrypted thumb drive and a workforce that didn't understand what HIPAA laws protect or how to safeguard that information. This kind of enforcement action is preventable, but only when your organization takes a granular approach to compliance.
Exactly What HIPAA Laws Protect — Beyond the Basics
Most healthcare professionals know HIPAA has something to do with patient privacy. Far fewer can articulate the specific categories of information the law actually covers. Under the Privacy Rule (45 CFR §164.500–534), HIPAA laws protect individually identifiable health information — referred to as protected health information, or PHI — held or transmitted by a covered entity or its business associates.
PHI includes 18 specific identifiers defined under 45 CFR §164.514. These range from the obvious — names, Social Security numbers, medical record numbers — to the less intuitive, such as device identifiers, biometric data, and even full-face photographs. If a data element can identify a patient and relates to their health condition, treatment, or payment for care, it's PHI.
Electronic protected health information, or ePHI, receives additional safeguards under the Security Rule (45 CFR §164.302–318). Your organization must implement administrative, physical, and technical safeguards to protect ePHI at rest and in transit. That means encryption standards, access controls, audit logs, and contingency planning — not just a firewall and a hope.
The Three Pillars: Privacy, Security, and Breach Notification
Understanding what HIPAA laws protect requires understanding how the three major rules work together. The Privacy Rule governs who can access and disclose PHI and under what conditions. It establishes the minimum necessary standard, which requires your workforce to access only the PHI needed to perform a specific job function — no more.
The Security Rule addresses the technical and organizational mechanisms that keep ePHI safe. Every covered entity and business associate must conduct a thorough risk analysis — not a checkbox exercise, but a genuine assessment of threats, vulnerabilities, and the likelihood of exploitation. OCR has cited inadequate risk analysis as a contributing factor in the majority of its enforcement actions.
The Breach Notification Rule (45 CFR §§164.400–414) dictates what happens when protections fail. If an impermissible use or disclosure of PHI compromises its security or privacy, your organization must notify affected individuals, HHS, and in some cases the media — within 60 days of discovery. Delays trigger penalties.
Who Is Responsible: Covered Entities and Business Associates
Since the Omnibus Rule took effect in 2013, HIPAA obligations extend well beyond hospitals and physician practices. Any business associate — a billing company, IT vendor, cloud hosting provider, or shredding service — that creates, receives, maintains, or transmits PHI on behalf of a covered entity is directly liable under HIPAA.
In my work with covered entities, I see the same gap repeatedly: organizations assume their business associate agreements (BAAs) transfer all risk. They don't. A BAA is a legal requirement under 45 CFR §164.502(e), but it doesn't absolve you from conducting due diligence on your vendors' security practices. OCR has penalized covered entities for failures in vendor oversight.
The Workforce Training Requirement Most Organizations Underestimate
The Privacy Rule at 45 CFR §164.530(b) requires that every member of your workforce receive training on your HIPAA policies and procedures. This isn't a one-time orientation slide deck. Training must be provided to new workforce members within a reasonable period and must be updated whenever material changes in policy occur.
OCR enforcement data shows that human error — misdirected emails, improper disposal, verbal disclosures — drives a significant portion of reported breaches. Effective, role-specific HIPAA training and certification directly reduces this risk by teaching your staff what HIPAA laws protect and how their daily actions either uphold or violate those protections.
Generic annual training modules don't cut it. Front-desk staff need to understand the Notice of Privacy Practices and patient rights. IT personnel need to understand encryption and access control requirements. Billing teams need to grasp the minimum necessary standard as it applies to claims processing.
Five Practical Steps to Strengthen What HIPAA Laws Protect in Your Organization
- Conduct an annual risk analysis. Identify every system that touches ePHI, assess vulnerabilities, and document remediation plans. This is the single most important compliance activity under the Security Rule.
- Audit your business associate agreements. Confirm that every vendor with PHI access has a current, Omnibus-compliant BAA. Follow up with security questionnaires.
- Implement role-based access controls. Apply the minimum necessary standard by restricting EHR permissions to what each role actually requires.
- Encrypt ePHI everywhere: on laptops, mobile devices, portable media, and in email. Encryption is an addressable specification under the Security Rule, but failing to implement it — without a documented alternative — is a red flag for OCR.
- Invest in ongoing workforce training. Move beyond annual check-the-box exercises. A robust workforce HIPAA compliance program delivers measurable reductions in human-error breaches and builds a culture of accountability.
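The role-based access step above is easiest to see in code. The following is an added illustration, not part of the original article or any product it describes: a deny-by-default filter that releases only the PHI fields a given workforce role needs (the minimum necessary standard) and writes an audit entry for every access. The role names, field names and the sample patient record are constructed for this example.

```python
# Added example (not from the article): field-level "minimum necessary" filtering
# of a patient record by workforce role, with an audit log entry per access.
# Role names, field names and the sample record are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which PHI fields each role needs to do its job. Anything not listed is withheld,
# so a field no role needs (here, the SSN) is never released to anyone.
ROLE_PERMISSIONS = {
    "front_desk": {"name", "dob", "phone", "appointment"},
    "billing": {"name", "mrn", "insurance_id", "procedure_codes"},
    "clinician": {"name", "dob", "mrn", "diagnosis", "procedure_codes", "medications"},
}

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "dob": "1980-01-01", "phone": "555-0100",
    "mrn": "MRN-000123", "ssn": "000-00-0000", "insurance_id": "INS-9999",
    "appointment": "2024-03-01T09:00", "diagnosis": "L40.0",
    "procedure_codes": ["99213"], "medications": ["example-drug"],
}

@dataclass
class AuditLog:
    """Append-only list of access events; the Security Rule expects such logs."""
    entries: list = field(default_factory=list)

    def record(self, user, role, mrn, released, withheld):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "mrn": mrn,
            "released": sorted(released), "withheld": sorted(withheld),
        })

def minimum_necessary_view(record, user, role, audit):
    """Return only the fields the role is permitted to see and log the access.
    Unknown roles get nothing (deny by default); the denial is still logged."""
    allowed = ROLE_PERMISSIONS.get(role, set())
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = set(record) - set(released)
    audit.record(user, role, record.get("mrn", "<unknown>"), released, withheld)
    return released

if __name__ == "__main__":
    log = AuditLog()
    view = minimum_necessary_view(SAMPLE_RECORD, "alice", "front_desk", log)
    print(view)                        # no SSN, diagnosis or medications
    print(log.entries[-1]["withheld"])  # what was withheld, for the audit trail
```

The same pattern applies at the EHR permission layer: the point is that the withheld set is decided by role, not by the individual user, and that every decision leaves a record an auditor can review.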
OCR Is Watching — And Penalties Are Escalating
OCR collected over $4.1 million in HIPAA penalties in 2023 alone, and the agency's enforcement strategy increasingly targets small and mid-size practices — not just large health systems. The HIPAA violation penalty tiers under the HITECH Act range from $137 to over $2 million per violation category per year, adjusted for inflation.
State attorneys general also have enforcement authority under HITECH, creating a second layer of accountability. Several states have pursued actions independently of OCR, making the compliance landscape even more demanding for organizations operating across state lines.
The Bottom Line for Your Organization
What HIPAA laws protect is sweeping: every piece of identifiable patient information your organization touches, from paper charts to cloud-hosted databases. The regulatory framework is detailed, and OCR's enforcement posture leaves little room for ignorance as a defense. Your compliance program must be specific, documented, and continuously maintained — because the cost of getting it wrong is measured in dollars, reputational damage, and patient trust.