In February 2024, OCR settled with a Louisiana medical group for $480,000 after a phishing attack exposed the protected health information of over 34,000 patients. The investigation revealed failures not in intent, but in basic safeguards — inadequate risk analysis, missing policies, and a workforce that didn't understand what they were protecting or why. It's a scenario I see repeatedly in my work with covered entities, and it always starts with the same gap: organizations don't fully grasp what HIPAA laws protect and how far those protections actually reach.
What Do HIPAA Laws Protect — And Why It's Broader Than You Think
At its core, HIPAA protects protected health information (PHI) — any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associates. But PHI is far more expansive than most people realize.
PHI includes obvious data points like medical records, diagnoses, treatment plans, and lab results. It also encompasses less obvious identifiers: Social Security numbers, email addresses, dates of birth, health plan beneficiary numbers, full-face photographs, and even IP addresses when linked to health information. Under 45 CFR §160.103, there are 18 specific identifiers that, when combined with health data, create PHI.
The critical point your workforce needs to understand: PHI exists in every format — paper charts in a filing cabinet, electronic records in your EHR, verbal conversations at the nurses' station, and faxes sitting in a shared tray. HIPAA's protections follow the information, not the medium.
The Three Rules That Create HIPAA's Protective Framework
HIPAA's protections aren't housed in a single regulation. They're distributed across three interlocking rules, each addressing a different dimension of how patient information must be safeguarded.
The Privacy Rule (45 CFR Part 164, Subpart E)
The Privacy Rule establishes who can access PHI and under what circumstances. It requires every covered entity to implement a Notice of Privacy Practices, informing patients of their rights and how their information will be used. It also enshrines the minimum necessary standard — the requirement that your organization limit PHI access, use, and disclosure to only the amount needed to accomplish the intended purpose.
Patients gain specific rights under this rule: the right to access their records, request amendments, receive an accounting of disclosures, and request restrictions on certain uses. These aren't suggestions — they're enforceable obligations.
The Security Rule (45 CFR Part 164, Subpart C)
The Security Rule specifically protects electronic protected health information (ePHI). It mandates administrative, physical, and technical safeguards — including access controls, audit logs, encryption mechanisms, and facility access procedures. Most importantly, it requires a thorough and documented risk analysis, which OCR has cited as the single most common deficiency in enforcement actions.
The Breach Notification Rule (45 CFR Part 164, Subpart D)
When protections fail, this rule dictates what happens next. Covered entities must notify affected individuals within 60 days of discovering a breach. Breaches affecting 500 or more individuals require notification to OCR and prominent media outlets in the affected state. Since 2009, OCR's breach portal has logged over 5,800 large breaches — each one a public record.
Who Bears the Obligation to Protect PHI
HIPAA's protections don't enforce themselves. The law places direct compliance obligations on two categories of organizations:
- Covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with HIPAA-standard transactions.
- Business associates: any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Think billing companies, cloud storage vendors, IT contractors, and shredding services.
The 2013 Omnibus Rule made business associates directly liable for HIPAA violations — a shift many organizations still haven't fully absorbed. If your organization shares PHI with a vendor and lacks a compliant Business Associate Agreement, you're both exposed.
The Workforce Training Requirement Most Organizations Underestimate
Section 164.530(b) of the Privacy Rule requires that every member of your workforce receive training on your organization's HIPAA policies and procedures. This includes employees, volunteers, trainees, and anyone under your organization's direct control — not just clinical staff.
OCR enforcement actions consistently reveal that untrained workforces are the root cause of preventable HIPAA violations. Phishing attacks succeed because staff don't recognize them. Impermissible disclosures happen because employees don't understand the minimum necessary standard. Snooping in medical records occurs because workforce members don't grasp the consequences.
Investing in structured HIPAA training and certification is not a checkbox exercise — it's the most cost-effective risk mitigation strategy available to your covered entity. Training must be documented, role-appropriate, and updated whenever regulations or organizational policies change.
Where Organizations Fail: Common Protection Gaps
In my years of working with healthcare organizations, I see the same protection failures surface repeatedly:
- Incomplete risk analysis: Organizations either skip it entirely or treat it as a one-time project rather than an ongoing requirement.
- Verbal disclosures: Staff discussing patient cases in elevators, cafeterias, or shared workspaces without applying the minimum necessary standard.
- Unsecured devices: Laptops, USB drives, and mobile phones containing ePHI without encryption — the cause of dozens of major breach settlements.
- Missing Business Associate Agreements: PHI flowing to vendors with no contractual safeguards in place.
- Outdated Notice of Privacy Practices: Patients receiving notices that don't reflect current uses of their information, including patient portal access and telehealth.
Build a Culture That Actually Protects Patient Information
Understanding what HIPAA laws protect is the foundation — but knowledge without action is a liability. OCR's enforcement record proves that penalties scale with negligence. Tier 1 penalties for violations where the entity was unaware start at $137 per violation, while Tier 4 penalties for willful neglect reach up to $2,067,813 per violation (as adjusted for inflation).
Your organization's compliance posture starts with leadership commitment, flows through documented policies and a current risk analysis, and is sustained by ongoing workforce education. Platforms like HIPAA Certify exist specifically to help healthcare organizations build and maintain that compliance infrastructure — from initial workforce training through annual refreshers and policy documentation.
PHI protection isn't a single action. It's an organizational discipline. And the organizations that treat it that way are the ones that stay off OCR's breach portal.