What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is the U.S. federal law governing the protection of Protected Health Information (PHI). It applies to Covered Entities (healthcare providers, health plans, healthcare clearinghouses) and their Business Associates — vendors and subcontractors that create, receive, maintain, or transmit PHI on behalf of Covered Entities.
HIPAA's core requirements are organised into three rules: the Privacy Rule (2003) governing the use and disclosure of PHI; the Security Rule (2005) requiring administrative, physical, and technical safeguards for electronic PHI (ePHI); and the Breach Notification Rule (HITECH Act 2009, expanded by the Omnibus Rule 2013) requiring notification to affected individuals, HHS, and in some cases the media following a breach of unsecured PHI.
For Qatar-based organisations, HIPAA is most relevant when providing services to U.S. healthcare clients, operating in the healthtech / digital health space with U.S. customers, or processing PHI as part of medical tourism operations. Compliance requires Business Associate Agreements (BAAs) with all Covered Entity clients and Subcontractor BAAs with any vendors that handle PHI on your behalf.
Who must comply with HIPAA?
- U.S. healthcare providers, health plans, and healthcare clearinghouses (Covered Entities)
- Business Associates — vendors and subcontractors handling PHI on behalf of Covered Entities
- Cloud service providers, SaaS vendors, and managed service providers serving U.S. healthcare
- Qatar-based healthtech companies with U.S. customers or partnerships
- Medical tourism operators handling U.S.-resident patient health information
HIPAA structure at a glance
The HIPAA framework is organised into the following control areas. Vantage GRC pre-maps each one so evidence collected once contributes to your compliance picture across overlapping frameworks.
- Privacy Rule
- Security Rule — Administrative Safeguards
- Security Rule — Physical Safeguards
- Security Rule — Technical Safeguards
- Breach Notification Rule
What HIPAA requires you to do
1. Conduct and document an annual Security Risk Analysis (SRA) covering all systems handling ePHI.
2. Implement administrative, physical, and technical safeguards proportionate to the risk analysis.
3. Execute Business Associate Agreements (BAAs) with all subcontractors handling PHI.
4. Train workforce members on HIPAA Privacy and Security Rules.
5. Maintain breach notification procedures with documented timelines.
6. Provide patients with a Notice of Privacy Practices and honour patient rights requests.
HIPAA questions
Does HIPAA apply to organisations outside the U.S.?
HIPAA itself is U.S. federal law, but its requirements flow contractually to non-U.S. organisations through Business Associate Agreements. If you provide services to U.S. Covered Entities (or to other Business Associates) and handle Protected Health Information, you will be required to sign a BAA committing to comply with the relevant HIPAA Security Rule and Breach Notification Rule provisions.
What is the maximum HIPAA penalty?
Civil monetary penalties are tiered by culpability and capped per violation category per calendar year. The 2024 inflation-adjusted maximum is approximately USD 2.13 million per violation category per year. Criminal penalties are also available for wilful violations, including imprisonment up to 10 years.
What is the difference between PHI and ePHI?
PHI (Protected Health Information) is any individually identifiable health information held by a Covered Entity or Business Associate, in any form. ePHI is the electronic subset of PHI specifically subject to the Security Rule's administrative, physical, and technical safeguards.
Ready to operationalise HIPAA compliance?
Talk to a Vantage GRC consultant about your HIPAA programme — pre-mapped controls, evidence management, and audit-ready dashboards. Doha-based.