Question 1

Who has to comply with HIPAA?

Accepted Answer

HIPAA applies to covered entities - health plans, health care clearinghouses, and most health care providers - and to their business associates, which are any third parties that create, receive, maintain, or transmit protected health information on behalf of a covered entity. SaaS vendors, cloud providers, billing services, medical transcription companies, and analytics platforms serving healthcare clients are typically business associates.

Question 2

What is the difference between the Privacy Rule and the Security Rule?

Accepted Answer

The HIPAA Privacy Rule governs who can access and disclose protected health information and under what circumstances. It applies to PHI in any form - paper, verbal, or electronic. The Security Rule is more narrowly scoped: it governs the technical, physical, and administrative safeguards that must be in place to protect electronic PHI (ePHI). Most technical security work focuses on the Security Rule, while Privacy Rule compliance is often handled by legal and clinical teams.

Question 3

What is a Business Associate Agreement?

Accepted Answer

A Business Associate Agreement (BAA) is a written contract required by HIPAA between a covered entity and a business associate - or between a business associate and a subcontractor. It defines the permitted uses of PHI, breach notification obligations, and the business associate's security responsibilities. Without an executed BAA, sharing PHI with a vendor is itself a HIPAA violation.

Question 4

What are HIPAA penalties for non-compliance?

Accepted Answer

HIPAA penalties are tiered by level of culpability, ranging from $141 to $71,162 per violation (as of 2024 adjustments), capped at $2.1 million per violation category per year. Criminal penalties apply for knowing violations and can include imprisonment. OCR also requires corrective action plans that frequently cost more than the monetary penalty itself.

Question 5

How often do you need to conduct a HIPAA risk analysis?

Accepted Answer

HIPAA requires an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI - but it does not specify a frequency. OCR guidance and audit experience indicate that annual risk analyses are the expectation, with updates triggered by significant changes to infrastructure, data flows, or the regulatory landscape. Continuous risk assessment - rather than an annual spreadsheet - is increasingly the expected standard.

Question 6

What is the HIPAA breach notification rule?

Accepted Answer

Covered entities must notify affected individuals within 60 days of discovering a breach of unsecured PHI, and must also notify HHS. If a breach affects 500 or more individuals, media notification is also required and HHS is notified within 60 days. Business associates must notify their covered entities within 60 days. Breaches affecting fewer than 500 individuals can be reported in an annual log to HHS.

Question 7

Do startups need to worry about HIPAA?

Accepted Answer

If your product handles ePHI - or if a customer wants to store ePHI in your platform - then yes, HIPAA applies regardless of your company size. Healthcare customers will require a signed BAA before sending PHI, and that BAA cascades obligations including Security Rule safeguards, breach notification, and documented risk analyses. HIPAA compliance is rarely optional for health-tech startups.

HIPAA compliance. Protect patients. Protect your business.

The standard for healthcare data protection

Three safeguard categories

Administrative Safeguards

Physical Safeguards

Technical Safeguards

Breach Notification Rule

Privacy Rule

Business Associate Agreements

HIPAA violations aren't theoretical - they're investigated and fined

HIPAA compliance, continuous

Full Security Rule mapping

Risk analysis workflow

BAA tracking

Access control monitoring

Breach response preparation

Training & awareness tracking

HIPAA questions, answered

See how Alvor works for your role