HIPAA PHI Privacy & Security
Jurisdiction: United States | Enacted: 1996 | Domains: Privacy, Cybersecurity
Key Obligations
- Implement privacy policies governing PHI use and disclosure
- Provide patients with notice of privacy practices and rights to access, amend, and restrict PHI use
- Secure ePHI through administrative, physical, and technical safeguards (encryption, MFA, access controls)
- Enter into Business Associate Agreements (BAAs) with vendors handling PHI
- Conduct risk assessments and implement corrective actions for security gaps
- Maintain a breach notification process to notify affected individuals, regulators, and in some cases, the media
- Train employees on HIPAA privacy and security requirements
FAQ
Who enforces HIPAA?
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Who must comply?
Covered entities (health care providers, health plans, and health care clearinghouses) and their business associates (for example IT vendors, billing firms, and cloud providers that handle PHI on their behalf).
What industries are most affected?
Healthcare, insurance, health IT, cloud services, and third-party vendors supporting PHI processing.
What are the penalties for non-compliance?
Civil penalties up to $1.9 million per year per violation category, potential criminal charges, and reputational harm.