HIPAA
Definition
Health Insurance Portability and Accountability Act - US law protecting medical information privacy and ensuring data security for patients.
Use Cases
- Cerner (Oracle Health): Hosting and processing electronic health records (EHR) and related clinical systems while meeting HIPAA requirements for protecting patient data. — Uses cloud infrastructure with encryption, access controls, audit logging, and contractual safeguards (e.g., BAAs) to protect electronic protected health information (ePHI). (Enables scalable healthcare IT operations and supports security and compliance needs for handling sensitive patient information.)
- Philips: Operating connected health platforms that collect and analyze patient and device data, requiring HIPAA-aligned safeguards for ePHI. — Implements security controls such as strong identity and access management, encryption in transit and at rest, monitoring/auditing, and compliance processes aligned to HIPAA obligations. (Supports delivery of digital health services while maintaining required protections for patient data privacy and security.)
Frequently Asked Questions
- What's the difference between HIPAA and HITRUST?
- HIPAA is a US law that sets requirements for protecting patient health information (ePHI). HITRUST is a certifiable security framework that helps organizations demonstrate they have implemented a broad set of controls (often mapped to HIPAA and other standards). HIPAA compliance is a legal obligation; HITRUST certification is optional but can be used to show strong security and compliance posture.
- When do I need to be HIPAA compliant in the cloud?
- You need HIPAA compliance when your organization is a covered entity (like a healthcare provider or health plan) or a business associate (a vendor handling patient data) and you create, receive, maintain, or transmit ePHI using cloud services. In practice, this includes storing patient records, processing claims, running patient portals, or analyzing identifiable health data in cloud databases, storage, or analytics tools.
- How much does HIPAA compliance cost?
- HIPAA itself has no licensing fee, but compliance has implementation and operational costs. Common cost drivers include security tooling (logging/monitoring, endpoint protection), encryption and key management, identity and access management, risk assessments, policies and training, incident response readiness, audits/assessments, and potentially higher-cost configurations (e.g., dedicated networking, longer log retention). Cloud providers may charge for the underlying services you use (storage, logs, KMS keys, SIEM ingestion), and some providers or services may require a signed BAA as part of eligibility.
Category: security
Difficulty: intermediate
Related Terms
See Also