HIPAA

Definition

Health Insurance Portability and Accountability Act - US federal law (1996) whose Privacy Rule and Security Rule govern how protected health information (PHI) may be used, disclosed and safeguarded by covered entities (healthcare providers, health plans, clearinghouses) and their business associates. The Security Rule specifically requires administrative, physical and technical safeguards for PHI in electronic form (ePHI), and the Breach Notification Rule requires reporting when unsecured PHI is compromised.

Frequently Asked Questions

What's the difference between HIPAA and HITRUST?
HIPAA is a US law that sets legal requirements for protecting patient health information (PHI, and ePHI when it is stored or transmitted electronically). HITRUST CSF is a certifiable security framework whose controls are mapped to HIPAA and other standards (for example NIST and ISO 27001); organizations that pass a HITRUST assessment receive a certification they can show to customers and auditors. HIPAA compliance is a legal obligation and has no official certification; HITRUST certification is optional and is one way to demonstrate that HIPAA-relevant controls are actually implemented.
When do I need to be HIPAA compliant in the cloud?
You need HIPAA compliance when your organization is a covered entity (such as a healthcare provider or health plan) or a business associate (a vendor handling patient data on a covered entity's behalf) and you create, receive, maintain, or transmit ePHI using cloud services. In practice, this includes storing patient records, processing claims, running patient portals, or analyzing identifiable health data in cloud databases, storage, or analytics tools. Because the cloud provider then handles ePHI for you, it becomes your business associate and must sign a Business Associate Agreement (BAA) before ePHI is placed in its services; the same applies to any SaaS tool that touches that data.
How much does HIPAA compliance cost?
HIPAA itself has no licensing fee, but compliance has implementation and operational costs. Common cost drivers include security tooling (logging/monitoring, endpoint protection), encryption and key management, identity and access management, the required risk analysis and ongoing risk management, policies and workforce training, incident response and breach notification readiness, audits/assessments, and potentially higher-cost configurations (e.g., dedicated networking, longer log retention). Cloud providers charge for the underlying services you use (storage, logs, KMS keys, SIEM ingestion), and they typically sign a BAA only for a defined list of eligible services, so restricting ePHI to those services is both a compliance requirement and a factor in architecture and cost.

Category: security

Difficulty: intermediate
