HIPAA, the Health Insurance Portability and Accountability Act, is a US federal law enacted in 1996 that establishes national standards for the protection of individually identifiable health information. For technology companies and healthcare organizations, the most operationally significant parts of HIPAA are the Privacy Rule and the Security Rule, which govern how protected health information (PHI) must be handled, stored, transmitted, and safeguarded.
PHI includes any information that can be used to identify an individual in the context of their health, treatment, or payment for care. This extends to names, dates, addresses, IP addresses, device identifiers, and combinations of demographic data that could link to a health record, in addition to clinical data itself.
Organizations that create, receive, transmit, or maintain PHI on behalf of covered entities (healthcare providers, health plans, and clearinghouses) are considered business associates under HIPAA and must sign a Business Associate Agreement (BAA) with each covered entity they serve. Most major cloud providers, including AWS, Google Cloud, and Azure, will sign BAAs and offer HIPAA-eligible service configurations, but enabling those configurations is the customer's responsibility.
For technology teams building in healthcare, HIPAA is not a checkbox. It shapes system architecture decisions including data residency, encryption standards, access logging, audit trails, breach notification timelines, and data retention policies. The penalties for HIPAA violations range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category, and criminal charges are possible in cases of willful neglect.