You are on United States website. Change region to view location-specific content:
Global
English
Select another region
Choose region and language
- Americas
- Asia-Pacific
- Europe, Middle East and Africa
- Worldwide
How does HIPAA relate to cybersecurity?
HIPAA ensures the privacy and protection of patients’ PHI across the United States. This regulation not only helps individuals gain control of their information but also standardizes how health data is handled.
HIPAA cybersecurity pillars
Privacy and security rules
Administrative, physical and technical safeguards are required to protect electronic PHI. Patients have the right to access and control their information.
Breach notification
Entities must notify affected individuals, the Secretary of HHS and sometimes the media, following a breach of unsecured PHI.
Enforcement
The U.S. HHS will investigate and enforce compliance violations, including imposing civil monetary penalties.
Workforce training
Human error is a leading cause of breaches. HIPAA mandates regular workforce training on privacy, security, phishing, and handling PHI to reduce insider threats and accidental disclosures.
HIPAA fines and penalties
Noncompliance with HIPAA can result in heavy fines, regulatory investigations and legal action. Beyond the financial impact, it can damage a health care organization’s reputation and erode patient trust. Managed service providers (MSPs) may also face added pressure, as health care entities may look to them to ensure systems and patient data stay compliant.
- Up to $71,000 per violationTier 1 – Tier 3
- Up to $2.1 million per violationTier 4
How does Acronis help with HIPAA?
Acronis helps organizations meet core HIPAA requirements with natively integrated protection with compliance-enabling solutions.
Acronis Compliance Navigator
See the full mapping to discover how Acronis can help you meet HIPAA compliance
Looking for help?
Frequently Asked Questions
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act, is a U.S. law that sets standards for protecting sensitive patient data. It applies to covered entities, which are health care providers, health plans and health care clearinghouses, as well as their business associates, which are organizations that perform services on behalf of covered entities and handle protected health information (PHI). HIPAA is composed of key rules, including the Privacy Rule, which sets national standards for the protection of PHI; the Security Rule, which establishes standards for protecting electronic PHI (ePHI); and the Breach Notification Rule, which requires reporting of breaches of unsecured PHI. These regulations are also applicable to IT providers, managed service providers (MSPs), and cloud vendors who handle PHI, as they are considered business associates under the law.
Why should you care about HIPAA?
You should care about HIPAA because it's a critical regulation with significant financial and legal ramifications. Violations can lead to severe penalties, with fines reaching up to $1.5 million per year for each category of violation. The law imposes strict rules on how electronic protected health information (ePHI) is stored, accessed and transmitted, meaning you must have robust security measures in place. This includes not just your internal operations but also any third-party vendors you work with.
Furthermore, MSPs and other vendors are held liable as business associates under HIPAA, so if a breach occurs because of a vendor's negligence, they can be directly fined. The health care industry is an increasingly attractive target for cybercriminals due to the sensitive and valuable nature of medical data. This growing attack surface — which includes everything from electronic health records to networked medical devices — makes compliance and strong cybersecurity practices more important than ever to protect both your business and your patients.
HIPAA is a federal law that establishes national standards to protect the privacy and security of a person's medical information. Compliance with this law is mandatory for certain entities that handle this sensitive data.
What is protected health information (PHI)?
PHI includes any information about an individual's health status, provision of health care, or payment for health care that can be linked to that specific person. This includes:
- Names, addresses and other contact information.
- Social Security numbers and medical record numbers.
- Health insurance information.
- Patient photographs.
- Dates related to the individual (e.g., birthdate, date of admission).
- Any past, present or future physical or mental health condition data.
Who must comply with HIPAA?
HIPAA compliance applies to two main groups:
- Covered entities: These are health care providers, health plans and health care clearinghouses. Examples include doctors, clinics, hospitals, dentists and health insurance companies.
- Business associates: These are third-party organizations that perform services for a covered entity that involve the use or disclosure of PHI. This can include billing companies, data storage providers and IT services.
If an organization or individual falls into either of these categories and handles PHI, they must comply with HIPAA's rules.
Sorry, your browser is not supported.
It seems that our new website is incompatible with your current browser's version. Don’t worry, this is easily fixed! To view our complete website, simply update your browser now or continue anyway.