What is HIPAA in simple words
HIPAA is a law in the United States that protects health information. Its full name is Health Insurance Portability and Accountability Act. It dates back to 1996. HIPAA is all about keeping patient information private and secure. It sets rules for doctors, hospitals, clinics, and other health-related companies. HIPAA also forces anyone who helps these covered entities with health data to follow strict privacy rules. This is key to protecting personal health data.
This article explains HIPAA in depth. It shares who must follow it, what type of data is protected, and what measures are expected. You will also see how a startup might need to comply, how much it costs, and what it takes to stay compliant (like with email). It is a big read, but it aims to be clear for beginners. Let's start.
Why HIPAA matters
HIPAA matters because health information is private. It is unique to each person. Before HIPAA, there were no uniform federal standards on who could share your medical records. HIPAA put in place a system so that no one can casually share your medical data without permission. This includes personal details in your health records, like diagnoses, lab results, prescriptions, and notes from healthcare providers. HIPAA also ensures you can ask for copies of your records. This helps you stay informed about your own health data.
HIPAA covers two main areas. The Privacy Rule outlines who can see your data. The Security Rule outlines how to secure the data. Together, they protect something called PHI (protected health information). PHI is any health info that can identify an individual. That could be your name plus medical details, or your address plus a diagnosis, or any similar combination that reveals who you are and what your health condition is. HIPAA sets requirements for organizations that handle this type of data to keep it private and safe.
Who must comply with HIPAA
Not every company dealing with "health" information is bound by HIPAA. It only applies to:
- Covered Entities: Such as doctors, clinics, hospitals, health insurers, Medicare, Medicaid, or healthcare clearinghouses.
- Business Associates: A company or person that works with or for these covered entities and has access to PHI. For example, a software vendor that stores patient data on behalf of a hospital. Or an email service that sends patient billing details on behalf of a clinic.
Below is a table with examples of common startups or industries and whether they must comply. Check the notes for details.
| Type of Startup / Service | HIPAA Required? | Notes / Examples |
|---|---|---|
| Health Tech (Medical Apps & EHR systems) | Yes (if handling patient info) | Platforms used by doctors or hospitals to store or send PHI, like electronic health record software, scheduling apps with medical details, or patient portals. |
| Fitness Tech (Workout or Diet Apps) | No (if personal use); Yes (if connected to provider) | If the app is for personal use and not linked to a provider, no HIPAA. If a doctor or insurer provides that app to you and receives your data, then it is HIPAA. |
| Insurance Platforms (Health Insurance Apps/Websites) | Yes | Health insurers must follow HIPAA. A platform that helps users manage plan details, claims, or coverage for health insurance also has to comply. |
| Telemedicine Services (Online Doctor Visits) | Yes | Virtual healthcare or therapy sessions involve PHI, so everything from the video chat to the messages must be secured per HIPAA. |
| Mental Health Apps (Therapy/Counseling) | Yes (if professional providers) | If the app connects you with a licensed therapist, that is healthcare. If it is just self-help tips or no real providers, HIPAA may not apply. |
| Employee Wellness Platforms | Depends | Sometimes these are just fun step counters. Sometimes they collect serious health data for an insurer. If the latter, HIPAA rules apply. |
| Remote Patient Monitoring (RPM) | Yes | These devices or apps send your readings (like heart rate) to a doctor. Since that is PHI, HIPAA definitely applies. |
| Medical Billing & Health SaaS | Yes | Any service that processes or stores PHI for a covered entity is considered a business associate, so it must comply. |
| Any Startup Handling PHI for Providers | Yes | If you store or handle identifiable health info for a clinic or insurer, you must sign a BAA and follow HIPAA security measures. |
Key point: HIPAA only kicks in if a covered entity (or their business associate) is involved with personally identifiable health data. If you track your steps with a watch at home and it never syncs to a doctor, that is not HIPAA. If you share that watch data with an insurer or clinic, it becomes HIPAA territory.
Common scenarios: HIPAA or not
Here are a few everyday scenarios:
- Logging food intake on a calorie counter at home: Not HIPAA. It is private logging. No clinic or insurer is receiving that data.
- Getting medical test results from a doctor by email: HIPAA. Because the clinic is a covered entity and is sending PHI to you.
- Sharing your own health details on a public forum: Not HIPAA. You are choosing to share your info. HIPAA governs what covered entities do with data, not what you do with your own data.
- An employer asking for a note from your doctor: The note is created by the doctor, who must follow HIPAA. But the employer itself is not typically a covered entity. HIPAA does not generally apply to the employer's use of that data, but the doctor must handle it safely on their side.
So, it is not just about the nature of the data. It is also about who is involved in sharing or storing it. HIPAA requires that any covered entity or business associate keep PHI confidential and secure.
How to comply with HIPAA
If your company or startup is under HIPAA, you must put a range of safeguards in place. HIPAA mandates technical, physical, and administrative measures to protect ePHI. Here are some common steps:
- Encryption: This scrambles data so only someone with the decryption key can read it. HIPAA strongly advises encrypting PHI at rest (in storage) and in transit (over the network).
- Access Controls: Restrict access to only those who need it. Everyone who views PHI has a unique login. Use strong passwords and multi-factor login where possible.
- Audit Logs: Keep track of who accessed or changed patient records. Review these logs to catch unauthorized access.
- User Authentication: Confirm each person's identity before granting PHI access, like requiring a password or other factor.
- Physical Safeguards: Lock doors, secure servers, and control who can enter areas with sensitive data. For cloud servers, confirm your hosting provider also has such safeguards.
- Administrative Safeguards: Write policies on handling PHI. Train staff to avoid mistakes, phishing, or gossip. Have a Privacy Officer and Security Officer. Conduct regular risk assessments.
- Breach Notification: If data is compromised, notify affected individuals and HHS within 60 days (sometimes also the media if large-scale). This is required by the Breach Notification Rule.
- Continuous Monitoring: HIPAA compliance is not a one-time project. You must regularly test security, update policies, retrain staff, and stay vigilant.
HIPAA aims for confidentiality (no unauthorized access), integrity (data not altered improperly), and availability (authorized users can see data as needed). A strong HIPAA program in a startup or any covered entity often involves teamwork between IT, legal, and management.
Is there a HIPAA certificate
There is no official HIPAA certificate from the U.S. government. HHS does not recognize any private certification as official proof of compliance. Some vendors sell "HIPAA certification" programs, but these are not recognized by HHS. HIPAA compliance is about your everyday practice, not a paper you hang on your wall. If a breach happens, you cannot point to a certificate and say you are fine. Regulators will want to see real measures, logs, policies, and encryption in place.
To show compliance, many companies document their security steps, run internal or external audits, and keep everything on record. That way, if something goes wrong or an investigation happens, they can show they tried to meet the rules.
How much does HIPAA compliance cost
Costs vary. A small startup might spend a few thousand dollars to implement encryption, do a risk assessment, and write policies. Bigger organizations can spend tens of thousands or more. Common expenses include:
- Risk assessment and gap analysis: Hiring a consultant or using a tool to find where you fall short on HIPAA requirements.
- Technology upgrades: Buying encryption tools, secure email solutions, or using HIPAA-compliant cloud services like AWS or Azure with a BAA.
- Writing policies and training staff: Possibly paying for staff courses or using online training modules.
- Legal fees: Reviewing Business Associate Agreements and privacy notices. This can be a moderate or large cost depending on complexity.
- Maintenance: Ongoing training, periodic risk assessments, software updates, and re-checking policies each year.
Industry sources say small practices could spend from $10,000 to $50,000 implementing the necessary measures. Larger entities might spend $80,000 to $120,000 or more. Fines for non-compliance can be much steeper though, up to $50,000 per violation, with an annual cap of $1.5 million for repeat violations. The reputational harm can also be severe if a data breach happens. So for many startups, HIPAA compliance is worth the upfront cost.
Doing HIPAA compliance yourself
It is possible to handle HIPAA compliance on your own if you have technical knowledge and time to read regulations. HHS publishes summaries, FAQs, and checklists. You can do a self-audit, write policies, and train your staff without hiring expensive consultants. However, you must be careful not to miss details. The Security Rule has addressable specifications, but skipping them without valid reasons can be a problem.
Many startups try a blended approach. They do some tasks themselves and bring in a lawyer or consultant to review. This can be cheaper than having a consultant do everything from scratch. Either way, the responsibility remains with you, not with any external body or certificate. So keep good documentation and stay on top of security changes. That is how you show HIPAA compliance over time.
HIPAA and email: sending PHI safely
Email is common in healthcare. Doctors send test results, or patients ask questions. HIPAA does not ban email. It only requires that you protect PHI. This often means encrypting messages. If a patient insists on unencrypted email, they should be warned of risks and the provider should document the patient's choice.
- Encryption recommended: If you send health data to a patient or another provider, encrypt it or use a secure messaging portal.
- Patient preference: Patients can request normal email. The provider can honor that, but must note that it is not fully secure. The patient must be informed.
- Business Associate Agreement (BAA): If you use an email service like Gmail or Outlook for PHI, sign a BAA with Google or Microsoft and configure your account for HIPAA compliance. There are specialized email providers too.
Internal emails within a covered entity also need security. Often, organizations encrypt messages at the server level. Some large providers use email gateways that automatically encrypt or block messages containing PHI. The main idea is not to send sensitive data as plain text because it can be intercepted. If a breach occurs (like an email goes to the wrong address), HIPAA's Breach Notification rule applies.
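To make the gateway behaviour above concrete, here is an added example (not code from the article or any email vendor) of an outbound policy check: it looks for an identifier combined with a clinical term, honors a documented patient preference for plain email, and otherwise routes the message to an encrypted path or blocks it, recording every decision for the audit log. The PHI patterns, the message fields (`to`, `subject`, `body`, `encrypt_supported`) and the consent list are all constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed PHI markers: an example medical record number format, a US SSN
# format, and a few clinical terms. A real gateway would use a tuned ruleset.
MRN_RE = re.compile(r"\bMRN[- ]?\d{6,8}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CLINICAL_TERMS = ("diagnosis", "lab result", "prescription", "icd-10")


def looks_like_phi(text: str) -> bool:
    """PHI as the article defines it: something identifying plus health details."""
    has_identifier = bool(MRN_RE.search(text) or SSN_RE.search(text))
    lowered = text.lower()
    has_clinical = any(term in lowered for term in CLINICAL_TERMS)
    return has_identifier and has_clinical


def decide(msg: dict, consented_plain_email: set, audit: list) -> str:
    """Return 'allow', 'encrypt' or 'block' for one outbound message.

    consented_plain_email: recipients whose documented choice of unencrypted
    email the provider has recorded (constructed assumption).
    Every decision is appended to `audit` so reviewers can trace it later.
    """
    text = f"{msg['subject']}\n{msg['body']}"
    if not looks_like_phi(text):
        action = "allow"                     # no PHI detected, normal delivery
    elif msg["to"] in consented_plain_email:
        action = "allow"                     # patient preference, documented
    elif msg.get("encrypt_supported", False):
        action = "encrypt"                   # hand off to the encrypted path
    else:
        action = "block"                     # never send PHI as plain text
    audit.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "to": msg["to"],
        "phi": action != "allow" or msg["to"] in consented_plain_email,
        "action": action,
    })
    return action


if __name__ == "__main__":
    log = []
    consent = {"patient@example.com"}                       # constructed
    phi_body = "Your lab result for MRN 1234567 is attached."
    print(decide({"to": "patient@example.com", "subject": "Results",
                  "body": phi_body}, consent, log))         # allow (consented)
    print(decide({"to": "clinic@example.org", "subject": "Results",
                  "body": phi_body, "encrypt_supported": True}, consent, log))
    print(decide({"to": "other@example.net", "subject": "Results",
                  "body": phi_body}, consent, log))         # block
    print(decide({"to": "other@example.net", "subject": "Hello",
                  "body": "Parking lot closed Friday."}, consent, log))
```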
Conclusion
HIPAA might feel overwhelming. But in simple words, it is about respecting patient privacy. If you handle or create health data for a doctor or insurer, you have to follow HIPAA's rules. That means restricting who can access data, encrypting it, logging all access, training your team, and being ready to notify everyone if something goes wrong. There is no official government certificate for compliance. You prove it by ongoing effort, good documentation, and proper security. It can cost money and time, but ignoring HIPAA can cost much more in fines or lost trust. If you are new, start with the basics: read the rules, do a risk assessment, and build a culture that respects patient data. That is the best way to keep health information safe.
Frequently Asked Questions
1. Does HIPAA protect all health-related data?
Not all data. It must be identifiable and managed by a covered entity or their business associate. Personal data you track at home is not usually HIPAA, unless a provider collects it.
2. Who is a covered entity under HIPAA?
Doctors, hospitals, clinics, pharmacies, insurers, and healthcare clearinghouses. They must comply with HIPAA rules when they handle PHI.
3. What is a business associate agreement (BAA)?
A contract between a covered entity and a vendor that handles PHI on their behalf. It spells out how the vendor will protect that data and follow HIPAA rules.
4. Can I get officially certified by HHS?
No. HHS does not provide or recognize any HIPAA certification. You stay compliant by following the Security and Privacy Rules. Audits and good documentation help prove compliance.
5. Is email allowed under HIPAA?
Yes, but it should be encrypted when containing PHI. Patients can request normal email, yet they must be informed of the risks first.
6. How much money will HIPAA compliance cost for a startup?
It differs. A small startup might spend a few thousand. Larger ones can spend tens of thousands. You might need new tech, staff training, legal advice, and ongoing maintenance.
7. Can I just do HIPAA compliance on my own?
You can try. Many resources exist online. Some do self-audits and policy writing themselves. But it is wise to get expert help if you are unsure. The final responsibility still falls on you.