Understanding HIPAA
HIPAA establishes national standards for protecting patient health information. The law applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and business associates (vendors with access to PHI). HIPAA includes three primary rules: the Privacy Rule (governs use and disclosure of PHI), the Security Rule (requires administrative, technical, and physical safeguards for ePHI), and the Breach Notification Rule (mandates notification following a breach of unsecured PHI).
The Security Rule is the most technically relevant for cybersecurity, requiring risk analysis, access controls, audit logging, encryption, integrity controls, and transmission security. The rule distinguishes “required” from “addressable” implementation specifications. Addressable does not mean optional: an organization must either implement the specification or document why it is not reasonable and appropriate in its environment and implement an equivalent alternative measure.
HIPAA Enforcement and Penalties
The Office for Civil Rights (OCR) enforces HIPAA through investigations and audits. Penalties range from $137 per violation for unknowing violations to over $2 million per violation category for willful neglect. OCR has increased enforcement activity, and settlements for breaches regularly exceed $1 million. Beyond federal penalties, California’s Confidentiality of Medical Information Act (CMIA) imposes further requirements and state-level enforcement that exceed HIPAA’s minimum standards.
HIPAA in San Diego Healthcare
San Diego’s healthcare ecosystem spans major hospital systems, hundreds of specialty practices, biotech clinical trials, telehealth platforms, and a large military medical community. Each handles ePHI and must comply with HIPAA. Cross-border healthcare with Mexico and the region’s biotech research corridor add compliance complexity. Our team provides HIPAA risk assessments, remediation support, and ongoing compliance management specifically tailored to San Diego healthcare organizations.