What is HIPAA?
The federal law that governs how your medical practice handles patient information — and what happens when it goes wrong.
The Short Version
HIPAA stands for the Health Insurance Portability and Accountability Act. In plain English: if your business creates, stores, or transmits patient health information, the US federal government requires you to protect it in specific ways. This includes your computers, your email, your cloud storage, your backups — everything.
If you don't comply and a breach occurs, civil penalties scale with how culpable you were — from minor oversights up to a statutory annual maximum that is adjusted for inflation every year (the 2026 figure is reached only at the most severe tier). Repeat and willful violators can also face criminal charges.
Who Needs to Comply?
If you are any of the following, HIPAA applies to you:
- Medical practice of any size — solo practitioner to large group
- Dental office
- Mental health practice
- Physical therapy or chiropractic practice
- Pharmacy
- Any business that handles billing, coding, or scheduling for a healthcare provider
- Any IT company, cloud provider, or software vendor with access to patient data
The last point matters: your IT company is required to sign a Business Associate Agreement (BAA) with you. If yours hasn't, you're already non-compliant.
What Does HIPAA Require From Your IT?
The Security Rule — the part of HIPAA that covers technology — requires you to implement specific safeguards:
- Access controls: Only the right people can see patient records
- Audit logs: A record of who accessed what, and when
- Encryption: Patient data must be encrypted when stored and when transmitted
- Backup and recovery: You must be able to restore patient data after a disaster
- Device security: Laptops, tablets, phones with patient data must be secured and remotely wipeable
- Email security: Patient information sent by email must be encrypted
- Risk assessments: You must regularly document your security risks and how you address them
- Employee training: Your staff must be trained on HIPAA requirements
What Happens When You Don't Comply?
The Office for Civil Rights (OCR) at the Department of Health and Human Services enforces HIPAA. Penalties are tiered:
- Tier 1 — Did not know: lowest per-violation penalties; the smallest annual cap.
- Tier 2 — Reasonable cause: higher minimums; a larger annual cap.
- Tier 3 — Willful neglect, corrected: higher still.
- Tier 4 — Willful neglect, not corrected: the most severe tier — penalties run up to the statutory annual maximum.
These dollar figures are adjusted for inflation every year (the latest adjustment took effect 28 January 2026), and under OCR's 2019 enforcement-discretion policy the lower tiers carry materially smaller annual caps than the headline maximum — so the top number is not what most violations cost. The real point: the obligations above are what keep you out of this table entirely.
A "violation" is each individual record that was exposed. A breach affecting 500 patients is 500 violations.
How Digital Armor Helps
We implement and maintain all the technical safeguards HIPAA requires, including:
- Encrypted storage and email for patient data
- Access controls and user management
- Audit logging across all systems
- Secure backup and disaster recovery
- Device management and remote wipe capability
- Annual risk assessment documentation
- Business Associate Agreement on file
- Staff security awareness training
We don't just set it up — we maintain it and document it, so when an auditor asks, you have the paperwork to prove compliance.
Is Your Practice HIPAA Compliant?
Most small medical practices aren't — not because they're careless, but because nobody told them what was required from a technology perspective. We can tell you exactly where you stand.
Book Your IT Assessment →