Protect patient data. Validate HIPAA controls. Beyond checkbox compliance.
Safeguard ePHI with technical and administrative control validation aligned to HIPAA Security Rule requirements. Risk analysis, workforce training, breach notification programme design, and Business Associate Agreement review.
HIPAA Overview
HIPAA enforcement is at
an all-time high.
The HIPAA Security Rule covers three categories of safeguards — technical, administrative, and physical — across all systems that create, receive, maintain, or transmit electronic protected health information.
Security Rule Safeguards
Three categories. All required.
None optional.
Technical safeguards are the technology-based controls that protect ePHI and control access to it across all systems, networks, and devices. The Security Rule defines five technical safeguard standards (§164.312):
Access control (§164.312(a)): unique user IDs, emergency access procedure, automatic logoff, encryption/decryption of ePHI
Audit controls (§164.312(b)): hardware, software, and procedural mechanisms to record and examine activity in systems that contain or use ePHI
Integrity (§164.312(c)): mechanisms to authenticate that ePHI has not been altered or destroyed in an unauthorised manner
Person or entity authentication (§164.312(d)): verify the identity of any person or entity seeking access to ePHI before granting access
Transmission security (§164.312(e)): guard against unauthorised access to ePHI transmitted over electronic communications networks
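One way an integrity control of the kind listed above can be implemented at the record level, as an added illustration that is not part of this page or of Spakto's service: each stored ePHI record carries an HMAC-SHA256 tag computed over a canonical serialisation, and the tag is recomputed and compared on every read. The record contents, the key handling (a key generated at import time instead of one fetched from a KMS or HSM), and the function names are assumptions made for the example.

```python
"""HMAC integrity tags for ePHI records (added example, not Spakto's code).

Assumptions not taken from the page: records are JSON-serialisable dicts,
the MAC key lives in a key management service in production, and a
SHA-256 HMAC is an acceptable integrity mechanism for the deployment.
"""
import hashlib
import hmac
import json
import secrets
from copy import deepcopy

# Constructed demo key, generated at import so no secret sits in source.
# In production the key comes from a KMS/HSM and is rotated (assumption).
DEMO_KEY = secrets.token_bytes(32)

# Constructed sample record with fictitious patient data.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "name": "Jane Example",
    "dob": "1980-04-02",
    "diagnosis_codes": ["E11.9"],
    "version": 3,  # monotonically increasing, so an old copy cannot be replayed unnoticed
}


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so identical data always yields the same tag.

    sort_keys and fixed separators remove key-order and whitespace variation;
    ensure_ascii=False keeps non-ASCII names byte-exact instead of escaped.
    """
    return json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def seal(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag to a copy of the record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": deepcopy(record), "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """True only if the record is exactly what was sealed under this key."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so a mismatching tag does not
    # leak how many leading bytes were correct.
    return hmac.compare_digest(expected, sealed["tag"])


def tamper(sealed: dict, field: str, value) -> dict:
    """Simulate an unauthorised edit to a stored record; the tag is left as-is."""
    edited = deepcopy(sealed)
    edited["record"][field] = value
    return edited


if __name__ == "__main__":
    sealed = seal(SAMPLE_RECORD, DEMO_KEY)
    print("intact:", verify(sealed, DEMO_KEY))  # True
    print("edited:", verify(tamper(sealed, "diagnosis_codes", ["E10.9"]), DEMO_KEY))  # False
    print("wrong key:", verify(sealed, secrets.token_bytes(32)))  # False
```

The tag proves that nobody without the key altered the record; it does not stop an insider who holds the key, and it does not by itself detect rollback to an older, still validly tagged version unless the version counter is checked against an authoritative source. Pair it with the audit-control and authentication safeguards, and keep the key outside the database that holds the records.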
Protected Health Information
18 PHI identifiers.
All require protection.
HIPAA lists 18 identifiers (the Safe Harbor de-identification list at §164.514(b)(2)). Health information linked to any one of them is individually identifiable and therefore PHI under the HIPAA Privacy Rule; in electronic form it requires the full Security Rule safeguards. Removing all 18 is one route to de-identified data that falls outside HIPAA.
Full name or any part of a name of the individual
OCR Enforcement
Four civil penalty tiers.
Up to $1.9M per category.
HHS Office for Civil Rights (OCR) applies a tiered civil penalty structure based on culpability. Wilful neglect carries the most severe sanctions.
The covered entity did not know, and by reasonable diligence could not have known, of the violation.
Risk Analysis Methodology
The most cited OCR finding.
No risk analysis. Penalised.
HIPAA §164.308(a)(1) requires an ongoing, thorough risk analysis. Spakto's five-step methodology produces a defensible, documented risk register for OCR audit.
Identify all systems, applications, networks, and workforce members that create, receive, maintain, or transmit ePHI. Define the risk analysis boundary.
Business Associates & BAAs
Every vendor touching ePHI
needs a BAA.
A Business Associate Agreement is a mandatory contract under HIPAA. It must specify permitted uses, safeguard obligations, breach notification timelines, and sub-contractor requirements.
Breach Notification Rule
60-day outer limit. Three notification
channels. Thresholds apply.
The Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI. HHS must be notified within the same 60 days when 500 or more individuals are affected, and through an annual log (within 60 days of the end of the calendar year) for smaller breaches. Prominent media outlets must be notified when a breach affects more than 500 residents of a state or jurisdiction. Business associates notify the covered entity, which then carries out these notifications.
Implementation Lifecycle
Eight phases. Risk-driven.
Evidence at every step.
Comprehensive assessment of potential risks to ePHI across all systems. Threat identification, vulnerability assessment, and documented risk register aligned to HIPAA Security Rule §164.308(a)(1).
Why Spakto
Evidence-led. Technically validated.
OCR-defensible.
Frequently Asked
Frequently asked questions.
Answered.
HIPAA applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses that transmit PHI electronically — and their business associates, which are vendors or service providers that create, receive, maintain, or transmit PHI on behalf of a covered entity. Business Associate Agreements are required for all BA relationships. Failure to have a BAA is itself a Security Rule violation.
The HIPAA Security Rule mandates a thorough and accurate assessment of potential risks to ePHI confidentiality, integrity, and availability (§164.308(a)(1)(ii)(A)). Risk analysis must be ongoing and must inform all security programme decisions. Absence of a documented, current risk analysis is the most cited finding in OCR investigations and a predicate violation in most enforcement actions.
The clock starts when the covered entity or business associate discovers the breach: the first day the incident is known to the organisation, or would have been known had it exercised reasonable diligence. Knowledge held by any workforce member or agent (other than the person who committed the breach) is imputed to the organisation. Discovery therefore does not require confirmation that a breach occurred, only awareness of facts that a reasonable person would investigate. A 10-day forensic investigation period is common, but the 60-day limit runs concurrently with the investigation, and 60 days is an outer bound rather than a target: notification must be made without unreasonable delay, and waiting out the full period without justification is itself a violation.
PHI is individually identifiable health information: any data that relates to a health condition, the provision of healthcare, or payment for healthcare, and that identifies the individual or could reasonably be used to do so. HIPAA lists 18 specific identifiers, including names, dates (other than year) directly related to an individual, geographic subdivisions smaller than a state, phone numbers, IP addresses, and biometric identifiers. Any combination of health data and one or more of these identifiers constitutes PHI requiring protection.
Civil penalties range from $100 per violation (Tier 1, did not know) to $50,000 per violation for wilful neglect (Tier 4), with annual caps ranging from $25,000 to $1.9 million per violation category; these are the base statutory figures, which HHS adjusts for inflation each year. Criminal penalties under 42 U.S.C. §1320d-6 can reach $250,000 and 10 years imprisonment for wrongful disclosure with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm. OCR enforcement actions have increased 93% since 2020, with recent settlements ranging from $75,000 to over $5 million.
Required safeguards must be implemented as specified — there is no flexibility. Addressable safeguards must be implemented if reasonable and appropriate, or the organisation must document why an equivalent alternative was used instead. Addressable does not mean optional — it means the organisation can use an alternative approach if it achieves the same protection outcome and that rationale is documented. Most addressable safeguards are implemented in practice.