Skip to content

Explain HIPAA basics: PHI, the Security Rule safeguards, and who must comply.

Short answer

HIPAA (the US Health Insurance Portability and Accountability Act) protects Protected Health Information (PHI). The Privacy Rule governs use and disclosure of PHI; the Security Rule applies to electronic PHI (ePHI) and requires three categories of safeguards — administrative, physical, and technical. It applies to covered entities (providers, health plans, clearinghouses) and to business associates that handle PHI on their behalf, bound by Business Associate Agreements. The Breach Notification Rule sets obligations to notify individuals, HHS, and sometimes the media.

HIPAA is the cornerstone US regulation for healthcare data. Security teams in any organisation touching health data — including SaaS vendors and cloud processors — get pulled into it. Interviewers ask this to see whether you can map the rules to concrete controls.

What HIPAA protects

Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or business associate. When it is in electronic form it is ePHI, and the Security Rule kicks in.

Who must comply

  • Covered entities — healthcare providers, health plans, and healthcare clearinghouses.
  • Business associates — vendors and partners that create, receive, maintain, or transmit PHI on a covered entity's behalf. They are bound by a Business Associate Agreement (BAA).

The Security Rule safeguards

The Security Rule requires three categories of safeguards for ePHI:

  • Administrative — risk analysis, workforce training, access management, contingency planning.
  • Physical — facility access controls, device and media controls, workstation security.
  • Technical — access control, audit controls, integrity controls, transmission security (encryption).

Many specifications are "addressable" — meaning you assess whether the safeguard is reasonable and document your decision — not optional.

Breach notification

The Breach Notification Rule requires notifying affected individuals and the Department of Health and Human Services; breaches affecting 500+ residents of a state also require notifying prominent media.

Why this matters

Strong candidates note that business associates are directly liable, that a risk analysis is the foundational administrative safeguard, and that "addressable" does not mean "ignore." That shows real operating knowledge rather than a memorised acronym list.

Likely follow-ups

  • What is a Business Associate Agreement and when is one required?
  • Give an example of an administrative vs a technical safeguard under the Security Rule.
  • What triggers the media notification requirement under the Breach Notification Rule?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.