HIPAA compliance and regulation
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for safeguarding protected health information. Maintaining HIPAA compliance is essential to protecting patients and avoiding penalties and fines. Get the latest HIPAA news and learn strategies for compliance with HIPAA and other healthcare privacy and security regulations.
Top Stories
- 
				News
					16 Sep 2025
					
									
										
									
								GAO calls on HHS CIO to address cybersecurity deficiencies
GAO's latest report identified 82 open recommendations for the HHS CIO to implement in order to better secure government IT systems. Continue Reading
 - 
				News
					10 Sep 2025
					
									
										
									
								OCR, ASTP release version 3.6 of Security Risk Assessment Tool
The Security Risk Assessment Tool can help small and mid-sized healthcare organizations manage privacy and security risks and maintain HIPAA compliance. Continue Reading
By- Jill McKeon, Associate Editor
 
 
- 
                Feature
                03 Sep 2025
                
                                    
                                White House health tech initiative sparks data privacy concerns
The federal government's efforts to improve the health tech ecosystem and build an interoperability framework come with potential data privacy and security concerns, experts say. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Definition
                28 Aug 2025
                
                            
                            What is HIPAA (Health Insurance Portability and Accountability Act)?
HIPAA (Health Insurance Portability and Accountability Act) is United States legislation that provides national standards to prevent protected health information (PHI) from being disclosed without the patient's consent or knowledge. Continue Reading
By- Katie Terrell Hanna
 - Ben Lutkevich, Site Editor
 
 - 
                Definition
                27 Aug 2025
                
                            
                            What is the Centers for Disease Control and Prevention (CDC)?
The Centers for Disease Control and Prevention (CDC) is the United States' national public health agency. Continue Reading
By- Katie Terrell Hanna
 - Kristen Lee, News Writer
 
 - 
                News
                27 Aug 2025
                
                                    
                                RFK Jr. delegates Part 2 enforcement to OCR
The HHS secretary delegated the enforcement of the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations under 42 CFR Part 2 to OCR in alignment with a 2024 final rule. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                27 Aug 2025
                
                                    
                                Key HIPAA compliance considerations for agentic AI tools
Agentic AI tools, like any other AI-powered tools, come with HIPAA compliance considerations to ensure that PHI is protected. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                21 Aug 2025
                
                                    
                                HIPAA compliance in the era of OCR's risk analysis initiative
OCR issued its 10th enforcement action under the risk analysis initiative, signaling to covered entities that compliance with HIPAA's risk analysis provisions should be a focus area. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                13 Aug 2025
                
                                    
                                OCR updates HIPAA FAQs following health tech initiative launch
OCR updated some HIPAA Privacy Rule FAQs in support of CMS' recent health tech initiative launch, providing clarity on permitted PHI disclosures. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Definition
                13 Aug 2025
                
                            
                            What is meaningful use stage 3?
Meaningful use stage 3 is the third phase of the Medicare and Medicaid Electronic Health Record (EHR) Incentive Program, commonly called the 'meaningful use' (MU) program. Continue Reading
By- Rahul Awati
 - Reda Chouffani, Biz Technology Solutions
 
 - 
                Definition
                08 Aug 2025
                
                            
                            What is a computer-assisted coding system (CACS)?
A computer-assisted coding system (CACS) is software that analyzes healthcare documents and automatically produces appropriate medical codes, like the International Classification of Diseases, Ninth Revision, Clinical Modification (ICD-9-CM), ICD-10-CM and the American Medical Association's Current Procedural Terminology (CPT) for specific phrases and terms within the document. Continue Reading
By- Rahul Awati
 - Alex DelVecchio, Content Development Strategist
 
 - 
                Definition
                29 Jul 2025
                
                            
                            What is good automated manufacturing practice (GAMP)?
Good automated manufacturing practice (GAMP) is a set of guidelines for pharmaceutical manufacturers. Continue Reading
 - 
                Feature
                09 Jul 2025
                
                                    
                                How Medicaid cuts could endanger rural hospital cybersecurity
Rural hospital cybersecurity funding may be at risk as Medicaid cuts threaten the viability of already resource-strapped rural healthcare facilities. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                07 Jul 2025
                
                                    
                                How doctors can respond to bad online provider reviews
Clinicians must be mindful of HIPAA compliance and patient privacy as they learn to respond to bad online provider reviews. Continue Reading
By- Sara Heath, Executive Editor
 
 - 
                Definition
                24 Jun 2025
                
                            
                            What is vendor neutral archive (VNA)?
A vendor neutral archive (VNA) is a medical imaging technology that stores medical images in a standard format and utilizes a standard interface, making them accessible to healthcare professionals regardless of what proprietary system was used to create those images. Continue Reading
By- Rahul Awati
 - Monica Vallejo, Editorial assistant
 - Scott Wallask
 
 - 
                News
                23 Jun 2025
                
                                    
                                Texas court vacates HIPAA reproductive health privacy rule
A Texas U.S. district judge struck down the 2024 modifications to the HIPAA Privacy Rule that aimed to strengthen protections for reproductive healthcare data. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                17 Jun 2025
                
                                    
                                Lawmakers introduce bipartisan healthcare cybersecurity bill
The Healthcare Cybersecurity Act aims to increase coordination between HHS and CISA, particularly during active cyberattacks. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Definition
                17 Jun 2025
                
                            
                            What is market concentration?
Market concentration refers to how a market is distributed among competing companies. Continue Reading
 - 
                Definition
                05 Jun 2025
                
                            
                            What is the Department of Health and Human Services (HHS)?
The U.S. Department of Health and Human Services (HHS) is a cabinet-level agency in the executive branch of the federal government, tasked with protecting the health and well-being of all Americans. Continue Reading
By- Katie Terrell Hanna
 - Kristen Lee, News Writer
 
 - 
                News
                05 Jun 2025
                
                                    
                                Paula M. Stannard appointed as OCR director
Paula M. Stannard will serve as the new OCR director, leading federal enforcement of HIPAA and civil rights laws within HHS. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                04 Jun 2025
                
                                    
                                How AI is changing telemedicine in 2025
AI is virtually expanding, reshaping and personalizing telehealth practices in triaging, image analysis, patient diagnoses, treatment planning, monitoring and mental health. Continue Reading
 - 
                Feature
                29 May 2025
                
                            
                            AI in healthcare: A guide to improving patient care with AI
AI is permeating critical healthcare practices, from interpreting mammograms to discovering life-saving drugs, while surgically transforming hospital workflows. Continue Reading
By- Ron Karjian, Industry Editor
 - John Moore, Industry Editor
 - Stephen J. Bigelow, Senior Technology Editor
 
 - 
                Definition
                19 May 2025
                
                            
                            What is compliance risk?
Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting from its failure to act in accordance with industry laws and regulations, internal policies or prescribed best practices. Continue Reading
 - 
                Definition
                12 May 2025
                
                            
                            What is the Patient Protection and Affordable Care Act (PPACA, ACA or Obamacare)?
The Affordable Care Act (ACA), formally known as the Patient Protection and Affordable Care Act, is a landmark healthcare law Congress enacted and former President Barack Obama signed in March 2010. Continue Reading
By- Katie Terrell Hanna
 - Shaun Sutner, Senior News Director
 - Alex DelVecchio, Content Development Strategist
 
 - 
                Definition
                06 May 2025
                
                            
                            What is segregation of duties (SoD)?
Segregation of duties (SoD) is an internal control mechanism designed to prevent errors and fraud by ensuring at least two individuals are responsible for the separate parts of any task. Continue Reading
 - 
                Definition
                05 May 2025
                
                            
                            What is emergent medical data?
Emergent medical data (EMD) is health information gathered about an individual from seemingly unrelated online user behavior data. Continue Reading
By- Alexander S. Gillis, Technical Writer and Editor
 - Kate Brush
 
 - 
                Definition
                24 Apr 2025
                
                            
                            What is risk exposure in business?
Risk exposure is the quantified potential loss from currently underway or planned business activities. Continue Reading
By- Dave Shackleford, Voodoo Security
 - Ben Cole, Executive Editor
 
 - 
                Feature
                21 Apr 2025
                
                                    
                                Navigating HIPAA's reproductive healthcare data privacy rule
Compliance with a final rule to support reproductive healthcare data privacy can help entities mitigate risk despite the rule’s various legal challenges. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                18 Apr 2025
                
                                    
                                13 AI healthcare companies to watch in 2025
These AI healthcare companies are using generative AI to enhance efficiency, improve patient care and innovate diagnostics. We also explore types of AI in the healthcare space. Continue Reading
 - 
                Feature
                16 Apr 2025
                
                                    
                                7 challenges of AI integration in healthcare and their remedies
The healthcare sector faces many hurdles when adopting AI. Obstacles include setting an AI strategy, dealing with fragmented data, and addressing ethics, security and compliance. Continue Reading
By- John Moore, Industry Editor
 
 - 
                News
                11 Apr 2025
                
                                    
                                OCR settlement: Cracking down on HIPAA risk analysis gaps
Northeast Radiology paid $350,000 and agreed to implement a corrective action plan to resolve OCR's sixth enforcement action under its HIPAA risk analysis initiative. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                11 Apr 2025
                
                                    
                                10 top AI tools in healthcare for 2025
AI tools are transforming healthcare by enhancing efficiency and care quality through predictive analytics and tailored diagnostics. Explore some of the major tools on the market. Continue Reading
 - 
                Feature
                08 Apr 2025
                
                                    
                                10 benefits of AI in healthcare
Healthcare was one of the first and more notable industries to achieve tangible AI benefits, including image analysis, accurate diagnoses, earlier treatments and patient privacy. Continue Reading
By- Stephen J. Bigelow, Senior Technology Editor
 
 - 
                Feature
                07 Apr 2025
                
                                    
                                10 AI healthcare trends to watch in 2025 and beyond
AI is redefining the healthcare sector, with hospitals, health systems and large medical practices incorporating AI technologies into clinical and administrative workflows. Continue Reading
 - 
                News
                01 Apr 2025
                
                                    
                                HSCC urges consultative process as alternative to HIPAA NPRM
The HSCC urged the administration to initiate a series of consultations with healthcare cybersecurity leaders to inform policy, instead of moving forward with the HIPAA NPRM. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                31 Mar 2025
                
                                    
                                How to prepare for OCR's HIPAA audit program
After a long hiatus, OCR's HIPAA audit program is returning, this time with a focus on HIPAA Security Rule provisions surrounding hacking and ransomware. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                26 Mar 2025
                
                                    
                                OCR begins reviewing proposed HIPAA Security Rule comments
Reading the thousands of comments on the proposed HIPAA Security Rule updates and reviving the HIPAA audit program are some of OCR's current priorities. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                25 Mar 2025
                
                                    
                                OCR settles HIPAA risk analysis investigation
OCR announced a settlement with a healthcare business associate, citing HIPAA risk analysis deficiencies. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                04 Mar 2025
                
                                    
                                How does HHS resolve HIPAA complaints?
The HHS Office for Civil Rights evaluates every HIPAA complaint it receives and resolves each with an appropriate resolution, from technical assistance to corrective actions. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                25 Feb 2025
                
                                    
                                MGMA, CHIME ask Trump to rescind proposed HIPAA Security Rule
Several industry groups signed a letter to the Trump administration asking it to rescind the proposed HIPAA Security Rule updates, citing high costs and regulatory burden. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                20 Feb 2025
                
                                    
                                OCR: Warby Parker to pay $1.5M penalty for violating HIPAA
Warby Parker faces a $1.5 million penalty for violating HIPAA, OCR determined after launching an investigation into a 2018 credential stuffing cyberattack against the eyewear retailer. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                11 Feb 2025
                
                                    
                                How HHS enforces the HIPAA Security Rule, Privacy Rule
The HHS Office for Civil Rights enforces the HIPAA Security Rule and HIPAA Privacy Rule through investigations, compliance reviews and education. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                29 Jan 2025
                
                                    
                                New York legislature passes health data privacy law
Much like Washington State's My Health, My Data Act, New York's legislation aims to give consumers additional rights related to the sale of their health information. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                24 Jan 2025
                
                                    
                                3 things to know about proposed HIPAA Security Rule updates
New processes, cost of implementation and whether the proposed updates to the HIPAA Security Rule will stick are top-of-mind for industry experts. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                15 Jan 2025
                
                                    
                                HHS reaches HIPAA settlement with Solara Medical Supplies
Solara Medical Supplies agreed to pay $3 million to resolve potential HIPAA violations stemming from a phishing attack. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                08 Jan 2025
                
                                    
                                HIPAA risk analysis gaps lead to 2 HHS enforcement actions
HHS settled two ransomware investigations concerning HIPAA risk analysis deficiencies, marking OCR's second and third enforcement actions under its risk analysis initiative. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                02 Jan 2025
                
                                    
                                HHS proposes HIPAA Security Rule changes
The proposed HIPAA Security Rule updates provide specific instructions for safeguarding ePHI, preventing data breaches and maintaining compliance. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                19 Dec 2024
                
                                    
                                Top healthcare cybersecurity, privacy predictions for 2025
Healthcare cybersecurity and privacy experts predict a renewed focus on cyber-resilience, advancements in AI and additional privacy legislation going into 2025. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                11 Dec 2024
                
                                    
                                OCR settles with Inmediata Health over HIPAA violations
Inmediata Health paid $250K to OCR to settle potential HIPAA violations relating to a breach in which PHI was made publicly available online. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                04 Dec 2024
                
                                    
                                OCR issues $1.19M HIPAA penalty against Florida provider
OCR imposed a $1.19 million HIPAA penalty against Gulf Coast Pain Consultants after a former contracted employee improperly accessed PHI to submit fraudulent Medicare claims. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                03 Dec 2024
                
                                    
                                New legislation aims to strengthen healthcare cybersecurity
The Health Care Cybersecurity and Resiliency Act of 2024 aims to strengthen healthcare cybersecurity and improve coordination between HHS and CISA. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                02 Dec 2024
                
                                    
                                Breaking down New York's hospital cybersecurity regulations
New York's hospital cybersecurity regulations include 72-hour incident reporting and other requirements to bolster cybersecurity programs in the state's general hospitals. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                27 Nov 2024
                
                                    
                                OIG: OCR should expand scope of HIPAA audit program
OIG recommended that OCR expand the scope of the HIPAA audit program and define metrics for evaluating the effectiveness of its audits. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Podcast
                04 Nov 2024
                
                                    
                                Understanding new NY hospital cybersecurity regulations
Recently enacted New York State general hospital cybersecurity requirements could be a sign of what's to come for the healthcare sector as a whole. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                25 Oct 2024
                
                                    
                                HHS, NIST conference: OCR identifies top priority areas
Updating the HIPAA Security Rule is one of OCR's current top priorities, OCR Director Melanie Fontes Rainer said during an HHS/NIST conference on safeguarding health information. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                23 Oct 2024
                
                                    
                                HHS, NIST conference: Collaboration is key in healthcare cyber
HHS Deputy Secretary Andrea Palm emphasized the role of collaboration in tackling healthcare cybersecurity challenges at a conference held in Washington. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                23 Oct 2024
                
                                    
                                OCR issues 50th HIPAA right of access enforcement action
OCR resolved a HIPAA right of access case involving Gums Dental Care following a complaint that the practice had failed to provide a patient with timely access to their records. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                08 Oct 2024
                
                                    
                                HHS settles 2 investigations under HIPAA Security Rule
HHS imposed civil monetary penalties against two healthcare organizations following ransomware investigations and potential HIPAA Security Rule violations. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Definition
                07 Oct 2024
                
                            
                            What is PHI (protected or personal health information)?
Protected health information (PHI), also referred to as 'personal health information,' is the demographic information, medical histories, test and laboratory results, physical and mental health conditions, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care. Continue Reading
By- Cameron Hashemi-Pour, Former Site Editor
 - Ben Lutkevich, Site Editor
 - Scott Wallask
 
 - 
                News
                26 Sep 2024
                
                                    
                                Proposed bill calls for minimum healthcare cyber standards
The Health Infrastructure Security and Accountability Act would require HHS to establish minimum healthcare cyber standards and remove the cap on fines under HIPAA. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                16 Sep 2024
                
                                    
                                Top considerations for HIPAA-compliant cloud computing
HIPAA-compliant cloud computing is essential to reducing security, privacy and legal risks within a healthcare organization. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                12 Sep 2024
                
                                    
                                Texas sues HHS over HIPAA rule on reproductive health data
The Texas attorney general alleged that an HHS rule that protects reproductive health data unlawfully prevents states from using their investigative authority. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                29 Aug 2024
                
                                    
                                Lawmakers introduce Healthcare Cybersecurity Act in House
Representatives introduced the Healthcare Cybersecurity Act in the House following companion legislation in the Senate. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                15 Aug 2024
                
                                    
                                Enzo Biochem pays $4.5M for health data security failures
State attorneys general from New York, Connecticut and New Jersey issued a $4.5 million penalty to Enzo Biochem, Inc. following a 2023 ransomware attack that resulted in health data security failures. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                12 Jul 2024
                
                                    
                                Industry groups express concern over proposed CIRCIA reporting requirements
Industry groups such as the AHA and MGMA suggested that CISA’s proposed CIRCIA reporting requirements are redundant and burdensome for healthcare entities. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                02 Jul 2024
                
                                    
                                OCR reaches third-ever ransomware settlement
Heritage Valley Health System will pay $950,000 and implement a corrective action plan as part of OCR’s third settlement involving ransomware. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                24 Jun 2024
                
                                    
                                Court deems OCR’s third-party web tech bulletin unlawful
A Texas court ruled that OCR’s third-party web technology bulletin “was promulgated in clear excess of HHS’s authority under HIPAA.” Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                17 Jun 2024
                
                                    
                                What is the Health Breach Notification Rule, Who Does It Apply To?
The Federal Trade Commission’s Health Breach Notification Rule applies to vendors of personal health records, including health apps and other non-HIPAA-covered entities. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                22 May 2024
                
                                    
                                Industry groups seek clarity from HHS on Change Healthcare breach reporting
More than 100 industry groups asked OCR to clarify breach reporting obligations and publicly state that its investigation will focus on Change Healthcare, not the affected providers. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                02 May 2024
                
                                    
                                How updated third-party tech guidance affects compliance efforts
In its updated bulletin on third-party tracking tech, OCR doubled down on its stance that an IP address of a device accessing certain parts of a covered entity’s website constitutes PHI. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                30 Apr 2024
                
                                    
                                FTC finalizes updates to Health Breach Notification Rule
The FTC underscored the Health Breach Notification Rule's applicability to health apps and emerging technologies outside the scope of HIPAA. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                29 Apr 2024
                
                                    
                                Physician groups seek clarity on Change Healthcare breach notification requirements
In a letter to OCR, the MGMA expressed concerns about Change Healthcare breach notification obligations for the many physician practices impacted by the incident. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                24 Apr 2024
                
                                    
                                Third-party tracking tech lawsuits surge in healthcare
From class action lawsuits to regulatory pushback, third-party tracking tech remains a focus area in the healthcare privacy landscape. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                17 Apr 2024
                
                                    
                                Cerebral faces $7M FTC penalty over alleged health data security failures
The FTC’s proposed order prohibits Cerebral from disclosing consumer health data to third parties for advertising purposes and requires it to implement a comprehensive data security program. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                16 Apr 2024
                
                                    
                                FTC bans Monument from disclosing health data to third-party advertisers
In addition to being barred from disclosing personal health data to third-party advertisers without consent, the alcohol addiction treatment service is facing a $2.5M civil penalty. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                02 Apr 2024
                
                                    
                                HHS imposes $100K penalty on NJ facility over HIPAA right of access violations
Hackensack Meridian Health agreed to pay $100,000 to resolve HIPAA right of access failures. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                01 Apr 2024
                
                                    
                                HHS reaches HIPAA right of access settlement with Phoenix Healthcare
Phoenix Healthcare agreed to pay $35,000 and revise its HIPAA policies to resolve OCR’s 47th right of access enforcement action. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                21 Mar 2024
                
                                    
                                OCR updates HIPAA guidance on online tracking technologies
The HIPAA guidance prohibits regulated entities from using online tracking tech to disclose PHI to vendors for marketing and other purposes without consent. Continue Reading
By- Jacqueline LaPointe, Executive Editor
 
 - 
                Feature
                13 Mar 2024
                
                                    
                                3 ways to prepare for impending HIPAA Security Rule updates
Covered entities and business associates should prepare for changes as HHS plans to update the HIPAA Security Rule this spring. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                05 Mar 2024
                
                                    
                                Indiana AG Sues Healthcare Organization Over Data Breach
Indiana Attorney General Todd Rokita filed a lawsuit against Apria Healthcare regarding a data breach that impacted nearly two million individuals. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                26 Feb 2024
                
                                    
                                HHS Delivers Reports to Congress on HIPAA Compliance, Enforcement
OCR stressed the need for additional funding to support its HIPAA compliance and enforcement efforts across the healthcare sector. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                23 Feb 2024
                
                                    
                                HHS Settles Ransomware Investigation With Behavioral Health Provider
This marks the second-ever ransomware settlement that OCR has reached with a covered entity over potential HIPAA violations following a ransomware attack. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                20 Feb 2024
                
                                    
                                HHS, NIST Finalize Joint HIPAA Security Rule Guidance
The revised publication, issued by NIST and OCR, aims to help covered entities and business associates comply with the HIPAA Security Rule and manage risks to PHI. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                08 Feb 2024
                
                                    
                                HHS Finalizes Changes to Substance Use Confidentiality Regulations
The final rule modified the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations under 42 CFR part 2 to better align with HIPAA. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                07 Feb 2024
                
                                    
                                US Fertility Reaches $5.75M Data Breach Settlement
US Fertility resolved a class action lawsuit following a 2020 ransomware attack and data breach that impacted nearly 900,000 individuals. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                06 Feb 2024
                
                                    
                                OCR Reaches $4.75M Settlement With NY Health System
OCR reached a settlement with Montefiore Medical Center over potential HIPAA Security Rule violations that occurred over a decade ago. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                03 Jan 2024
                
                                    
                                NY AG Fines NewYork-Presbyterian Hospital Over Tracking Tech Use
NewYork-Presbyterian Hospital’s tracking tech use resulted in patient information being shared with third-party tech companies, the New York Attorney General’s Office found. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                19 Dec 2023
                
                                    
                                OCR Settles Multiple HIPAA Right of Access Complaints With Optum Medical Care
Optum Medical Care agreed to pay $160,000 to resolve OCR’s investigation, marking the 46th enforcement action under its HIPAA Right of Access Initiative. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                13 Dec 2023
                
                                    
                                NY AG Reaches $400K Settlement With Healthplex Over Data Breach
Healthplex suffered a phishing attack that resulted in a data breach in 2021, impacting tens of thousands of New Yorkers. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                08 Dec 2023
                
                                    
                                HHS Settles First Phishing Attack Investigation With Louisiana Medical Group
Lafourche Medical Group agreed to pay $480K to HHS and implement a corrective action plan following a phishing attack that impacted nearly 35,000 individuals. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                21 Nov 2023
                
                                    
                                HHS Settles HIPAA Investigation With St. Joseph’s Over PHI Disclosure to Media
HHS launched a HIPAA investigation into St. Joseph’s Medical Center and determined that the organization had disclosed three patients’ protected health information to the Associated Press. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                20 Nov 2023
                
                                    
                                Understanding the Nuances of the Healthcare Cybersecurity Regulatory Landscape
A patchwork of key healthcare cybersecurity and privacy regulations aims to keep cyber threats at bay, but compliance can be challenging. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                06 Nov 2023
                
                                    
                                AHA Sues Federal Government Over OCR Tracking Technology Guidance
The AHA’s lawsuit suggests that OCR’s tracking technology bulletin disturbs the balance between privacy and information sharing under HIPAA. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                01 Nov 2023
                
                                    
                                HHS Reaches Settlement With Healthcare Business Associate Following Ransomware Attack
Doctors’ Management Services will pay $100,000 to resolve an investigation stemming from a ransomware attack that impacted more than 206,000 individuals. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                31 Oct 2023
                
                                    
                                OCR Releases Educational Video on HIPAA Security Rule
OCR produced a video on how the HIPAA Security Rule can help covered entities defend against cyberattacks. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                19 Oct 2023
                
                                    
                                Inmediata Health Resolves Multi-State Data Breach Investigation With $1.4M Settlement
More than 30 state attorneys general joined forces to investigate potential HIPAA violations connected to a data breach that spanned nearly three years and impacted 1.5 million individuals. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Feature
                11 Oct 2023
                
                                    
                                Communicating With a Patient’s Family Under the HIPAA Privacy Rule
Providers must ensure that they are following the HIPAA Privacy Rule when choosing to disclose a patient’s protected health information to the patient’s family and friends. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                04 Oct 2023
                
                                    
                                AHA: OCR Tracking Technology Rule Violates HIPAA Regulations
AHA said the rule violates HIPAA regulations and is bad public policy, as many hospitals use third-party technologies in their information-sharing efforts. Continue Reading
By- Victoria Bailey, Xtelligent
 
 - 
                Answer
                28 Sep 2023
                
                                    
                                How Digital Health Companies Navigate the Patchwork of State Data Privacy Laws
As new state-level data privacy laws go into effect, digital health companies will have to navigate unforeseen compliance complexities. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                Answer
                21 Sep 2023
                
                                    
                                Navigating the SEC Cyber Incident Disclosure Rule, How It Impacts Healthcare
The Securities and Exchange Commission’s (SEC) cyber incident disclosure rule requires publicly traded companies to disclose material cyber incidents within four business days. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                15 Sep 2023
                
                                    
                                ONC, OCR Release Security Risk Assessment Tool Version 3.4
The latest version of the Security Risk Assessment (SRA) Tool contains updated references to HICP and a remediation report to help users track responses within the tool. Continue Reading
By- Jill McKeon, Associate Editor
 
 - 
                News
                12 Sep 2023
                
                                    
                                Senator Seeks Stakeholder Feedback on Improving Health Data Privacy
US Senator Bill Cassidy, ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, is seeking feedback on how to modernize HIPAA and safeguard health data privacy. Continue Reading
By- Jill McKeon, Associate Editor