:PROPERTIES: :ID: auto-hipaa :CREATED: [2026-05-23 Sat] :END: #+title: HIPAA (Health Insurance Portability and Accountability Act) #+filetags: :passepartout:compliance:framework:hipaa: * HIPAA (Health Insurance Portability and Accountability Act) ** What it is US federal law enacted 1996. Governs how protected health information (PHI) is stored, transmitted, and accessed. Two relevant rules: - **Privacy Rule:** controls use and disclosure of PHI. Patients have rights to access, amend, and request accounting of disclosures. Minimum necessary standard — only the minimum PHI needed for the task may be used. - **Security Rule:** administrative, physical, and technical safeguards for electronic PHI (ePHI). Requires access controls, audit controls, integrity controls, person/entity authentication, and transmission security. ** Who must comply Covered entities (health plans, healthcare clearinghouses, healthcare providers who transmit any ePHI) and business associates (any vendor handling PHI on behalf of a covered entity). Business Associate Agreements (BAAs) are mandatory. ** Penalties Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per violation category. Criminal penalties for knowing misuse (up to 10 years imprisonment). State AGs can also bring civil actions. ** Why it matters for the triad HIPAA is the largest single compliance market in US healthcare — every hospital, clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]] ($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate constraints. Every PHI access attempt passes through the gate stack, producing a machine-checkable audit trail that satisfies the Security Rule's audit control requirement automatically. No separate logging infrastructure needed. Over a five-year deployment, the accumulated fact store and proof history create [[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.