HIPAA (Health Insurance Portability and Accountability Act)
What it is
US federal law enacted 1996. Governs how protected health information (PHI) is stored, transmitted, and accessed. Two relevant rules:
- Privacy Rule: controls use and disclosure of PHI. Patients have rights to access, amend, and request accounting of disclosures. Minimum necessary standard — only the minimum PHI needed for the task may be used.
- Security Rule: administrative, physical, and technical safeguards for electronic PHI (ePHI). Requires access controls, audit controls, integrity controls, person/entity authentication, and transmission security.
Who must comply
Covered entities (health plans, healthcare clearinghouses, healthcare providers who transmit any ePHI) and business associates (any vendor handling PHI on behalf of a covered entity). Business Associate Agreements (BAAs) are mandatory.
Penalties
Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per violation category. Criminal penalties for knowing misuse (up to 10 years imprisonment). State AGs can also bring civil actions.
Why it matters for the triad
HIPAA is the largest single compliance market in US healthcare — every hospital, clinic, insurer, and health-tech vendor must comply. The HIPAA gate package ($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate constraints. Every PHI access attempt passes through the gate stack, producing a machine-checkable audit trail that satisfies the Security Rule's audit control requirement automatically. No separate logging infrastructure needed. Over a five-year deployment, the accumulated fact store and proof history create infrastructure lock-in — switching to a competitor means discarding all of it.