Any organization that handles or stores protected health information (PHI) must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This includes not only hospitals, medical practices, and other healthcare facilities but also most companies that do business with clients in the healthcare industry, including CPAs, law firms, collection agencies, and IT service providers, such as SaaS developers and data centers. HIPAA mandates that organizations protect PHI from access by any unauthorized party, whether that party is a hacker or simply an employee who doesn’t need to access PHI to do their job.

​

HIPAA is a complex law, and compliance can be time-consuming and costly. However, the penalties for not complying are very steep, ranging from from $100 to $50,000 per violation (or per record), with a maximum annual penalty of $1.5 million per violation. These fines are assessed based on culpability. Organizations that exercise due diligence to comply with HIPAA face a much smaller maximum penalty than those who are found neglectful. Additionally, some state-level data privacy laws allow patients whose PHI was breached to file civil lawsuits seeking monetary compensation.