Cybersecurity Glossary

What is HIPAA (Health Insurance Portability and Accountability Act)?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for protecting patient health information. It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates — including MSPs and technology vendors handling protected health information.

How It Works

How HIPAA works

Three-step view of how it operates in practice.

1. Classify data: Identify where PHI (Protected Health Information) exists — EHR systems, email, storage, backups, third-party tools.

2. Implement safeguards: Apply administrative, physical, and technical safeguards per the HIPAA Security Rule: access controls, encryption, audit logs, risk analysis.

3. Document & train: Policies, procedures, BAAs with vendors, annual workforce training, and incident response plans — all must be documented.

HIPAA rule components

A breakdown of the main rules.

  • Privacy Rule: Protects individually identifiable health information — who can see PHI and under what circumstances.
  • Security Rule: Requires administrative, physical, and technical safeguards for PHI held electronically: access controls, encryption, audit logs, and risk analysis.
  • Breach Notification Rule: Requires notifying affected individuals and HHS (and, for larger breaches, the media) after unauthorized use or disclosure of PHI.
  • Enforcement Rule: Governs compliance investigations and the civil penalties assessed for violations.

Why It Matters

Why HIPAA matters for SMBs


$10.93 million: average cost of a healthcare data breach in 2024, the highest of any industry. Source: IBM Cost of a Data Breach, 2024.
Pitfalls

Common HIPAA mistakes

  • No signed BAAs with vendors: Any vendor handling PHI (cloud, IT, shredding, email) needs a Business Associate Agreement. No BAA means you’re liable for their mistakes.
  • Encryption only at rest: PHI also moves through email, backups, and third-party tools, so it needs protection in transit as well as on disk.
  • No risk analysis: The Security Rule explicitly requires a risk analysis. Skipping it is the #1 OCR audit finding.
  • Unfocused training: Annual HIPAA training that’s identical for everyone misses role-specific risks. Front desk, clinicians, and IT need different training.
Common Questions

HIPAA frequently asked questions

Does HIPAA require MFA?
Not explicitly, but the Security Rule requires access controls, and OCR guidance increasingly expects MFA as a baseline. In practice, MFA is table stakes.

Does my MSP need a BAA?
Yes, if they have access to PHI. Your MSP needs a signed BAA with you, and they need BAAs with any subcontractors handling PHI.

What counts as a breach under HIPAA?
Any unauthorized use or disclosure of PHI that compromises security or privacy. The threshold is low — lost laptops, PHI emailed to the wrong recipient, ransomware.

How quickly must a breach be reported?
Affected individuals within 60 days; HHS within 60 days (for breaches of 500+ individuals, HHS and media within 60 days; smaller breaches reported annually).

Need HIPAA-aligned IT and security?

Talk to a LogicalNet identity expert. We will review your current environment, recommend the right MFA methods for each group of users, and help you deploy without disrupting the business.

No commitment · Local engineers · Response within 1 business day