HIPAA | HITECH Data Security Compliance

How Thales helps organizations comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act

The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996 to protect the privacy and security of individuals’ health information. It establishes national standards for how healthcare data can be used, stored, and shared by organizations that handle medical information. HIPAA was originally designed to improve the portability of health insurance when people change jobs, but it has become most widely known for its role in safeguarding sensitive health data and setting requirements for the protection of electronic healthcare information.

HIPAA Rules and Regulations lay out three types of security safeguards required for compliance:

  • Administrative Safeguards primarily concern the requirement to conduct ongoing risk assessments to identify potential vulnerabilities and risks to the integrity of PHI.
  • Physical Safeguards concentrate on the measures that should be implemented to prevent unauthorized access to PHI and to protect data from fire and other environmental hazards.
  • Technical Safeguards relate to the controls that must be put in place to ensure data security when PHI is being communicated, stored, or accessed on an electronic network.

Americas | Regulation | Active Now

Enacted as a part of the American Recovery and Reinvestment Act (ARRA) of 2009, the HITECH Act expands the HIPAA encryption compliance requirement set, requiring the disclosure of data breaches of “unprotected” (unencrypted) personal health records, including those by business associates, vendors, and related entities.

The HIPAA Rules apply to covered entities and business associates:

  • Covered Entities encompass all health care providers creating, receiving, maintaining, transmitting, or accessing protected health information (PHI), including health plans, health insurance organizations, hospitals, clinics, pharmacies, physicians, and dentists, among others.
  • Business Associates encompass third-party service providers that may create, receive, maintain, transmit, or access ePHI on behalf of covered entities. Examples include IT contractors or cloud storage vendors.

HIPAA was enacted by the U.S. Congress in 1996. The law has been updated several times since, such as in 2009 with the passing of the Health Information Technology for Economic and Clinical Health Act (HITECH), which added a new penalty structure for violations and made Business Associates directly liable for data breaches attributable to non-compliance with the Security Rule.

The penalties for non-compliance with HIPAA vary based on the perceived level of negligence and can range from $100 to $50,000 per individual violation, with a maximum penalty of $1.9 million per calendar year. Violations can also result in jail time of one to ten years for the individuals responsible.

HHS proposed a major modernization of the HIPAA Security Rule through a Notice of Proposed Rulemaking (NPRM) released in late 2024 and published in the Federal Register in January 2025. The final rule is expected around May 2026. The goal of the update is to strengthen cybersecurity protections for electronic protected health information (ePHI) in response to the sharp rise in ransomware attacks and large healthcare data breaches.

One of the most significant proposed changes is the removal of the distinction between “required” and “addressable” security controls in the old Security Rule. Under the pre-existing framework, some safeguards are mandatory while others are “addressable,” meaning organizations can determine how or whether to implement them based on risk. The proposed rule would largely eliminate this flexibility and make nearly all implementation specifications mandatory. The proposed rule also introduces much more prescriptive cybersecurity requirements, including:

  • Mandatory encryption of ePHI at rest and in motion.
  • Mandatory Multi-Factor Authentication (MFA) and stronger access controls for access to ePHI systems.
  • Mandatory risk assessment, data inventory, and mapping of the movement of ePHI.
  • Mandatory anti-malware protections, vulnerability management, and continuous monitoring.
  • Mandatory oversight of third parties and business associates.
  • Mandatory incident response, resilience, and recovery requirements.

White Paper: HIPAA Compliance & 2026 Security Rule Updates

Learn how to comply with HIPAA and the 2026 Security Rule updates with Thales solutions for encryption, access control, and ePHI protection.

How Thales Helps with HIPAA Compliance

Thales’ solutions can help organizations comply with HIPAA by simplifying compliance and automating security, reducing the burden on security and compliance teams. We help organizations comply with HIPAA by addressing essential requirements for safeguarding protected health information (PHI) under four different sections of the law (§ 164.306, § 164.308, § 164.312, and § 164.514, detailed below).

We provide comprehensive solutions in three key areas of cybersecurity: Application Security, Data Security, and Identity & Access Management.

HIPAA Compliance Solutions

Application Security

Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market-leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious bot attacks, security for APIs, a secure Content Delivery Network (CDN), and Runtime Application Self-Protection (RASP).

Data Security

Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption, tokenization, and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment, identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.

Identity & Access Management

Provide seamless, secure, and trusted access to applications and digital services for customers, employees, and partners. Our solutions limit the access of internal and external users based on their roles and context, with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.

HIPAA § 164.306 Security standards: General rules

How Thales helps:

  • Identify, classify, protect, and monitor sensitive data across hybrid IT, ensuring that data is always secure and in compliance.

HIPAA § 164.308 Administrative Safeguards

How Thales helps:

  • Identify the flow of sensitive data across multiple systems.
  • Identify structured and unstructured sensitive data at risk across hybrid IT.
  • Determine risk scores for data assets to assess potential risks.
  • Discover and classify potential risk for all public, private, and shadow APIs, and conduct API risk assessment.

How Thales helps:

  • Inspect all traffic, and detect and prevent web-based attacks with WAF.
  • Prevent DDoS attacks with scalable DDoS attack traffic absorption provided by edge servers.

Solutions (Application Security):

  • Web Application Firewall
  • DDoS Protection

How Thales helps:

  • Reduce third-party risk by maintaining on-premises control over the encryption keys protecting data hosted in the cloud.
  • Enforce separation of roles between cloud provider admins and your organization, and restrict access to sensitive data.
  • Monitor and alert on anomalies to detect and prevent unwanted activities from disrupting supply chain activities.
  • Enable relationship management with suppliers, partners, or any third-party user, with clear delegation of access rights.
  • Minimize privileges by using relationship-based fine-grained authorization.
  • Enable MFA for third-party users to thwart phishing attacks.

HIPAA § 164.312 Technical Safeguards

How Thales helps:

  • Limit the access of internal and external users to systems and data based on roles and context with policies.
  • Centralize access control over multiple hybrid environments in a single pane of glass.
  • Prevent password fatigue with Smart Single Sign-On with conditional access.
  • Apply contextual security measures, terminating sessions or preventing logon based on risk scoring.
  • Enforce granular user access policies for sensitive data and secrets.
  • Enable complete separation of roles so that only authorized users and processes can view unencrypted data.
  • Monitor access and assess risk to sensitive resources, data, and files.

How Thales helps:

  • Protect data at rest, data in use, and secrets across hybrid IT.
  • Protect data in motion with high-speed encryption.
  • Pseudonymize and mask sensitive information for production or test environments.
  • Protect cryptographic keys in a FIPS 140-2 Level 4 environment.
  • Streamline key management in cloud and on-premises environments.
  • Manage and protect all secrets and sensitive credentials.
  • Maintain crypto-agility with products designed for post-quantum upgrade.
  • Secure execution with Confidential Computing.

How Thales helps:

  • Use signature, behavioral, and reputational analysis to block malware injection attacks.
  • Detect and prevent cyber threats with a web application firewall.
  • Monitor I/O and block suspicious activity before ransomware can take hold.
  • Prevent malicious software and users from accessing sensitive data.

How Thales helps:

  • Enable MFA with the broadest range of hardware and software methods.
  • Build and deploy adaptive authentication policies.
  • Protect against phishing and man-in-the-middle attacks.
  • Support Risk-Based Authentication as well as PKI and FIDO authenticators.

How Thales helps:

  • Perform vulnerability assessment and risk mitigation.

HIPAA § 164.514 Other requirements relating to uses and disclosures of protected health information

How Thales helps:

  • Pseudonymize and mask sensitive information for production or test environments while maintaining the ability to analyze aggregate data without exposing sensitive PHI.

Solutions (Data Security):

  • Tokenization
  • Data Masking
