Definition
HIPAA is enforced by the US Department of Health and Human Services Office for Civil Rights (OCR). Penalties for violations range from US$100 to US$50,000 per violation up to a US$1.5 million annual cap per identical-violation type, with criminal penalties for wilful neglect.
The Security Rule (45 CFR Part 164 Subpart C) is the technical and operational core that affects MSPs most directly. It requires covered entities and business associates to perform a Risk Analysis, implement administrative, physical, and technical safeguards, and document their policies and procedures.
Business Associates are organisations (or individuals) acting on behalf of a covered entity that handle PHI. MSPs serving healthcare clients are typically Business Associates and must sign a Business Associate Agreement (BAA) with each covered entity client.
Core components
- Security Rule. Administrative, physical, and technical safeguards plus policies, procedures, and documentation requirements (45 CFR §§164.308–164.316).
- Privacy Rule. Rules governing the use and disclosure of PHI, patient access rights, and minimum-necessary requirements (45 CFR Part 164 Subpart E).
- Breach Notification Rule. 60-day notification timeline for breaches affecting 500+ individuals; additional rules for smaller breaches.
- Covered Entity. Healthcare providers transmitting health information electronically, health plans, and healthcare clearinghouses.
- Business Associate. Organisations or individuals acting on a covered entity's behalf that handle PHI. Includes most MSPs serving healthcare clients.
- Business Associate Agreement (BAA). The contract between a covered entity and a business associate that establishes the business associate's HIPAA obligations.
- Risk Analysis (§164.308(a)(1)(ii)(A)). An accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. The analysis must be documented.
- Risk Management (§164.308(a)(1)(ii)(B)). Implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Why it matters
For US healthcare organisations, HIPAA compliance is non-optional. OCR audits and breach-driven enforcement actions have produced multi-million-dollar settlements. State Attorneys General can also enforce HIPAA under the HITECH Act amendments.
For MSPs serving US healthcare, HIPAA exposure flows through the Business Associate Agreement. Inadequate technical safeguards on the MSP side become the covered-entity client's problem and the MSP's liability.
For Canadian healthcare organisations, HIPAA itself does not apply — Canadian privacy law (PIPEDA, plus provincial regimes including BC HIA, Alberta HIA, Quebec Law 25, BC PIPA, and Alberta PIPA) governs. Canadian MSPs serving cross-border healthcare or US-based healthcare clients work with both regimes.
How Lavawall® helps with HIPAA (Health Insurance Portability and Accountability Act)
Lavawall® treats the HIPAA Security Rule as a first-class framework with direct mapping to 45 CFR §§164.308 (administrative), 164.310 (physical), 164.312 (technical), 164.314 (organizational), and 164.316 (policies and procedures) safeguards.
Continuous endpoint and cloud evidence: encryption posture, audit logging, access control, password policies, MFA enforcement, automatic logoff, integrity controls, transmission security, workstation security, and removable-media handling are collected from actual Windows / macOS / Linux endpoints and M365 / Google Workspace tenants.
Multi-tenant by design lets an MSP serving 30 dental practices and 5 primary-care clinics manage all of them from one console with per-client isolation. Risk Analysis and Risk Management workflow templates support the documentation requirement. ThreeShield, the audit firm that built Lavawall®, has direct healthcare-compliance experience.
Frequently asked
- Is HIPAA the same as HITECH?
- HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009) amended HIPAA to strengthen breach-notification requirements and extend HIPAA enforcement to business associates directly.
- Does HIPAA apply outside the US?
- HIPAA itself is US law. However, Canadian or other foreign organisations handling US patient PHI under contract with a US covered entity are typically business associates and subject to HIPAA via the BAA.
- Is encryption required by HIPAA?
- Encryption is an addressable specification under §164.312. "Addressable" does not mean optional: it means the covered entity must either implement it, or document the reason for not implementing it and adopt an equivalent alternative measure.
- What is a covered entity vs business associate?
- A covered entity is a healthcare provider, health plan, or healthcare clearinghouse. A business associate is an organisation acting on behalf of a covered entity that handles PHI. MSPs serving healthcare are usually business associates.