HIPAA — Health Insurance Portability and Accountability Act
Protecting health information in the digital age
HIPAA sets the standard for protecting sensitive patient health information in the United States. Australian and New Zealand healthtech companies and service providers handling US patient data must comply.
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that establishes national standards for protecting sensitive patient health information, known as Protected Health Information (PHI). The HIPAA Security Rule focuses specifically on electronic PHI (ePHI), requiring covered entities and business associates to implement administrative, physical, and technical safeguards.
While HIPAA is US legislation, it applies to any organisation that handles PHI of US patients — including Australian and New Zealand healthtech companies, software vendors, and cloud providers who serve US healthcare customers. Business Associate Agreements (BAAs) are contractually required between covered entities and their service providers, making HIPAA compliance a commercial necessity for healthtech operating in or selling to the US market.
Who Needs It
Who Needs HIPAA?
Australian and NZ healthtech and digital health companies serving US healthcare markets
Software vendors and SaaS platforms used by US hospitals, clinics, or health insurers
Cloud providers hosting US patient data or healthcare applications
Business associates — any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity
Telehealth platforms with US patient populations
Health data analytics and AI companies processing US patient records
Key Requirements
What It Covers
Administrative Safeguards
Policies and procedures to manage selection, development, and implementation of security measures, including a security officer, workforce training, and access management.
Physical Safeguards
Controls over physical access to information systems containing ePHI, including facility access controls, workstation use policies, and device disposal.
Technical Safeguards
Technology and policies protecting ePHI, including access controls, audit controls, integrity controls, and transmission security (encryption).
Risk Analysis & Management
Conduct and document a thorough risk analysis of potential threats to ePHI confidentiality, integrity, and availability, with an ongoing risk management programme.
Breach Notification Rule
Policies and procedures for identifying, investigating, and notifying affected individuals, the US Department of Health and Human Services (HHS), and, where applicable, the media of PHI breaches within the required timeframes.
Business Associate Agreements (BAAs)
Written contracts with all business associates ensuring they appropriately safeguard PHI and comply with applicable HIPAA requirements.
Business Value
Benefits of HIPAA
Access the US healthcare market — HIPAA compliance is a commercial prerequisite for selling to US health systems
Mitigate the risk of significant fines from the HHS Office for Civil Rights (OCR), which can reach $1.9 million per violation category per year
Build trust with healthcare customers who handle sensitive patient data
Reduce breach risk and associated reputational damage in a high-profile sector
Establish security controls that also satisfy Australian Privacy Act and NZ Privacy Act requirements
Our Process
How We Help You Achieve It
PHI Data Mapping
We identify all locations where ePHI is created, received, stored, or transmitted across your systems and workflows.
Risk Analysis
We conduct a comprehensive risk analysis as required by the HIPAA Security Rule, assessing threats to ePHI.
Gap Remediation
We implement required administrative, physical, and technical safeguards to close identified gaps.
Policy Development
We develop HIPAA-required policies, procedures, and workforce training programmes.
BAA Review
We review and advise on Business Associate Agreements to ensure contractual HIPAA obligations are met.
Ongoing Compliance
We establish monitoring and review processes to maintain compliance as your systems and regulations evolve.
Ready to Start Your HIPAA Journey?
Begin with a free cybersecurity gap assessment to understand where you stand, then let our experts guide you to certification.