Regulatory
HIPAA
Health Insurance Portability and Accountability Act. Federal law requiring healthcare providers to protect patient health information (PHI) through administrative, physical, and technical safeguards.
What This Means for Your Facility
HIPAA's compliance requirements are organized into three main rules. The Privacy Rule (45 CFR Part 164, Subpart E) governs the use and disclosure of PHI, establishes patient rights (access, amendment, accounting of disclosures), and requires a Notice of Privacy Practices. The Security Rule (45 CFR Part 164, Subpart C) mandates administrative, physical, and technical safeguards specifically for electronic PHI (ePHI). The Breach Notification Rule (45 CFR Part 164, Subpart D) requires notification to individuals, HHS, and potentially the media following a breach of unsecured PHI.
Enforcement has intensified significantly since the HITECH Act of 2009. The HHS Office for Civil Rights (OCR) conducts investigations based on complaints and data breaches, and since 2016 has also conducted random compliance audits. Penalty tiers range from $137 to $68,928 per violation, with calendar-year caps of $2,067,813 per violation category. State attorneys general, including California's, can bring additional actions under HITECH. In California, the CMIA provides even stronger protections that layer on top of HIPAA.
BayArea Compliance's HIPAA|360 program addresses all three HIPAA rules plus California's CMIA requirements. We conduct the Security Rule's required risk assessment, develop and maintain your privacy and security policies, deliver annual workforce training, manage business associate agreements, and maintain your breach response procedures. The program is designed for California healthcare providers who must navigate both federal and state privacy requirements simultaneously.
Related BAC Services
HIPAA Compliance (HIPAA|360)
Privacy and security training, gap analysis, federal and state policy compliance including California CMIA. Part of the COMPLIANCE|360 bundle.
Compliance Training
Annual OSHA, HIPAA, bloodborne pathogen, and DOT hazmat training with certification tracking through your NETZERO|360 dashboard. CPR/First Aid classes also available.
Related Terms
Aerosol Transmissible Diseases (ATD)
Diseases that can be transmitted through airborne particles. Cal/OSHA's ATD standard (Title 8, Section 5199) requires healthcare facilities to implement exposure control plans, employee training, and respiratory protection programs.
Bloodborne Pathogens
Infectious microorganisms present in human blood that can cause disease. Includes hepatitis B (HBV), hepatitis C (HCV), and human immunodeficiency virus (HIV). OSHA requires annual BBP training.
Breach Notification
The process of notifying affected individuals, HHS, and potentially the media when unsecured protected health information (PHI) is accessed, used, or disclosed in a way not permitted by HIPAA. California's CMIA requires notification within 15 business days.
Cal/OSHA
California's Division of Occupational Safety and Health. Enforces workplace safety standards that are often stricter than federal OSHA, including the Aerosol Transmissible Diseases standard and specific requirements for healthcare, laboratory, and agricultural workplaces.
CMIA (California Confidentiality of Medical Information Act)
California state law (Civil Code §56–56.37) that provides stronger patient privacy protections than federal HIPAA. Includes a private right of action for patients, broader definitions of medical information, and shorter breach notification timelines.
Covered Entity
Under HIPAA, any health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. All covered entities must comply with HIPAA Privacy, Security, and Breach Notification Rules.
Ready to Simplify Your Compliance?
One vendor for waste disposal, training, and regulatory compliance across the Bay Area, led by the 2025 NRC Recycler of the Year. Get a free assessment today.