The 1996 federal statute governing the privacy, security, and breach notification of protected health information held by covered entities and their business associates in the United States.
HIPAA.
The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, was originally enacted to ensure portability of health insurance between employers and to combat health-care fraud. The Administrative Simplification provisions, Title II Subtitle F, established federal standards for electronic transactions, code sets, identifiers, privacy, and security. The implementing regulations sit at 45 CFR Parts 160, 162, and 164. The HHS Office for Civil Rights (OCR) is the primary enforcement authority for the Privacy, Security, and Breach Notification Rules.
Three core rules govern PHI handling. The Privacy Rule (45 CFR Part 164 Subpart E) sets standards for permitted and required uses and disclosures of PHI, the minimum necessary standard, individual rights (access, amendment, accounting of disclosures, restriction), and the notice of privacy practices. The Security Rule (Subpart C) sets administrative, physical, and technical safeguards for electronic PHI, including access controls, audit controls, integrity controls, transmission security, and required and addressable implementation specifications. The Breach Notification Rule (Subpart D) requires covered entities to notify affected individuals, HHS, and, in larger breaches, the media within 60 days of discovery of a breach of unsecured PHI.
The HITECH Act of 2009, part of the American Recovery and Reinvestment Act, extended direct HIPAA Privacy and Security Rule liability to business associates, introduced mandatory breach notification, and strengthened civil monetary penalty tiers. Penalties scale from 137 dollars to 2.13 million dollars per category annually under the 2024 inflation adjustment at 45 CFR 102.3. The 2024 Reproductive Health Privacy final rule added attestation requirements for certain disclosures of PHI related to reproductive health care. The 2025 HHS proposed Security Rule update would substantially modernize the technical safeguard requirements; the rule is in proposed status pending final adoption.
For a foreign health-tech, telemedicine, medical-device, AI-in-healthcare, clinical-research-services, or healthcare-IT firm entering the United States with a product that handles US-patient data, HIPAA reaches the firm either as a covered entity (rare for foreign firms) or, more commonly, as a business associate of a US covered entity. A business associate is any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity for a function or activity regulated by HIPAA. Common business-associate categories include cloud hosting, software-as-a-service, claims processing, billing, transcription, and analytics. A foreign vendor that handles US PHI must operate under a Business Associate Agreement (BAA) with the covered entity and comply with the Privacy, Security, and Breach Notification Rules at the business-associate level.
Hosting infrastructure matters. Many US covered entities require business associates to host PHI in the United States, sometimes specifying FedRAMP-authorized infrastructure or specific availability zones. The HIPAA rules themselves do not require US hosting, but contractual flow-down often does. Foreign-headquartered SaaS firms typically operate a US-only PHI partition.
HIPAA sits on the health-tech, medical-device, and healthcare-AI trajectories in the Operators entering the US book, on the Answers hub for cross-border health-data flows, and on the related GDPR entry for firms that handle both EU and US health data. The presentation work covers how the firm names its business-associate posture, its BAA framework, its Security Rule program, and its breach-history record on US-facing surfaces. Compliance program design and OCR investigation defense belong with US privacy counsel.
Global Marketing Agency does not provide HIPAA compliance program design, Business Associate Agreement drafting, OCR investigation defense, or breach-notification legal work. Those activities belong to US privacy counsel and the firm's compliance function. GMA works on how the firm's HIPAA posture is presented, sequenced, and read on US-facing surfaces.