42 U.S.C. §§ 1320d-1320d-9; 45 CFR Parts 160, 162, 164

Health Insurance Portability and Accountability Act

Statute — United States Federal

Effective: August 21, 1996 16 platforms tracked 170 provisions indexed Enforced by: U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), State Attorneys General Last reviewed Apr 22, 2026

Overview

The Health Insurance Portability and Accountability Act establishes national standards for the protection of individually identifiable health information. The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by covered entities, while the Security Rule sets standards for safeguarding electronic PHI.

For platform governance, HIPAA is relevant when technology platforms process, store, or transmit health data on behalf of covered entities. Platforms that serve as business associates — handling PHI under contract with healthcare providers or health plans — must comply with HIPAA requirements including breach notification, minimum necessary standards, and administrative safeguards.

The Breach Notification Rule requires covered entities to notify affected individuals within 60 days of discovering a breach of unsecured PHI. Breaches affecting 500+ individuals must be reported to HHS and local media. The HHS Office for Civil Rights maintains a public "Wall of Shame" listing all breaches affecting 500+ individuals. Enforcement has intensified significantly, with penalties reaching tens of millions of dollars for systemic violations.

Penalties

Four-tier penalty structure: Tier 1 (no knowledge): $100-$50,000 per violation. Tier 2 (reasonable cause): $1,000-$50,000. Tier 3 (willful neglect, corrected): $10,000-$50,000. Tier 4 (willful neglect, not corrected): $50,000 per violation. Annual cap of $1.5 million per identical violation category. Criminal penalties up to $250,000 and 10 years imprisonment.

Key Articles & Sections

45 CFR 164.502 Uses and Disclosures of PHI

General rules for when covered entities may use or disclose PHI — treatment, payment, health care operations, with patient authorization, or under specific exceptions.
Read full text →
45 CFR 164.504 Business Associate Contracts

Covered entities must have written contracts with business associates specifying permitted uses of PHI and requiring safeguards.
Read full text →
45 CFR 164.508 Authorization Requirements

Uses and disclosures beyond treatment/payment/operations require valid written authorization from the individual.
Read full text →
45 CFR 164.512 Permitted Disclosures Without Authorization

Twelve categories of permitted disclosures without authorization including public health, law enforcement, judicial proceedings, and research.
Read full text →
45 CFR 164.308 Administrative Safeguards (Security Rule)

Required administrative safeguards including risk analysis, workforce training, access management, and incident response procedures.
Read full text →
45 CFR 164.404 Breach Notification to Individuals

Covered entities must notify affected individuals within 60 days of discovering a breach of unsecured PHI.
Read full text →

Platforms We Track Subject to HIPAA

23andMe

11 relevant provisions

Amazon

34 relevant provisions

Ancestry

0 relevant provisions

Apple

34 relevant provisions

Calm

11 relevant provisions

Fitbit

10 relevant provisions

Garmin

0 relevant provisions

GoodRx

0 relevant provisions

Google

26 relevant provisions

Headspace

11 relevant provisions

MyFitnessPal

0 relevant provisions

Noom

9 relevant provisions

Oscar Health

0 relevant provisions

Peloton

12 relevant provisions

Strava

11 relevant provisions

Teladoc

1 relevant provision

Recent Changes Related to HIPAA

Apr 19, 2026 23andMe Medium

On April 19, 2026, 23andMe updated their Privacy Statement to clarify that it applies to '23andMe Research Institute' rather than just '23andMe,' and added a notice that users who choose Telehealth S…
View change record →
Apr 19, 2026 23andMe High

On April 19, 2026, 23andMe updated its Terms of Service to narrow its geographic scope so that this version now applies only to US users, whereas before it applied to users outside the US, Canada, EE…
View change record →
Apr 19, 2026 Amazon Low

Amazon updated the navigation menus, footer links, and sidebar content on their Conditions of Use page on April 19, 2026. The changes include an expanded product department list, updated 'Make Money …
View change record →
Apr 19, 2026 Google Medium

Google updated its Privacy Policy on April 19, 2026, adding a new section specifically addressing U.S. state privacy law requirements. The new text explicitly states that Google does not sell your pe…
View change record →
Apr 19, 2026 Google High

Google updated its Terms of Service on April 19, 2026, making several notable changes to how it describes its obligations to users. The country version shifted from Cambodia to United States, the war…
View change record →
Apr 18, 2026 Google Medium

Google updated its privacy policy on April 18, 2026, with changes that affect how it describes data collection and sharing, particularly around Google Analytics and ad services. Key shifts include re…
View change record →
Apr 18, 2026 Google Low

Google updated its Terms of Service on April 18, 2026 to change the specified country version from Thailand to Cambodia. This means the terms now apply to users in Cambodia rather than Thailand for t…
View change record →
Apr 11, 2026 Headspace Low

Headspace made a minor update to their privacy policy on April 11, 2026, removing two navigation links labeled 'Site Sitemap' and 'Blog Sitemap' from the footer section of the document. The content o…
View change record →
Apr 11, 2026 Headspace Low

Headspace made a small update to the footer navigation of their Terms and Conditions page on April 11, 2026. The only visible change was the removal of two sitemap links ('Site Sitemap' and 'Blog Sit…
View change record →
Apr 7, 2026 Headspace Low

Headspace reformatted their list of prohibited uses and user content warranties by adding alphabetical labels (a, b, c, etc.) to each item. The actual rules themselves did not change — the same restr…
View change record →

Official Source

View official regulation text →

Get alerted when platforms change their policies — including HIPAA-relevant provisions.

Subscribe to Watcher — $9.99/mo