The Health Insurance Portability and Accountability Act establishes national standards for the protection of individually identifiable health information. The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by covered entities, while the Security Rule sets standards for safeguarding electronic PHI.
For platform governance, HIPAA is relevant when technology platforms process, store, or transmit health data on behalf of covered entities. Platforms that serve as business associates — handling PHI under contract with healthcare providers or health plans — must comply with HIPAA requirements including breach notification, minimum necessary standards, and administrative safeguards.
The Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay, and no later than 60 days after discovering a breach of unsecured PHI; a business associate that discovers a breach must notify the covered entity within the same window. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable under HHS guidance (for example, encrypted at rest and in transit with keys held separately), so properly encrypted data that is lost or exposed generally falls outside the notification requirement. Breaches affecting 500 or more individuals must be reported to HHS within the same 60-day window and to prominent media outlets serving the affected state or jurisdiction; smaller breaches are logged and reported to HHS annually. The HHS Office for Civil Rights maintains a public breach portal, commonly called the "Wall of Shame," listing all breaches affecting 500 or more individuals. Enforcement has intensified significantly, with individual settlements and civil monetary penalties reaching into the millions of dollars for systemic violations.
ConductAtlas maps governance language to potentially relevant regulatory frameworks. Regulatory applicability and enforceability may vary by jurisdiction, enforcement context, and individual circumstances. This page is informational and does not constitute legal advice.
ConductAtlas tracks HIPAA-relevant provisions across 19 platforms. Each platform's specific provisions are classified by severity and mapped to HIPAA requirements.
ConductAtlas captures policy documents daily, classifies provisions by regulatory framework, and flags changes that affect HIPAA obligations. Every change is archived with cryptographic verification.