
Why is HIPAA important? Brief explanation of when HIPAA regulations do not apply


Answering some of the most popular questions about the Health Insurance Portability and Accountability Act.



Medical software regulations = endless discussions. Perhaps that’s why we have been writing about this in Untitled Kingdom since 2017.

But only lately have I started sharing knowledge about meeting the requirements of specific institutions and regulatory, governmental bodies. After the global guidelines for developing Software as a Medical Device, let’s zoom in on HIPAA: the Health Insurance Portability and Accountability Act, a law that regulates the handling and protection of patient health information in the United States.

I promise to keep it brief, but I cannot promise to keep it exciting. After all, beauty is in the eye of the beholder.

Choose your HIPAA question

What does HIPAA mean?

As per the Centers for Disease Control and Prevention, The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law for providing national standards to protect patient health information.

The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to protect the information covered by that Rule from being disclosed without the patient’s consent or knowledge.

The covered entities (individuals and organizations that are subject to HIPAA’s Privacy Rule) are patients, healthcare providers, health plans, healthcare clearinghouses, and business associates.

In a country where the General Data Protection Regulation (GDPR) does not apply, data privacy acts apply locally (such as the CCPA, the California Consumer Privacy Act) or to specific industries. HIPAA is one of the strictest laws in the world concerning medical software development. And for a good reason: it aims to unify and standardize cybersecurity best practices, to guard and protect patient information, and to hold providers accountable.

Why is HIPAA important? Benefits & consequences


For any party collecting, processing, or transmitting patients’ health data (especially cloud-hosted businesses), HIPAA is a set of framework requirements to comply with. But for patients, HIPAA’s Privacy Rule gives them rights to control their data: who can access it, how much they can see, and when it can be amended.

Here are 4 benefits and key aspects that make HIPAA important for patients.

  1. HIPAA Right of Access → patients have the right to ask to see and/or procure a copy of their health records upon request, including whether to receive it on paper or electronically and to send medical records to an alternate healthcare provider or designated individuals.

  2. Right to Make Corrections → with specifically detailed exceptions, if the patient and the medical institution agree that the patient's data is inaccurate or incomplete, the hospital must change it. The institution may disagree, but then it must explain why to the patient and give details of how to submit a written statement of disagreement and file a complaint with the Secretary of Health and Human Services (HHS).

  3. Need to take Patients’ Consent before sharing data with any Third Party → usually through a HIPAA release form shared with a patient.

  4. Right to File a Complaint if Data is Misused or Shared without Consent → if a patient feels that their data is misused or shared without consent or if there is contention regarding the violation, they have the right to file a complaint with the Office for Civil Rights.


Noncompliance with HIPAA rules can lead to penalties, data theft, reputation damage, financial loss, and a risk to patient safety. If you break HIPAA Rules as a member of a covered entity's or business associate's workforce, there are 3 potential outcomes:

  1. Penalties
    Determining the amount is based on the nature and extent of the violation and the nature and extent of the harm it causes. Penalties range from $100 to $50,000 per incident, with a different annual maximum for repeat violations ($25,000 - $1.5 million).

  2. Criminal penalties
    Covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information may face imprisonment for up to 1 year, whereas offenses committed under false pretenses allow penalties to be increased to 5 or even 10 years in prison.

  3. Exclusion from specific healthcare providers and institutions
    HHS has the authority to exclude specific companies and providers from their health plans.

Do HIPAA regulations apply to all medical facilities?

Yes, as per the HIPAA Journal, these regulations apply to all medical facilities in the United States. Beyond the covered entities and subjects discussed earlier, HIPAA consists of further titles covering everything from medical liability reform to taxes on expatriates who give up U.S. citizenship.

When does HIPAA not apply?

The text of the Health Insurance Portability and Accountability Act is full of exceptions, which only adds to the complexity of complying with the Act. But as per (you guessed it) the HIPAA Journal, the most common exceptions are:


  • Entities providing standard treatment → fitness and health clubs; cosmetic service providers (when not processing healthcare transactions).

  • Entities providing workers' compensation → HIPAA usually does not apply to using software for verifying an employee's claim or coordinating benefits. That includes entities such as workers' compensation insurers, administrative agencies, and employers.

  • Researchers (when not obtaining PHI from a covered entity) → HIPAA has separate rules for research purposes. Yet even these conditions specify that the healthcare information needs to be "de-identified" and that a limited data set must be used. This category also includes schools and school districts not providing healthcare services.



If you're reading this, I assume you're developing or are interested in developing medical or healthcare software. In which case, I don't need to convince you to adopt best practices for safeguarding health data and your users' (patients') sensitive information. Cybersecurity is the key: to fulfill ethical obligations, to maintain a good reputation (for you, for your organization, and for the whole industry!), but above all, to build trust.

If users trust your app, they are more likely to reuse it. And as they use it more often, it benefits their health. If you stay informed and diligent in your privacy and security efforts, you already contribute to a more secure healthcare environment.


This is the end of this article, but you do not have to leave empty-handed.
If you want to read more about developing medical or healthcare software, you can download a free copy of Untitled Kingdom’s Security Checklist: 60 questions you should answer to maintain cybersecurity in business.

And if you’re already developing a project, you can book a free online consultation.

By Piotr Zając

CEO at Untitled Kingdom. A guardian of Quality, Transparency and Family values. Responsible for showing his colleagues the meaning of life, what personal development is and how to be deeply joyful during work-work balance. A young daddy of Argus, The Polish Greyhound.