hipaa

HIPAA

Health Insurance Portability and Accountability Act (1996)

United States | Amended by HITECH Act

HIPAA governs how covered entities (healthcare providers, health plans, clearinghouses) and their business associates protect Protected Health Information (PHI) — both physical and electronic (ePHI). RAIL Score checks content against 10 HIPAA requirements spanning the Privacy Rule, Security Rule, Breach Notification Rule, and Business Associate obligations.

Official Resources

hhs.gov/hipaa — HHS HIPAA overview
OCR Enforcement Actions — Resolution agreements and civil monetary penalties
Enforcement Highlights — HHS enforcement data

Penalty Tiers

2026 rates reflecting 2025 inflation multiplier (1.02598)

Tier	Violation Type	Per Violation	Annual Cap
1	Did not know	$100 – $50,000	$25,000
2	Reasonable cause	$1,000 – $50,000	$100,000
3	Willful neglect (corrected)	$10,000 – $50,000	$250,000
4	Willful neglect (not corrected)	$50,000+	$2,190,294

Criminal penalties (DOJ): knowingly obtaining/disclosing PHI — up to $50K + 1 year. With false pretenses — $100K + 5 years. Intent to sell/harm — $250K + 10 years.

Requirements Checked by RAIL Score

ID	Rule	Requirement	What RAIL Evaluates
HIPAA-001	Privacy Rule	Minimum necessary standard	Is only the minimum necessary PHI used or disclosed?
HIPAA-002	Privacy Rule	Patient access rights	Are patient rights to access records mentioned?
HIPAA-003	Privacy Rule	Authorized disclosures only	Are disclosures limited to authorized purposes?
HIPAA-004	Security Rule	Security Risk Assessment	Is a Security Risk Assessment referenced?
HIPAA-005	Security Rule	Risk management	Are risks identified and actively managed?
HIPAA-006	Security Rule	Access controls	Are ePHI access controls described?
HIPAA-007	Security Rule	Audit controls	Is audit logging for ePHI access mentioned?
HIPAA-008	Security Rule	Encryption and integrity	Is encryption of ePHI in transit and at rest addressed?
HIPAA-009	Breach Notification	Breach notification process	Is breach detection and 60-day notification process described?
HIPAA-010	Business Associate	BAA requirements	Are third-party (BA) obligations addressed?

2025–2026 Enforcement Snapshot

OCR closed 21 enforcement actions in 2025 — the second highest annual total ever. As of January 2026, OCR has settled or imposed civil monetary penalties in more than 50 HIPAA cases under its Right of Access and Risk Analysis enforcement initiatives combined.

Recent Settlements with Disclosed Amounts

Date	Entity	Settlement	Violation
Dec 2024	Children's Hospital Colorado	$548,265	Privacy + Security Rule violations
Dec 2024	Gulf Coast Pain Consultants	$1,190,000	Security Rule violations
Nov 2024	Mental Health Center	$100,000	Failure to provide timely record access

Multiple additional 2025 enforcement actions (ransomware, cybersecurity, data breach) settled with undisclosed amounts. Full list at hhs.gov.

2026 OCR Enforcement Priorities

Risk Analysis + Risk Management — OCR now requires proof that identified risks were actively reduced (documented remediation, not just identification)
HIPAA Right of Access — patients must receive timely access to their records (60-day deadline); more than 50 penalties issued to date
Part 2 regulations — OCR has new authority to enforce substance use disorder record confidentiality
Ransomware as Security Rule violations — the majority of 2025 OCR actions involved ransomware traced to inadequate risk management

Key Lessons for AI in Healthcare

Risk analysis is table stakes, not a checkbox — OCR investigates whether vulnerabilities were identified and acted upon
BAAs are mandatory for any third-party AI vendor processing PHI on behalf of a covered entity
Audit trails matter — OCR specifically calls out unpatched software and device firmware gaps
Small practices are not exempt — fines from $100K to $548K have been levied against small clinics and mental health providers

RAIL Dimension Mapping

RAIL Dimension	HIPAA Rule	Focus
Privacy	Privacy Rule	Minimum necessary, authorized disclosures, patient rights
Safety	Security Rule	Technical, physical, and administrative safeguards
Accountability	Security + Breach Rule	Risk analysis, audit controls, breach response
Transparency	Privacy Rule	Notice of Privacy Practices, access obligations
Reliability	Security Rule	Availability, backup, disaster recovery

API Example

See the Compliance API reference for full endpoint documentation, parameters, and response schema.

Python — HIPAA compliance check

from rail_score_sdk import RailScoreClient

client = RailScoreClient(api_key="YOUR_RAIL_API_KEY")

result = client.compliance_check(
    content="""
    Our AI diagnostic assistant analyzes patient medical records, lab results,
    and treatment history to recommend care pathways. Data is stored on
    cloud infrastructure with encryption at rest.
    """,
    framework="hipaa",
    context={
        "domain": "healthcare",
        "system_type": "diagnostic_ai",
        "processes_personal_data": True,
        "high_risk_indicators": ["health_data", "automated_decisions"]
    },
    strict_mode=True,
    include_explanations=True
)

print(f"HIPAA Score: {result.compliance_score.score}/10 ({result.compliance_score.label})")
print(f"Requirements: {result.requirements_passed} passed / {result.requirements_failed} failed")

for issue in result.issues:
    print(f"[{issue.severity.upper()}] {issue.description}")
    print(f"  Requirement: {issue.requirement}")
    print(f"  Remediation effort: {issue.remediation_effort}")

Sources: HHS HIPAA · OCR Resolution Agreements · HIPAA Journal