Compliance & Privacy

HIPAA

Health Insurance Portability and Accountability Act

US federal law establishing standards for protecting sensitive patient health information, known as protected health information (PHI). HIPAA's Privacy Rule governs who may access and disclose PHI; the Security Rule requires administrative, physical, and technical safeguards for electronic PHI. Business Associates (vendors that create, receive, maintain, or transmit PHI on behalf of covered entities) must sign Business Associate Agreements (BAAs) and comply with the rules independently. Penalties range from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category.