HIPAA — The Whole Picture
A plain-language summary of every HIPAA rule that matters for Starlight, with direct links to the actual regulation and HHS guidance so we always work from the source, not from a vendor's checklist.
First principle (Erik's stance): HIPAA is not a certification. It is a continuous risk-management posture that you maintain and document. Anyone selling you a "HIPAA compliance package" is selling you the comfort of a stamp. The work is the work. — see Starlight's compliance plan.
Why HIPAA applies to us
Starlight Practice handles electronic protected health information (ePHI) on behalf of clinicians like Dr. P. That makes us a Business Associate (BA) of every covered-entity practice we serve. Even though we never see patients ourselves, we are directly liable under HIPAA — Business Associates have been on the hook for full enforcement since the 2013 Omnibus Rule.
Two roles to keep straight in any conversation:
| Role | Who is it | Examples on our stack |
|---|---|---|
| Covered Entity (CE) | Healthcare provider, health plan, or clearinghouse that creates / receives / transmits PHI | Starlight Pediatrics (Dr. P's practice) |
| Business Associate (BA) | A vendor performing functions on behalf of a CE that involve PHI | Starlight Practice (us), AWS (the BAA they sign with us), DoseSpot, Twilio (when SMS contains PHI), etc. |
The four rules at a glance
HIPAA is actually five federal rules layered together. The four you'll touch every day:
| Rule | What it does | The Code | HHS landing |
|---|---|---|---|
| Privacy Rule | Defines PHI and governs uses and disclosures — when you may share, when you must share, and minimum necessary. | 45 CFR 164 Subpart E | HHS · Privacy |
| Security Rule | Mandates Administrative, Physical, and Technical safeguards for ePHI. | 45 CFR 164 Subpart C | HHS · Security |
| Breach Notification Rule | If unsecured PHI is breached, notify individuals + HHS + (sometimes) media within 60 days. | 45 CFR 164 Subpart D | HHS · Breach |
| Enforcement Rule | Procedures for investigation, hearings, and civil monetary penalties (up to ~$2.1M per violation type per year). | 45 CFR 160 Subparts C–E | HHS · Enforcement |
The Omnibus Rule (2013) is not a separate body of regulation — it's the rulemaking that, among other things, made Business Associates directly liable and tightened breach-notification standards. We're already operating in the post-Omnibus world.
1 · The Privacy Rule
Plain-English: You can't use or disclose someone's health information without their permission, with specific carved-out exceptions. Patients have rights over their own data. You must give them a notice explaining all of this.
What it protects: Protected Health Information (PHI) — any individually identifiable health info in any form. Electronic PHI (ePHI) is the subset we care about.
Permitted uses and disclosures (no authorization needed):
- Treatment, Payment, and Healthcare Operations — the "TPO" triad. Covers most day-to-day clinical work.
- To the individual themselves.
- Public health activities, victim-of-abuse reporting, health oversight, judicial proceedings, law enforcement, decedents, organ donation, research with safeguards, threat to health/safety, specialized government functions, workers' comp. — see 45 CFR 164.512.
- Anything else generally requires a HIPAA-compliant Authorization (45 CFR 164.508).
The Minimum Necessary Standard (45 CFR 164.502(b), 164.514(d)): use or disclose only the minimum PHI needed for the purpose. Doesn't apply to disclosures to the individual or for treatment.
Patient rights you must honor:
| Right | Citation | What it means for our product |
|---|---|---|
| Right of Access | 45 CFR 164.524 · HHS guidance | Provide a copy of the chart within 30 days of request, in the form and format requested if readily producible — including structured electronic export. Fees must be reasonable, cost-based. This is the regulatory hook for our "strong egress" feature. |
| Right to Amend | 45 CFR 164.526 | Patient can request correction of records they believe are wrong. We must respond in 60 days. |
| Right to Accounting of Disclosures | 45 CFR 164.528 | Patient can ask for a list of non-TPO disclosures over the prior 6 years. Implies a queryable disclosure log. |
| Right to Request Restrictions | 45 CFR 164.522(a) | Patient can ask us to restrict certain uses. We're not always required to agree, but if a patient pays out-of-pocket in full, we must honor a request to not share with their health plan. |
| Right to Confidential Communications | 45 CFR 164.522(b) | "Don't text me, only email" — must accommodate reasonable requests on alternate channels. |
Notice of Privacy Practices (NPP): Each CE must give patients a written notice of how their PHI is used. 45 CFR 164.520. The Starlight onboarding flow already e-signs this — that signature must be retained.
Business Associate Agreements (BAAs): Required between a CE and any BA, and between a BA and any subcontractor BA. Required clauses are spelled out at 45 CFR 164.504(e) — see also the HHS BAA sample provisions. We need a BAA executed with every practice we onboard, and we need BAAs from every PHI-touching vendor in our stack (AWS, Anthropic, DoseSpot, Twilio, Stripe-where-applicable, etc.).
2 · The Security Rule
Plain-English: Three categories of safeguards — Administrative (policies and people), Physical (locks and devices), Technical (encryption and access control). Each category has Standards (mandatory) and Implementation Specifications (Required or Addressable). "Addressable" doesn't mean optional — it means you must do it OR document why you implemented an equivalent measure.
The three safeguard categories:
| Category | Citation | What it covers |
|---|---|---|
| Administrative | 45 CFR 164.308 | Risk analysis, risk management, sanction policy, information system activity review, designated Security Officer, workforce security, access management, awareness & training, security incident procedures, contingency plan, evaluation, BAA contracts. |
| Physical | 45 CFR 164.310 | Facility access controls, workstation use, workstation security, device and media controls (disposal, re-use, accountability, backup). |
| Technical | 45 CFR 164.312 | Access control (unique IDs, emergency access, automatic logoff, encryption/decryption), audit controls, integrity (mechanism to authenticate ePHI hasn't been altered), person/entity authentication, transmission security (integrity + encryption). |
Plus the cross-cutting requirements:
- Organizational Requirements — 45 CFR 164.314: contract requirements with BAs, group health plan requirements.
- Policies, Procedures, and Documentation — 45 CFR 164.316: maintain written policies, retain documentation 6 years, make available to those responsible, review and update periodically.
The Risk Analysis is the keystone (45 CFR 164.308(a)(1)(ii)(A)). HHS has called this out as the most-cited deficiency in enforcement actions. Every safeguard decision flows from it. See HHS · Guidance on Risk Analysis.
The implementation reference we'll actually live in: NIST SP 800-66 Revision 2 — Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide (Feb 2024). Download · csrc.nist.gov/pubs/sp/800/66/r2/final. This is the canonical, free, government-authored map from each Security Rule standard to NIST's broader cybersecurity guidance. Read this once cover-to-cover; reference it forever.
Audit log retention policy
Starlight's application audit_log table (issue #40) is the system of record for §164.312(b) audit controls. Retention is governed by §164.316(b)(2) (Time limit): we retain every audit row for 7 years minimum from occurred_at. 7 years is the conservative ceiling across all state record-retention statutes that affect a pediatric practice; HIPAA itself only requires 6 years on policy documentation, but the audit trail is treated as a clinical-grade record.
Append-only at the application layer. The table runs under row-level security, and the app_user role is granted only INSERT and SELECT on it; UPDATE, DELETE, and TRUNCATE are explicitly REVOKEd. The application cannot mutate or delete audit rows — even with a compromised tenant context, the worst case is reading rows the RLS policy lets through, never destroying them.
Hard-deletion is out-of-band. When a row crosses the 7-year boundary, hard-deletion happens via a quarterly operator-run SQL job, not through the application. The operator connects as the master Postgres user (which bypasses RLS) and runs:
```sql
DELETE FROM audit_log WHERE occurred_at < now() - interval '7 years';
```
The operator records the deletion (row count + window) in a separate manual log retained alongside the SOC 2 evidence binder. No application user — including platform admins — has the database privileges to perform this delete.
Partitioning is deferred. Until row count justifies it, the table is a single heap. Partitioning by month becomes mandatory above ~10M rows; once we cross that threshold, the retention job maps cleanly onto dropping whole monthly partitions (in Postgres, ALTER TABLE ... DETACH PARTITION followed by DROP TABLE on the detached partition) instead of a row-by-row DELETE.
Out of scope for now. The retention job itself is not implemented — by construction, the first audit row cannot approach 7 years until well after MVP. File a follow-up issue when the oldest row crosses the 6-year mark.
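The append-only privilege model, tenant-scoped RLS and operator-run retention job described above, as an added PostgreSQL sketch. This is not Starlight's actual schema or migration: the column set, the tenant_id column, the app.tenant_id session setting and ownership of the table by the master user are all assumptions made for the illustration.

```sql
-- Added illustration, not Starlight's schema: an append-only audit_log in PostgreSQL.
-- Assumptions: the columns below, a tenant_id column, a session setting app.tenant_id
-- that the application sets per request, and the table being owned by the master user.

CREATE ROLE app_user NOLOGIN;            -- assumed: the role the application connects as

CREATE TABLE audit_log (
    id          bigserial    PRIMARY KEY,
    tenant_id   uuid         NOT NULL,
    actor_id    uuid         NOT NULL,
    action      text         NOT NULL,
    occurred_at timestamptz  NOT NULL DEFAULT now()
);

-- Statement-level privileges: the application may append and read, nothing else.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT INSERT, SELECT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;     -- needed for the bigserial default
-- Redundant after a GRANT-only setup, but explicit so the intent shows in the migration history.
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM app_user;

-- Row-level security: app_user sees and writes only rows for the tenant bound to the session.
-- ENABLE (not FORCE) so the table owner, here the master user, still bypasses RLS for the
-- out-of-band retention job. app_user has only the two policies below, so any other access
-- falls under RLS default-deny.
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;

CREATE POLICY audit_log_tenant_select ON audit_log
    FOR SELECT TO app_user
    USING (tenant_id = current_setting('app.tenant_id', true)::uuid);

CREATE POLICY audit_log_tenant_insert ON audit_log
    FOR INSERT TO app_user
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Verify the privilege model before calling the table append-only.
-- Expected result: can_update = false, can_delete = false, can_truncate = false, can_insert = true.
SELECT has_table_privilege('app_user', 'audit_log', 'UPDATE')   AS can_update,
       has_table_privilege('app_user', 'audit_log', 'DELETE')   AS can_delete,
       has_table_privilege('app_user', 'audit_log', 'TRUNCATE') AS can_truncate,
       has_table_privilege('app_user', 'audit_log', 'INSERT')   AS can_insert;

-- Quarterly retention job, run by the operator as the table owner (bypasses RLS).
-- RETURNING feeds the row count and the date window that the operator records in the manual log.
BEGIN;
WITH purged AS (
    DELETE FROM audit_log
    WHERE occurred_at < now() - interval '7 years'
    RETURNING occurred_at
)
SELECT count(*)         AS rows_deleted,
       min(occurred_at) AS window_start,
       max(occurred_at) AS window_end
FROM purged;
COMMIT;
```

The second argument to current_setting (missing_ok = true) returns NULL when the application forgot to set app.tenant_id, which makes the comparison NULL and hides every row rather than raising an error or leaking across tenants. The retention DELETE sits in an explicit transaction so the operator can inspect rows_deleted and the window before COMMIT and ROLLBACK if the interval or the row count looks wrong.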
3 · The Breach Notification Rule
Plain-English: If unsecured PHI is acquired, accessed, used, or disclosed in a way that violates the Privacy Rule, you have to tell the affected individuals, HHS, and sometimes the media — and you're presumed to have a reportable breach unless your risk assessment shows a low probability of compromise.
The 4-factor risk assessment (45 CFR 164.402 — definition of "breach"):
- The nature and extent of the PHI involved.
- The unauthorized person who used or received it.
- Whether PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated.
Notification timelines (45 CFR 164.404–164.410):
| Audience | Deadline | Trigger |
|---|---|---|
| Affected individuals | Without unreasonable delay, within 60 calendar days of discovery | Always |
| HHS (Office for Civil Rights) | Within 60 days of discovery if breach affects 500+ individuals; annually for smaller breaches | Volume |
| Prominent media outlets | Within 60 days of discovery | Breach affects 500+ residents of a state or jurisdiction |
| The Covered Entity we serve, if we're the BA | Without unreasonable delay, within 60 days of discovery | We're the BA |
The OCR breach portal is at HHS · Submit Breach Notice. The public "Wall of Shame" of 500+ breaches lives at HHS · Breach Portal.
Encryption is the safe-harbor. PHI is "unsecured" only if it's not rendered unusable, unreadable, or indecipherable. PHI encrypted to NIST standards is not "unsecured" — meaning a stolen encrypted backup is not a breach. See HHS · Guidance to Render PHI Unusable. This is why we encrypt everything in transit and at rest, always.
4 · The Enforcement Rule
Civil monetary penalties scale by culpability tier (45 CFR 160.404):
| Tier | Knowledge | Per-violation range (2024 dollars, indexed annually) | Annual cap per violation type |
|---|---|---|---|
| 1 | Did not know (and would not have known with reasonable diligence) | ~$137 – $68,928 | ~$2,067,813 |
| 2 | Reasonable cause, not willful neglect | ~$1,379 – $68,928 | ~$2,067,813 |
| 3 | Willful neglect, corrected within 30 days | ~$13,785 – $68,928 | ~$2,067,813 |
| 4 | Willful neglect, not corrected | ~$68,928 – $2,067,813 | ~$2,067,813 |
OCR's enforcement decisions are public: HHS · Enforcement Highlights and Resolution Agreements. Read 5 of these before architecting — pattern-matching across actual enforcement actions teaches more than any vendor checklist.
Authoritative source list (always work from these)
| Source | What it gives you | URL |
|---|---|---|
| eCFR Title 45 Parts 160, 162, 164 | The actual binding text of HIPAA's regulations. | ecfr.gov/current/title-45 |
| HHS Office for Civil Rights — For Professionals | Plain-English overviews, FAQs, sample BAAs, guidance documents. | hhs.gov/hipaa/for-professionals |
| NIST SP 800-66 Rev. 2 | Implementation guidance for the Security Rule. The doc you'll actually use day-to-day. | csrc.nist.gov/pubs/sp/800/66/r2/final |
| NIST SP 800-53 Rev. 5 | Catalog of security and privacy controls referenced by HIPAA-aligned frameworks (FedRAMP, etc.). | csrc.nist.gov/pubs/sp/800/53/r5/upd1/final |
| HHS Breach Portal | Submit OCR breach notice; view public 500+ breaches. | ocrportal.hhs.gov/ocr/breach |
| AWS HIPAA Eligible Services Reference | The list of AWS services covered by AWS's BAA — anything ePHI must stay on this list. | aws.amazon.com/compliance/hipaa-eligible-services-reference |
| AWS HIPAA on AWS | The BAA, AWS Artifact access, alignment overview. | aws.amazon.com/compliance/hipaa-compliance |
Where to go next
- SOC 2 Overview — what SOC 2 is and where it overlaps with HIPAA. (We need both, anyway, for invoicing/financing.)
- Regulated SDLC Guardrails — what regulated software development looks like in practice.
- Starlight's Compliance Plan — how we actually do this without consultant theater.
- AWS HIPAA Stack — the existing detailed mapping of B4M / Lumina5 services to HIPAA-eligible AWS components.