HIPAA (Health Insurance Portability and Accountability Act)
U.S. law establishing requirements for protecting patient health information. HIPAA compliance requires securing connected devices and systems that create, receive, store, or transmit PHI.
What is HIPAA (Health Insurance Portability and Accountability Act)?
HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996 and establishes national standards for protecting individually identifiable health information. Its Security Rule, finalized in 2003 with a compliance deadline of April 2005 for most covered entities, specifically addresses the protection of electronic Protected Health Information (ePHI). It requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates to implement administrative, physical, and technical safeguards.
The Security Rule is technology-neutral by design: it defines standards (access control, audit controls, integrity, person or entity authentication, transmission security) and implementation specifications that are either required or addressable, without mandating specific products. Encryption, for example, is an addressable specification: a covered entity must implement it where reasonable and appropriate, or document why it is not and implement an equivalent alternative. This flexibility allows organizations to choose appropriate controls for their specific environment, but it also creates interpretation challenges, particularly for connected medical devices that were largely absent from the healthcare IT landscape when the rule was written.
Modern HIPAA compliance programs must grapple with an IoMT estate that the original Security Rule did not anticipate. HHS guidance and OCR enforcement actions have since made clear that connected medical devices that create, store, or transmit ePHI are in scope. Organizations that lack visibility into their IoMT devices cannot demonstrate the access control, audit logging, and integrity protections that HIPAA requires for all systems handling ePHI.
Key Facts
- HHS's Office for Civil Rights (OCR) has issued fines exceeding $28M in a single HIPAA enforcement action
- HIPAA breach notification requirements apply to any breach of unsecured PHI; breaches affecting 500 or more individuals must be reported to HHS (and to prominent media outlets) within 60 days of discovery, while smaller breaches are reported to HHS annually
- Connected medical devices that transmit patient data are in scope for HIPAA Security Rule requirements
- The average cost of a healthcare data breach is $10.9M according to IBM's Cost of a Data Breach Report 2023, the highest of any industry
How ORDR Addresses HIPAA (Health Insurance Portability and Accountability Act)
ORDR supports HIPAA compliance by providing complete inventory of connected medical devices, behavioral monitoring for unauthorized access detection, and segmentation policy enforcement that controls which devices can access systems containing ePHI. ORDR generates compliance reports that document security posture across the IoMT device estate for auditors and risk assessments.