HIPAA privacy rule: what it means for health tech brands

Digital health platforms have transformed the modern healthcare industry. For health tech brands that process protected health information (PHI) nowadays, federal laws state that protecting sensitive patient data is a must-do.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is the central pillar of this responsibility. The HIPAA Privacy Rule is a national standard for protecting PHI across all electronic, paper, and oral formats. It states how that data is to be accessed, shared, and stored.
This article explores what the HIPAA Privacy Rule means for health tech providers in 2025. It also explores the Rule’s relation with the HITECH Act, and what health tech brands need to do to comply with HIPAA.
What is the HIPAA Privacy Rule?
Effective since 2003, the HIPAA Privacy Rule is a U.S. federal regulation that protects patient information, and gives patients rights over their health records. It limits how that data can be used or disclosed without patient authorization, and sets expectations for how organizations must protect it.
Why does the Privacy Rule exist?
The Rule exists as a result of growing concern over health data. Health technology and digital records are expanding – for example, with innovations like wearable technology. Without the Privacy Rule, health data could be exposed, sold to third parties, used for discrimination, or monetized without someone’s explicit consent.
As privacy and data breaches grew in number over the years, the healthcare industry – including health tech brands and their business associates – needed a foundational data protection and privacy standard while still allowing necessary data sharing for patient care.
Who does the Privacy Rule apply to?
The Privacy Rule applies to – as HIPAA officially calls them – “covered entities” and “business associates.” Covered entities include hospitals, health plans, and clearinghouses. Business associates include vendors, Software-as-a-Service (SaaS) platforms, telehealth tools, and any other entity that handles PHI on behalf of a covered entity.
Both covered entities and business associates must sign Business Associate Agreements (BAAs) to guarantee that both parties satisfy HIPAA regulations. Additionally, if a vendor – for example, a medical billing organization – is performing services involving PHI for or on behalf of a covered entity or its business associate, HIPAA could see that organization as a business associate, and also require a BAA. Below is a quick table showing how HIPAA applies:
| Organization type | Covered by HIPAA Privacy Rule | Must sign BAA |
| Hospital or clinic | Yes (covered entity) | N/A – they sign BAAs with vendors |
| Telehealth platform | Yes, if handling PHI for a covered entity | Yes |
| Cloud storage vendor | Yes, if storing PHI for a covered entity or business associate | Yes |
| EHR provider | Yes, if processing PHI for a covered entity | Yes |
| Stand-alone wellness apps | No, unless working with a covered entity | Not required (but signs BAA if working with a healthcare provider) |
What does the Privacy Rule protect?
The Privacy Rule is about protecting PHI. PHI is defined as any individually identifiable health information – electronic, paper, or oral – that is:
- Related to a person’s physical or mental health condition (past, present or future)
- Related to the provision of healthcare
- Related to the payment for healthcare services
Furthermore, such data also includes the 18 HIPAA identifiers, such as name, email, Social Security number (SSN), or a medical record number. Sometimes, even non-clinical details might be PHI if they reasonably identify someone when combined with health data. For example, a support animal’s name could be PHI if it could lead to a patient being identified.
What digital health platforms must do
Digital health platforms must comply from the start – meaning building compliance into their product, or service. Remember, HIPAA is not a set checklist – it evolves. Regulated entities must implement administrative, technical, and physical protection mechanisms to protect PHI and ePHI – a subset of PHI.
Start by understanding where PHI is created, stored, shared, and deleted across your systems – including across any third-party vendor connections you may have. If you signed a BAA, you’re accountable for the PHI accessed by vendors. Once that’s clear, it’s time to understand HIPAA’s protection requirements – or, as HIPAA’s Security Rule calls them: “safeguards.”
Administrative safeguards
Administrative safeguards are about internal governance. These include:
- Designating a privacy or security officer
- Maintaining well written security policies
- Performing regular risk analyses and documenting how you handled any risks
- Training employees on privacy and security awareness
- Creating an incident response and breach notification plan
- Signing BAAs with anyone that handles PHI on your behalf
These safeguards insert privacy and security into your workflow. They affect all departments, not just IT.
Technical safeguards
Technical safeguards are for PHI security at the system and data level. These are:
- Ensuring role-based or least-privilege access controls
- Applying strong authentication, like multi-factor authentication (MFA)
- Enabling automatic timeouts and session locks
- Encrypting stored PHI and when sending/receiving PHI
- Having detailed access logs and audit trails
- Implementing integrity checks
These safeguards lock down security and access. Only authorized personnel should be able to access PHI.
Physical safeguards
Physical safeguards exist because PHI data is stored or transits through physical devices. These safeguards comprise:
- Restricting access to facilities and hardware
- Securing workstations and storage media
- Implementing policies for how media is disposed of and reused
In remote work and hybrid workflows especially, PHI travels through networks and hardware outside of a clinical environment. Locking this flow down adds even more security.
Patient rights under the HIPAA Privacy Rule
Under the HIPAA Privacy Rule, patients have the right to access their health records and request corrections when records are inaccurate or incomplete.
Any use of the patient’s data for marketing, research, or third-party sharing purposes not related to health treatment or payment requires the patient’s written authorization. Patients can also request – as HIPAA calls it – an “accounting of disclosures” to know who accessed their PHI and why.
Additionally, patients can change how providers communicate with them – for example, requesting contact only by email or via private phone number – to avoid unwanted disclosure.
Why the HITECH Act matters for health tech brands
For health tech brands, the HITECH Act of 2009 matters because it made business associates – like digital health platforms – directly liable under HIPAA for protecting PHI. Before this act was made effective, there were minimal consequences (small fines) or none at all for mishandling patient data – such as not encrypting stored data, logging access, or sharing PHI without consent.
The HITECH Act also mandated the Breach Notification Rule, requiring covered entities – and their business associates to notify them – to report data breaches within 60 days of discovery. Furthermore, the Act expanded patient rights to digital access and incentivized electronic health record (EHR) systems – so providers were pushed to adopt more private, compatible, and secure data sharing practices.
For health tech brands, the HITECH Act is why HIPAA compliance is now legally enforceable. Penalties now surpass $2 million per violation category, per year.
The Minimum Necessary Rule Standard
HIPAA’s “Minimum Necessary Rule Standard” is a core privacy principle – and a core part of the Privacy Rule – that limits exposure and breach risk. It requests that organizations access, use, or disclose only the PHI needed for a specific task. The rule applies to (excluding when PHI is shared for treatment):
- Internal workflows, like job-based access controls
- Requests from insurers, researchers, or law enforcement
- Public health reporting and data sharing
- Disclosure between covered entities and business associates
Any uses required by law or authorized by the patient are exempt from this Standard. For health tech platforms, the Standard means:
- Configuring systems to stop unnecessary PHI exposure
- Applying clear, role-based controls
- Restricting API and vendor access to the minimum required
- Logging and auditing data access
- Training teams on how much PHI is appropriate to share
Where HIPAA draws the line
Without written patient consent, PHI should generally not be used for purposes outside treatment, payment, and healthcare operations – such as most marketing purposes. There are some areas where the Privacy Rule allows PHI use – such as when required by law, and for certain types of research – but HIPAA draws a hard line the moment PHI is for sale. Crossing this line can quickly trigger a HIPAA violation.
Some common mistakes include sending promotional emails based on diagnoses, improperly sharing identifiable patient lists with researchers – like without de-identification – and using emails or health data for donation campaigns. If any money is involved in data use, that must be disclosed. A good rule of thumb is to keep marketing, fundraising, and research activities separate from systems that handle PHI.
Why health tech brands are concerned (2020-2025)
Between 2020 and 2025, HIPAA has become central again for health tech brands because of new risks, added enforcement, and technological innovation. Between 2024-2025, the Department of Health and Human Services (HHS) proposed major changes to the HIPAA Security Rule. It proposed that MFA and encryption should become mandatory, and tightening annual risk assessments, vulnerability scanning, and vendor oversight.
2024 was one of the worst breach years ever – with over 700 major healthcare incidents reported. Experts believe the Change Healthcare breach alone has exposed PHI and affected over 190 million individuals, which was followed by lawsuits – and risk was at a record high.
Therefore, hospitals, providers, and payers won’t sign deals without security audits, BAAs, and proof of access controls. That’s why lack of compliance today is unacceptable – and often means lost business. In fact, 2025 has set a new record for HIPAA penalties.
According to industry reports, health tech brands are also adapting to the situation. Telehealth leaders like Teladoc, Amwell, and MDLive now use real-time monitoring, access controls, and encrypted communications. AI health startups like Deepmind Health and AliveCor are now “business associates” under HIPAA – as soon as they touch PHI – even during AI model training. Major cloud platforms like AWS HealthLake and Microsoft Azure Healthcare are also aligning themselves to be fully HIPAA-compliant.
The impact of HIPAA also affects the wearables and wellness apps industry. For instance, Apple Health, Fitbit, Oura, Whoop, Peloton, and Noom are adjusting to increasingly tight regulation – since they process health data that blurs the line between consumer and clinical. Unlike in the past, a health tech brand can’t simply market itself as “HIPAA compliant” anymore without strong evidence.
Conclusion
According to IBM and Avatier, data breach costs exceed $10 million per incident – evidence of why strict data privacy enforcement is both a security and strategic business imperative today. If you’re a tech health brand – telehealth, wearables, or you handle PHI in any way – you now understand that the HIPAA Privacy Rule makes or breaks your business.
The most important move you could make is to build and design your products with data privacy in mind from the start. At a surface level, that means encryption, access controls, and partners you can trust. To understand what you really need to do, simply refer to this guide whenever you aren’t sure and make sure you tick all of your compliance requirements across your business ecosystem.
If you need HIPAA-compatible hosting, providers like Liquid Web provide solutions. With supported hosting, you’ll spend less time and resources configuring a HIPAA-compliant infrastructure.
FAQ
What is the HIPAA Privacy Rule in healthcare?
It’s a federal regulation that safeguards protected patient data (PHI and ePHI). It defines how PHI can be used or disclosed without explicit patient consent. It also gives individuals rights like requesting corrections to their information. Platforms like Liquid Web help, since their hosting is HIPAA-compatible.
Who does HIPAA apply to?
It applies to “covered entities” – as defined by HIPAA – including hospitals and insurers, and “business associates” such as telehealth vendors, cloud platforms, and EHR providers. Any entity handling PHI data (using, disclosing, maintaining, or transmitting) on behalf of a covered entity is considered a business associate.
Are medical device companies subject to HIPAA?
Yes, but only if they touch PHI on behalf of a covered entity – including storage, processing, and transmission. Otherwise, they might follow Food and Drug Administration (FDA) laws.
Does HIPAA include the HITECH Act?
No, but the HITECH Act reinforces HIPAA by adding enforcement, breach notification requirements, and fines/penalties. It’s what made vendors directly liable for compliance.
What qualifies as a HIPAA violation?
A HIPAA violation is when PHI is not handled per the Privacy Rule, for example when a healthcare provider or employee shares, discusses, or sends patient data to others without the patient’s explicit consent. A violation could be posting the PHI online, using it for marketing and monetizing it, or even sending it to the wrong person.