01/Glossary · Clinics
HIPAA — Health Insurance Portability and Accountability Act
US federal law that regulates the privacy and security of medical information. Applies if you handle data from US patients.
02/Full definition
HIPAA (Health Insurance Portability and Accountability Act) is the US law that governs protected health information (PHI). Its Security Rule requires access controls and audit logs recording who accessed which records, and treats encryption at rest and in transit as an "addressable" specification: you implement it, or you document why an equivalent safeguard is reasonable and appropriate instead (in practice, encrypt). It also requires a formal agreement (BAA, Business Associate Agreement) with every vendor that creates, receives, stores or transmits PHI on your behalf, and a documented breach notification process under the Breach Notification Rule. Civil penalties are tiered by level of negligence, from roughly USD 100 to USD 50,000+ per violation (inflation-adjusted, with annual caps per provision).
03/In Costa Rica context
In Costa Rica HIPAA does NOT apply to Tico (Costa Rican) patients; the local equivalent is Law 8968 (Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales). But if your clinic serves US patients (cross-border telemedicine, medical tourism) or works with a US insurer, HIPAA applies, and the US insurer or partner will typically require a signed BAA as a condition of the contract. Implementing HIPAA in a custom system adds USD 2,000–4,000 to the project: BAAs with Supabase/AWS/Stripe, end-to-end (E2E) encryption of sensitive data, and audit logging of every access to patient records.
06/Frequently asked questions
Do I need HIPAA if I only serve Tico patients?
No. For Costa Rican patients, Law 8968 on Data Protection applies. HIPAA is only mandatory if you handle US patient clinical data or if a US insurer requires it.