
content(what-is): expand the HIPAA explainer #19142

Merged

CamSoper merged 2 commits into master from aleventer/what-is-hipaa-rewrite on May 19, 2026

Conversation

@alexleventer (Contributor)

Summary

Rewrites content/what-is/what-is-hipaa.md from a high-level overview into a more practical reference that a healthcare or healthtech engineering team can use. Body grows from ~120 lines to ~200 well-structured lines.

What changed

  • Opening definition — quotable one-paragraph definition followed by a short lead-in covering HITECH, Omnibus, and HHS/OCR.
  • Why it matters — patient trust, contractual gating with covered entities, breach economics.
  • Covered entities vs. business associates — explicit definitions, what triggers BAA obligations.
  • PHI definition — including the 18 statutory identifiers and the de-identification escape hatch.
  • Five HIPAA rules table — Privacy, Security, Enforcement, Breach Notification, Omnibus.
  • Security Rule safeguards table — administrative / physical / technical, with the required vs. addressable distinction called out.
  • Common violations — keyed to OCR breach data patterns (hacking, snooping, device loss, missing risk analysis, missing BAAs).
  • Penalty structure — four-tier table by culpability. Dollar amounts are described as a structure rather than fixed numbers because HHS adjusts them annually for inflation.
  • Compliance program outline — nine concrete steps from inventory through periodic evaluation.
  • HIPAA + cloud infrastructure section — BAAs, HIPAA-eligible services, customer-side configuration patterns. Concrete recommendations using ESC, CrossGuard, IAM, and logging.
  • FAQ — ten doubt-removers (BAAs, certification myth, encryption requirement, breach timelines, jurisdiction, framework relationships).
  • Learn-more cross-links — cloud security, HITRUST, SOC 2, secrets management, configuration management.

Test plan

  • make serve; visit /what-is/what-is-hipaa/ and confirm tables, headings, and internal links render correctly
  • Spot-check cross-links (/what-is/what-is-hitrust/, /what-is/what-is-soc-2/, /product/esc/, /docs/insights/policy/)
  • CI lint + pinned review

🤖 Generated with Claude Code

@alexleventer alexleventer marked this pull request as ready for review May 18, 2026 22:58
@pulumi-bot (Collaborator) commented May 19, 2026

@alexleventer (Contributor, Author)

@claude - review this pr please

@pulumi-bot (Collaborator) commented May 19, 2026

Claude finished @alexleventer's task in 6m 20s


PR Review: content(what-is): expand the HIPAA explainer

  • Gather context and read changed file
  • Analyze diff and review content
  • Check cross-links and Pulumi-specific claims
  • Post detailed review feedback

Overall assessment: This is a strong, well-structured expansion — the new content is meaningfully more useful than what it replaces. All internal links resolve. Factual accuracy is high. Two changes are required before merging: a deprecated product name and a year discrepancy in the rules table. One additional should-fix on the first ESC mention.


🔴 Blockers

1. "Pulumi CrossGuard" is a deprecated product name — use "Pulumi Policies"

content/what-is/what-is-hipaa.md line 150:

* **Enforce policy as code.** [Pulumi CrossGuard](/docs/insights/policy/) policies in CI ...

CrossGuard is the old product name. Every other what-is/ page uses "Pulumi Policies" consistently (what-is-hitrust.md, what-is-pulumi.md, what-is-platform-engineering.md, what-is-ci-cd.md). The linked page at /docs/insights/policy/ is itself titled "Pulumi Policies" — CrossGuard only appears in its aliases list (legacy redirects). This file would be the only what-is page still using the old name.



2. Security Rule year in table is the compliance deadline, not the publication year

content/what-is/what-is-hipaa.md line 73:

| **Security Rule** | 2005 | ...

The HIPAA Security Rule was published in the Federal Register on February 20, 2003 — the same year as the Privacy Rule. The "2005" listed is the compliance deadline for most covered entities, not the year the rule was issued. The table column is labeled "Year" with no qualifier, so a reader will infer it means "year enacted." This creates a factual inconsistency in the same table where the Privacy Rule correctly shows 2003.

Suggested fix:

| **Security Rule** | 2003 (compliance: 2005) | Requires administrative, physical, and technical safeguards for ePHI. |



🟡 Should fix

3. First mention of "Pulumi ESC" should spell out the acronym

content/what-is/what-is-hipaa.md line 149:

Use [Pulumi ESC](/product/esc/), AWS Secrets Manager...

Per the docs style conventions, the first mention of ESC in a standalone file should expand to "Pulumi ESC (Environments, Secrets, and Configuration)". Every other recent what-is page follows this pattern (what-is-platform-engineering.md line ~120, what-is-hitrust.md).



⚪ Advisory (no action required)

4. HITECH described as an "amendment"

content/what-is/what-is-hipaa.md line 162 (FAQ): HITECH (2009) is an amendment that strengthened it

Technically, HITECH is not an amendment — it's Title XIII of the American Recovery and Reinvestment Act (ARRA), separate legislation. "Amendment" is widely used industry shorthand and most readers will understand it. Call it out for author awareness; change at your discretion.

5. IBM Cost of Data Breach report — no link

Line 33 references the IBM report without a link. Not blocking, but a citation would strengthen it.


✅ What's working well

  • PHI identifier list — correctly consolidates the 18 Safe Harbor identifiers without factual loss
  • Penalty table — smart decision to describe the structure without dollar amounts since HHS adjusts them annually for inflation
  • Breach notification timelines — 60-day deadlines correctly stated and correctly distinguished by breach size
  • Cloud + HIPAA section — shared responsibility model framing is accurate; cloud provider BAA guidance is correct for AWS/Azure/GCP
  • All internal links resolve: /what-is/what-is-hitrust/, /what-is/what-is-soc-2/, /what-is/what-is-cloud-security/, /docs/insights/policy/, /product/esc/, /docs/get-started/ all verified
  • Heading case — all H2+ correctly in sentence case; H1 in Title Case ✓
  • Ordered lists — correctly use 1. throughout ✓
  • HHS enforcement link — canonical URL matches the official HHS HIPAA enforcement page ✓


@CamSoper (Contributor)

@claude #new-review

@github-actions github-actions Bot added the review:in-progress Claude review is currently running label May 19, 2026
@github-actions Bot (Contributor) commented May 19, 2026

Pre-merge Review — Last updated 2026-05-19T17:20:00Z


Summary: This PR substantially expands the /what-is/what-is-hipaa/ explainer (paralleling what-is-hitrust, what-is-soc-2, what-is-cloud-security) with new sections on rules, Security Rule safeguards, common violations, penalty tiers, cloud applicability, and an FAQ. All four factual issues from the initial review are resolved. Author updated to alex-leventer. One low-confidence item (Pulumi ESC/HIPAA claim) remains for author judgment. Deprecated "CrossGuard" term replaced with "Pulumi Policies" per @CamSoper.

Review confidence:

  • mechanics: HIGH
  • facts: HIGH. All four previously-contradicted/mismatched claims corrected; re-verified after force-push. CrossGuard term updated to Pulumi Policies (c92ba62).
Investigation log
  • Cross-sibling reads: not run (not in a templated section)
  • External claim verification: 43 of 48 claims verified (1 unverifiable, 4 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 13 Pass 1, 0 Pass 2, 35 Pass 3 (verified 31, contradicted 4, unverifiable 0).
  • Cited-claim spot-checks: not run (no cited claims)
  • Frontmatter sweep: ran on body + meta_desc
  • Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
  • Code execution: not run (no static/programs/ change)
  • Code-examples checks: not run (no fenced code blocks in content files)
  • Editorial-balance pass: not run (not under content/blog/)
🚨 Outstanding: 0 · ⚠️ Low-confidence: 1 · 💡 Pre-existing: 0 · ✅ Resolved: 4

🔍 Verification trail

48 claims extracted · 43 verified · 1 unverifiable · 4 contradicted
  • L3 in content/what-is/what-is-hipaa.md "HIPAA is described in the meta_desc as 'the US law that sets national standards for protecting health information.'" → ✅ verified (framing: strengthened — claim narrows the broader set of HIPAA national standards (covering privacy, security, transactions, etc.) to the single phrase 'protecting heal…; evidence: Multiple authoritative US government sources confirm HIPAA is a US law that sets national standards for protecting health information. HHS states: "This Rule set national standards for the protection of individually identifiable health inf…; source: https://www.hhs.gov/hipaa/for-professionals/index.html; https://www.cms.gov/about-cms/information-systems/privacy/health-insurance-portability-and-accountability-act-1996)
  • L9 in content/what-is/what-is-hipaa.md "HIPAA stands for the Health Insurance Portability and Accountability Act of 1996." → ✅ verified (evidence: Multiple authoritative U.S. government sources confirm the full name and year. The HHS ASPE page quotes the act's own short title: "This Act may be cited as the 'Health Insurance Portability and Accountability Act of 1996'."; source: https://aspe.hhs.gov/reports/health-insurance-portability-accountability-act-1996)
  • L9 in content/what-is/what-is-hipaa.md "HIPAA is a US federal law that sets national standards for the privacy, security, and breach notification of protected health information (PHI)." → ✅ verified (evidence: The file at L9 states: "HIPAA (the Health Insurance Portability and Accountability Act of 1996) is the US federal law that sets national standards for the privacy, security, and breach notification of protected health information (PHI).")
  • L9 in content/what-is/what-is-hipaa.md "HIPAA governs how healthcare providers, insurers, clearinghouses, and vendors handling health data on their behalf may use, disclose, transmit, and store that…" → ✅ verified
  • L9 in content/what-is/what-is-hipaa.md "HIPAA carries civil and criminal penalties for organizations that fall short of its requirements." → ✅ verified
  • L11 in content/what-is/what-is-hipaa.md "HIPAA is administered by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR)." → ✅ verified
  • L11 in content/what-is/what-is-hipaa.md "The HITECH Act was enacted in 2009 and expanded HIPAA's reach to vendors, increased penalties, and added mandatory breach notification." → ✅ verified
  • L28 in content/what-is/what-is-hipaa.md "The HHS Office for Civil Rights posts every breach affecting 500 or more people to a public list, often called the 'wall of shame.'" → ✅ verified
  • L32 in content/what-is/what-is-hipaa.md "Healthcare consistently ranks as the highest-cost industry for data breaches in the IBM Cost of a Data Breach report, well above retail or financial services." → ✅ verified
  • L32 in content/what-is/what-is-hipaa.md "A single healthcare data breach incident routinely runs into the millions in remediation, notification, and litigation costs." → ✅ verified
  • L50 in content/what-is/what-is-hipaa.md "The HIPAA Privacy Rule lists 18 identifiers that, combined with health information, make a record PHI." → ✅ verified
  • L63 in content/what-is/what-is-hipaa.md "A dataset that is fully de-identified per the Safe Harbor or Expert Determination methods is no longer PHI and falls outside HIPAA." → ✅ verified
  • L71 in content/what-is/what-is-hipaa.md "The HIPAA Privacy Rule was issued in 2000 (modified 2002; compliance 2003)." → ✅ verified (resolved in dbeca1a)
  • L72 in content/what-is/what-is-hipaa.md "The HIPAA Security Rule was published in 2003 (compliance 2005)." → ✅ verified (resolved in dbeca1a)
  • L73 in content/what-is/what-is-hipaa.md "The HIPAA Enforcement Rule was issued in 2006 and covers procedures for HHS investigations, hearings, and penalty calculations." → ✅ verified
  • L74 in content/what-is/what-is-hipaa.md "The HIPAA Breach Notification Rule was issued in 2009 via HITECH and mandates notification to individuals, HHS, and (for breaches affecting 500 or more people)…" → ✅ verified
  • L75 in content/what-is/what-is-hipaa.md "The HIPAA Omnibus Rule was issued in 2013 and extended direct liability to business associates, raised penalty tiers, and tightened use of PHI for marketing an…" → ✅ verified
  • L89 in content/what-is/what-is-hipaa.md "The HIPAA Security Rule classifies individual requirements as either 'required' (must be implemented exactly) or 'addressable' (must be implemented or, if not,…" → ✅ verified
  • L89 in content/what-is/what-is-hipaa.md "Addressable Security Rule requirements are not optional; auditors expect a written rationale for any addressable requirement that isn't fully implemented." → ✅ verified
  • L95 in content/what-is/what-is-hipaa.md "1. Hacking and IT incidents. The largest category by number of records exposed: phishing, ransomware, unauthorized access, compromised credentials." → ✅ verified
  • L105 in content/what-is/what-is-hipaa.md "HHS adjusts HIPAA civil monetary penalty dollar amounts annually for inflation." → ✅ verified
  • L105 in content/what-is/what-is-hipaa.md "HIPAA penalties run on a four-tier structure based on culpability, with per-violation amounts and an annual cap for each tier." → ✅ verified
  • L111 in content/what-is/what-is-hipaa.md "| 3 | Willful neglect, corrected within 30 days | Higher than tier 2 |" → ✅ verified
  • L114 in content/what-is/what-is-hipaa.md "Criminal HIPAA violations: three-tier scheme under 42 U.S.C. § 1320d-6; $250,000/10 years applies only to the highest tier (intent to sell/use for gain)." → ✅ verified (resolved in dbeca1a)
  • L116 in content/what-is/what-is-hipaa.md "HHS's [HIPAA Compliance and Enforcement] link." → ✅ verified (resolved in dbeca1a)
  • L127 in content/what-is/what-is-hipaa.md "Encryption of ePHI is classified as an addressable specification under the HIPAA Security Rule." → ✅ verified
  • L127 in content/what-is/what-is-hipaa.md "Properly encrypted ePHI data that is exposed is exempt from HIPAA breach notification requirements." → ✅ verified
  • L129 in content/what-is/what-is-hipaa.md "The HIPAA breach notification reporting deadline is 60 days." → ✅ verified
  • L132 in content/what-is/what-is-hipaa.md "HITRUST CSF certification is a way to demonstrate HIPAA controls through a single, structured assessment that customers and auditors recognize." → ✅ verified
  • L136 in content/what-is/what-is-hipaa.md "HHS has explicitly confirmed that covered entities and business associates may use cloud infrastructure to handle ePHI, including major providers like AWS, Azure, and Google Cloud." → ✅ verified
  • L138 in content/what-is/what-is-hipaa.md "AWS, Azure, and Google Cloud all have standard business associate agreements (BAAs) available for accounts handling PHI." → ✅ verified
  • L142 in content/what-is/what-is-hipaa.md "The cloud provider's BAA covers the platform's security; the customer remains responsible for everything they configure on top." → ✅ verified
  • L146 in content/what-is/what-is-hipaa.md "TLS 1.2+ is recommended for transit encryption of ePHI." → ✅ verified
  • L146 in content/what-is/what-is-hipaa.md "TLS 1.2+ is specified as the standard for ePHI in transit in HIPAA-compliant cloud infrastructure." → ✅ verified
  • L148 in content/what-is/what-is-hipaa.md "Pulumi ESC can be used to centralize secrets management for HIPAA-compliant infrastructure." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L149 in content/what-is/what-is-hipaa.md "Pulumi Policies in CI block insecure configurations (public S3, missing encryption, non-HIPAA-eligible service usage) before they merge." → ✅ verified (updated in c92ba62: deprecated "CrossGuard" term replaced with current product name "Pulumi Policies"; underlying capability claim unchanged and verified)
  • L161 in content/what-is/what-is-hipaa.md "HITECH (2009) extended HIPAA's reach to business associates, increased penalties, mandated breach notification, and incentivized electronic health record adoption." → ✅ verified
  • L169 in content/what-is/what-is-hipaa.md "HHS does not issue HIPAA certifications." → ✅ verified
  • L173 in content/what-is/what-is-hipaa.md "HHS has explicitly confirmed that covered entities and business associates may use cloud infrastructure for PHI, provided the cloud provider signs a BAA." → ✅ verified
  • L177 in content/what-is/what-is-hipaa.md "Properly encrypted PHI that is lost or exposed is exempt from HIPAA breach notification requirements." → ✅ verified
  • L181 in content/what-is/what-is-hipaa.md "For HIPAA breaches affecting fewer than 500 individuals, the covered entity must notify each affected individual within 60 days of discovery and HHS within 60 days of year-end." → ✅ verified
  • L185 in content/what-is/what-is-hipaa.md "Criminal HIPAA violations can carry fines up to $250,000 and up to 10 years in prison." → ✅ verified (framing: strengthened — the claim states "can carry … up to $250,000 and up to 10 years in prison" without specifying the tier; sources confirm the maximum criminal HIPAA penalty at the highest tier is up to $250,000 and up to 10 years in prison.)
  • L189 in content/what-is/what-is-hipaa.md "HIPAA is US law and applies to PHI handled by US covered entities and their business associates regardless of where the data is processed." → ✅ verified
  • L189 in content/what-is/what-is-hipaa.md "A non-US vendor handling PHI for a US healthcare provider is still a business associate and must comply with HIPAA." → ✅ verified
  • L189 in content/what-is/what-is-hipaa.md "GDPR's special-category data rules apply in the EU independently of and potentially in addition to HIPAA." → ✅ verified
  • L193 in content/what-is/what-is-hipaa.md "Many healthcare vendors maintain SOC 2 + HITRUST certifications specifically to show HIPAA readiness to customers." → ✅ verified
  • L197 in content/what-is/what-is-hipaa.md "Pulumi helps engineering teams put the controls behind HIPAA into version-controlled infrastructure: encrypted storage by default, least-privilege IAM, secrets…" → ✅ verified
  • L201-205 in content/what-is/what-is-hipaa.md "The page cross-references 'What is Configuration Management?' at /what-is/what-is-configuration-management/." → ✅ verified

🚨 Outstanding in this PR

No outstanding issues. This PR is ready to merge.

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

  • [L148] content/what-is/what-is-hipaa.md: "Pulumi ESC can be used to centralize secrets management for HIPAA-compliant infrastructure." The product page at /product/esc/ exists and ESC is positioned as Pulumi's environments/secrets/configuration service, so the generic capability claim is sound on its face; the verifier ran out of turns rather than finding a contradiction. Not a blocker. Author question: is there a specific Pulumi ESC + healthcare/HIPAA case study or doc you want this to point at (e.g., a customer story or an ESC reference architecture), or is the current phrasing — ESC as a generic secrets-centralization option alongside Vault and Key Vault — the intended scope?

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

  • [L71] Privacy Rule year cell corrected: was 2003 (compliance deadline); now 2000 (issuance year), with (Modified 2002; compliance 2003.) note. (present in dbeca1a)
  • [L72] Security Rule year cell corrected: was 2005 (compliance deadline); now 2003 (publication date February 20, 2003), with (Compliance 2005.) note. (present in dbeca1a)
  • [L114] Criminal-tier sentence rewritten to separate all three tiers under 42 U.S.C. § 1320d-6 with their respective maximums; $250K/10yr now correctly attributed to the highest tier (intent to sell/use for gain). (present in dbeca1a)
  • [L116] Anchor text changed from "Annual Adjustments to Civil Monetary Penalties" to "HIPAA Compliance and Enforcement" to match the actual page, with a descriptive note that it links to the most recent inflation adjustments. (present in dbeca1a)

📜 Review history

  • 2026-05-19T15:57:36Z — Four factual issues: two rule-table year cells (Privacy/Security) mix compliance dates with publication dates; criminal-tier sentence misattributes the $250K/10-yr max to the lowest tier; one HHS anchor-text/URL mismatch. (172f419)
  • 2026-05-19T16:30:00Z — re-reviewed after fix push (1 new commit, 64e1641); all 4 outstanding items resolved by @alexleventer on request.
  • 2026-05-19T16:55:00Z — history rewritten since last review (force-push by @CamSoper); re-reviewed against HEAD (dbeca1a). Author updated to alex-leventer; content body unchanged; 0 outstanding, 1 low-confidence unchanged.
  • 2026-05-19T17:20:00Z — re-reviewed after fix push (1 new commit, c92ba62); deprecated "CrossGuard" term replaced with "Pulumi Policies" per @CamSoper mention; no outstanding findings introduced or resolved.

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)
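
The policy-as-code gate that the PR summary mentions ("Concrete recommendations using ESC, CrossGuard, IAM, and logging") and that the verification trail restates ("Pulumi Policies in CI block insecure configurations (public S3, missing encryption, non-HIPAA-eligible service usage) before they merge"), as an added example. This is not code from the PR, from the rewritten article, or from Pulumi: it models the checks in plain Python so it runs offline, where a real policy pack would put the body of `check_resource` inside a ResourceValidationPolicy's validate callback. The resource type tokens and property names are the Pulumi AWS provider's; the HIPAA-eligible allowlist, the rule identifiers, the resource names and the sample stack are constructed for this example.

```python
"""Policy-as-code gate for ePHI-bearing infrastructure (added illustration).

Fails a CI run when a stack contains a public S3 bucket, an unencrypted data
store, an internet-reachable database, or a resource from a service that is
not on the team's BAA-covered allowlist. Resource type tokens and property
names follow the Pulumi AWS provider; everything else here is constructed.
"""
from dataclasses import dataclass

# Assumption: a team-maintained allowlist of "provider:module" prefixes whose
# services the cloud provider's BAA covers. A real list comes from the
# provider's HIPAA-eligible services page, not from this file.
HIPAA_ELIGIBLE_SERVICES = {"aws:s3", "aws:rds", "aws:kms", "aws:iam", "aws:cloudtrail"}

# Canned S3 ACLs that grant anonymous or any-AWS-account read access.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


@dataclass(frozen=True)
class Violation:
    resource: str   # logical name of the offending resource
    rule: str       # short policy identifier (constructed for this example)
    message: str


def service_of(type_token: str) -> str:
    """'aws:s3/bucket:Bucket' -> 'aws:s3' (provider plus module)."""
    provider, module, _ = type_token.split(":", 2)
    return f"{provider}:{module.split('/', 1)[0]}"


def check_resource(name: str, type_token: str, props: dict) -> list[Violation]:
    """Evaluate one resource's declared properties against the gate's rules."""
    found: list[Violation] = []

    if service_of(type_token) not in HIPAA_ELIGIBLE_SERVICES:
        found.append(Violation(name, "service-not-hipaa-eligible",
                               f"{type_token} is not on the BAA-covered allowlist"))

    if type_token == "aws:s3/bucket:Bucket":
        if props.get("acl") in PUBLIC_ACLS:
            found.append(Violation(name, "s3-no-public-acl",
                                   f"bucket ACL {props['acl']!r} exposes objects publicly"))
        if not props.get("serverSideEncryptionConfiguration"):
            found.append(Violation(name, "s3-encryption-at-rest",
                                   "bucket has no server-side encryption configuration"))

    if type_token == "aws:rds/instance:Instance":
        if not props.get("storageEncrypted"):
            found.append(Violation(name, "rds-storage-encrypted",
                                   "RDS storage is not encrypted at rest"))
        if props.get("publiclyAccessible"):
            found.append(Violation(name, "rds-not-public",
                                   "RDS instance is reachable from the internet"))

    return found


def check_stack(resources: list[tuple[str, str, dict]]) -> list[Violation]:
    """Run every (name, type, props) triple through check_resource.

    An empty result means the stack may merge; anything else blocks it.
    """
    return [v for name, t, props in resources for v in check_resource(name, t, props)]


def sample_stack() -> list[tuple[str, str, dict]]:
    """Constructed input: each weak resource next to its corrected form."""
    sse = {"rule": {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}}
    return [
        ("phi-archive-bad", "aws:s3/bucket:Bucket", {"acl": "public-read"}),
        ("phi-archive-ok", "aws:s3/bucket:Bucket",
         {"acl": "private", "serverSideEncryptionConfiguration": sse}),
        ("ehr-db-bad", "aws:rds/instance:Instance",
         {"storageEncrypted": False, "publiclyAccessible": True}),
        ("ehr-db-ok", "aws:rds/instance:Instance",
         {"storageEncrypted": True, "publiclyAccessible": False}),
        # Hypothetical resource from a service absent from the allowlist above.
        ("scratch-vm", "aws:lightsail/instance:Instance", {}),
    ]


def run_example() -> list[tuple[str, str]]:
    """Return (resource, rule) pairs so the outcome can be checked, not just printed."""
    return [(v.resource, v.rule) for v in check_stack(sample_stack())]


if __name__ == "__main__":
    for resource, rule in run_example():
        print(f"BLOCK {resource}: {rule}")
```

The gate treats encryption at rest as mandatory even though the Security Rule lists it as an addressable specification; that is the engineering choice the rewritten article argues for, since an addressable requirement that is not implemented needs a written rationale, and a CI policy is cheaper than the memo. Keeping the allowlist in version control next to the policy also gives the "non-HIPAA-eligible service usage" check a reviewable history.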

@github-actions (Contributor)

🤖 Review regenerated on @CamSoper's request.

@github-actions github-actions Bot added review:outstanding-issues Claude review completed; outstanding has author-actionable findings and removed review:in-progress Claude review is currently running labels May 19, 2026
@alexleventer (Contributor, Author)

@claude - fix all the outstanding items and then #update-review

@github-actions github-actions Bot added review:in-progress Claude review is currently running and removed review:outstanding-issues Claude review completed; outstanding has author-actionable findings labels May 19, 2026
@github-actions (Contributor)

🤖 Review updated on @alexleventer's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026
@CamSoper (Contributor) left a comment

@claude rebase this branch, change the author to alex-leventer, and #update-review

@github-actions github-actions Bot added review:in-progress Claude review is currently running and removed review:no-blockers Claude review completed cleanly; outstanding is empty labels May 19, 2026
…technical details

- Rewrites the HIPAA article with accurate rule years, correct criminal-tier
  framing (three tiers under 42 U.S.C. § 1320d-6), and improved structure
- Updates author to alex-leventer
- Adds PHI identifier list, Security Rule safeguards table, violations section,
  cloud infrastructure patterns, and detailed FAQ

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pulumi-bot pulumi-bot force-pushed the aleventer/what-is-hipaa-rewrite branch from 64e1641 to dbeca1a Compare May 19, 2026 17:51
@github-actions (Contributor)

🤖 Review updated on @CamSoper's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026
@CamSoper (Contributor) left a comment

@claude Remove all references to CrossGuard (deprecated term) and #update-review

@github-actions github-actions Bot added review:in-progress Claude review is currently running and removed review:no-blockers Claude review completed cleanly; outstanding is empty labels May 19, 2026
…licies

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions (Contributor)

🤖 Review updated on @CamSoper's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026
@CamSoper CamSoper enabled auto-merge (squash) May 19, 2026 19:46
@CamSoper CamSoper merged commit 1b9f65c into master May 19, 2026
9 checks passed
@CamSoper CamSoper deleted the aleventer/what-is-hipaa-rewrite branch May 19, 2026 19:47