Regulatory grid

Every framework that shows up on a cyber-insurance application.

Not exhaustive — focused. We list the frameworks that move outcomes for small practices, in the order they appear on insurer questionnaires, hospital referral surveys, and OCR information requests.

United States — federal (HIPAA core)

HIPAA Security Rule
45 CFR Part 164 Subpart C — administrative, physical, technical safeguards.
HIPAA Privacy Rule
45 CFR Part 164 Subpart E — use and disclosure of PHI, minimum necessary, patient rights.
HIPAA Breach Notification Rule
45 CFR §§164.400–414 — patient notification within 60 days, HHS notification, media notification when 500+ individuals are affected.
HITECH Act
Tiered civil money penalties; statutory home for the Breach Notification Rule.
HHS 405(d) HICP (Small track)
The de facto 'reasonable security' reference OCR points to for small practices.
HHS Cybersecurity Performance Goals (CPGs)
Voluntary, two tiers, Jan 2024 — the language hospital systems use when surveying referral partners.
CMS Medicare MIPS — Promoting Interoperability
Annual Security Risk Analysis is a required measure; failing it triggers payment adjustment.
42 CFR Part 2
Substance-use-disorder records — stricter than HIPAA.
DEA EPCS (21 CFR Part 1311)
Multifactor authentication and identity-proofing requirements distinct from HIPAA.
FDA Premarket Cybersecurity Guidance
Relevant when the practice operates connected medical devices.
FTC Health Breach Notification Rule
Applies to non-HIPAA-covered health apps and PHRs.

United States — state

California CMIA
Broader than HIPAA in several respects; strict notification.
New York SHIELD Act
Reasonable-safeguards requirement for NY residents' health data.
Texas Medical Records Privacy Act (HB 300)
Texas-specific training requirement and stronger penalties.
Washington My Health My Data Act (2024)
Consumer health data outside HIPAA's scope; relevant to wellness offshoots.
FL, IL, CT, MD breach laws
Variations on the federal timeline.
State medical-board cybersecurity expectations
Increasingly part of license-renewal attestations in several states.
All-50-state breach-notification laws
30-, 45-, or 60-day timelines; AG-notification thresholds vary.

Canada

PIPEDA
Federal — applies to private-sector health practices in most provinces.
Ontario PHIPA
Information and Privacy Commissioner of Ontario as regulator.
Alberta HIA
Health Information Act — Alberta-specific.
BC PIPA + HIA
FOIPPA applies to public-sector health entities.
Quebec Law 25
Strengthened general privacy regime with health-information overlay.
Atlantic — NS PHIA, NB PHIPAA, NL PHIA, PEI HIA
Each with its own commissioner.
Canadian Centre for Cyber Security health-sector guidance
Growing reference set, particularly post-LifeLabs.

United Kingdom

UK GDPR + Data Protection Act 2018
Special-category data: health.
NHS Data Security and Protection Toolkit (DSPT)
Annual self-assessment required for GP and dental practices contracting NHS work.
CQC fundamental standards
Increasingly include digital-record and data-protection elements.
National Data Guardian standards

European Union

GDPR Article 9
Special-category data: health — explicit basis required for processing.
NIS2 Directive
Member-state transposition; many small practices below threshold but referral partners often above.
EHDS — European Health Data Space
Emerging; placeholder entry, to be expanded as enforcement clarifies.

Cross-cutting

PCI-DSS
Any practice accepting credit-card copays is in scope; SAQ A or SAQ B-IP is the realistic posture.
Cyber-insurer questionnaires
Coalition, At-Bay, Beazley, Travelers, Chubb, AmTrust, MedPro, The Doctors Company, NORCAL, MagMutual.
OSHA bloodborne-pathogen / right-to-know overlays
Increasingly intersect with electronic safety-data sheets and lab-info systems.