
What Is HIPAA Compliance: Complete Guide to Requirements

This guide explains who HIPAA applies to, the five core HIPAA rules, key HIPAA compliance requirements, common violations, and how to build a HIPAA compliance program that stays audit-ready.

What Is HIPAA Compliance?

HIPAA compliance is the process of meeting federal requirements that protect patient health information from unauthorized access, use, or disclosure. Organizations that handle health data must implement administrative, physical, and technical safeguards, backed by policies and procedures that protect privacy and security across day-to-day operations.

Quick Overview of HIPAA Compliance

A strong HIPAA compliance program typically includes:

  • Understanding who is in scope (covered entities, business associates, and key subcontractors)

  • Applying the HIPAA Privacy, Security, Breach Notification, Enforcement, and Omnibus Rules

  • Implementing administrative, physical, and technical safeguards for PHI and ePHI

  • Managing Business Associate Agreements (BAAs) and third-party risk

  • Training personnel on HIPAA and security awareness

  • Conducting risk assessments, audits, and ongoing monitoring

What Does HIPAA Stand For?

HIPAA stands for the Health Insurance Portability and Accountability Act, a U.S. federal law enacted in 1996. The U.S. Department of Health and Human Services (HHS) enforces HIPAA through its Office for Civil Rights (OCR).

You may see it misspelled as “HIPPA” or “HIPPAA,” but “HIPAA” is the only correct spelling.

What Is Protected Health Information (PHI)?

Protected Health Information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. PHI can appear in medical records, billing information, health plan enrollment data, and any other record that links a person’s identity to their health status or care.

PHI Identifiers Under HIPAA

HIPAA’s Safe Harbor de-identification standard lists 18 identifiers that make health information “individually identifiable.” They include:

  • Names

  • Geographic subdivisions smaller than a state (street address, city, county, ZIP code), except that the first three digits of a ZIP code may be kept when that area contains more than 20,000 people

  • All elements of dates except the year that relate directly to an individual (birth, admission, discharge, death), and any age over 89

  • Phone numbers, fax numbers, and email addresses

  • Social Security numbers

  • Medical record and health plan beneficiary numbers

  • Account, certificate, and license numbers

  • Vehicle identifiers and device serial numbers

  • Web URLs and IP addresses

  • Biometric identifiers (e.g., fingerprints)

  • Full-face photos

  • Any other unique identifying number or code
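The identifier list above is also the Privacy Rule’s Safe Harbor de-identification method: strip the 18 identifiers and the result is no longer PHI. As an added example (not code from the original article or from Drata), the Python below applies that method to a flat record: direct identifiers are dropped, dates are reduced to the year, ages of 90 and over collapse into one category, ZIP codes are cut to three digits or replaced with 000 for sparsely populated prefixes, and any field not explicitly allowed is dropped because “any other unique identifying number or code” is itself an identifier. The field names, sample records and the restricted-prefix subset are assumptions constructed for the example; a real implementation would load the full restricted-prefix list published with the standard.

```python
"""Safe Harbor de-identification of a flat patient record.

Added example. Field names, the sample records and RESTRICTED_ZIP3 are
assumptions constructed for illustration, not taken from the article.
"""
from datetime import date

# Direct identifiers the Safe Harbor method removes outright.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "phone", "fax", "email", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "photo",
}
# Clinical fields that may pass through unchanged. Anything not listed here
# and not handled below is dropped: deny by default, because "any other
# unique identifying number, characteristic, or code" is itself an identifier.
PASS_THROUGH = {"sex", "diagnosis_code", "procedure_code"}
# Three-digit ZIP prefixes whose population is 20,000 or fewer and must be
# reported as 000. Illustrative subset; load the published list in practice.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790"}
AGE_CAP = 90  # ages over 89 collapse into a single "90+" category
AS_OF = date(2024, 5, 3)  # reference date for age calculation in the samples


def generalize_zip(zip_code: str) -> str:
    """First three digits of a ZIP code, or 000 for a restricted prefix."""
    zip3 = zip_code.strip()[:3]
    if len(zip3) != 3 or not zip3.isdigit():
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # dropped outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            dob = date.fromisoformat(value)
            age = age_on(dob, as_of)
            if age >= AGE_CAP:
                out["age"] = f"{AGE_CAP}+"    # birth year would reveal the age, so omit it
            else:
                out["age"] = str(age)
                out["birth_year"] = dob.year  # the year alone is permitted
        elif field.endswith("_date"):
            # Every date element except the year is an identifier.
            out[field[: -len("_date")] + "_year"] = date.fromisoformat(value).year
        elif field in PASS_THROUGH:
            out[field] = value
        # any other field is unknown and dropped by default
    return out


# Constructed sample records (fictional people and values).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001", "sex": "F",
     "zip": "03601", "dob": "1931-02-10", "admit_date": "2024-05-03",
     "diagnosis_code": "E11.9", "clinician_notes": "seen in clinic"},
    {"name": "John Roe", "email": "john@example.com", "sex": "M",
     "zip": "90210-1234", "dob": "1980-07-15", "discharge_date": "2024-05-04",
     "procedure_code": "99213"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(deidentify(rec, AS_OF))
```

The deny-by-default branch is the part most implementations get wrong: free-text fields such as clinician notes routinely carry names, dates and phone numbers, so they cannot pass through a field-level filter and need either removal or a separate redaction pass.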

Electronic Protected Health Information (ePHI)

Electronic Protected Health Information (ePHI) is PHI that is created, received, maintained, or transmitted in electronic form. Because ePHI is exposed to risks such as hacking, network intrusion, and improper access, with healthcare breaches averaging $7.42 million per incident according to IBM's Cost of a Data Breach report, the HIPAA Security Rule sets administrative, physical, and technical safeguards to protect its confidentiality, integrity, and availability.

Who Needs to Be HIPAA Compliant?

HIPAA does not apply to every business. It covers specific entities that handle PHI.

Covered Entities

Covered entities are organizations directly regulated under HIPAA:

  • Healthcare providers: Hospitals, clinics, physicians, dentists, pharmacies, and nursing homes that transmit health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility checks, and the like)

  • Health plans: Insurance companies, HMOs, employer-sponsored health plans, and government programs like Medicare and Medicaid

  • Healthcare clearinghouses: Organizations that process nonstandard health information into standard electronic formats

Business Associates

Business associates are third-party vendors that create, receive, maintain, or transmit PHI on behalf of covered entities. Examples include cloud service providers, billing companies, IT service providers, EHR vendors, and consultants with access to patient data.

Before sharing PHI, covered entities must execute a Business Associate Agreement (BAA) defining how the vendor will protect PHI and meet HIPAA obligations.

Subcontractors and Downstream Vendors

HIPAA’s obligations flow down the chain. Subcontractors that access PHI on behalf of a business associate are also subject to HIPAA and require appropriate contracts and controls.

What Are the Five HIPAA Rules?

Five main rules form HIPAA’s regulatory framework:

HIPAA Privacy Rule

The Privacy Rule establishes national standards for protecting PHI. It:

  • Sets limits on how PHI can be used and disclosed

  • Grants patients rights over their health information (access, amendments, and accounting of disclosures)

  • Requires covered entities to provide a Notice of Privacy Practices

  • Embeds the “minimum necessary” standard, limiting PHI access to what’s required for a specific purpose

HIPAA Security Rule

The Security Rule focuses on safeguarding ePHI. It requires:

  • Administrative, physical, and technical safeguards

  • Protection of the confidentiality, integrity, and availability of ePHI

  • Ongoing risk analysis and risk management

HIPAA Breach Notification Rule

The Breach Notification Rule defines a breach of unsecured PHI (PHI that has not been encrypted or destroyed in line with HHS guidance) and sets notification requirements. After discovering a breach, organizations must:

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery

  • Report breaches affecting 500 or more individuals to HHS at the same time as individuals are notified, and log smaller breaches for an annual submission due within 60 days of the end of the calendar year in which they were discovered

  • Notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction
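The thresholds in the Breach Notification Rule are easy to misapply: HHS reporting turns on 500 or more individuals in total, while media notice turns on more than 500 residents of a single state or jurisdiction, and encrypted PHI is outside the rule altogether. As an added example (not from the original article), the Python below encodes those decisions and the deadline arithmetic. The Breach data shape and the scenario counts are assumptions constructed for the example; the thresholds and the 60-day periods are the rule's own.

```python
"""Breach Notification Rule: who to notify and by when.

Added example, not from the article. The Breach data shape and scenario
counts are assumptions; the thresholds and deadlines are the rule's own.
"""
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFY_WITHIN_DAYS = 60    # individuals and HHS: no later than 60 calendar days after discovery
HHS_IMMEDIATE_MIN = 500    # 500 or more individuals: report to HHS along with individual notice
MEDIA_MIN_PER_STATE = 501  # more than 500 residents of one state or jurisdiction: media notice


@dataclass(frozen=True)
class Breach:
    discovered: date          # date the breach was, or should have been, discovered
    residents_by_state: dict  # state or jurisdiction -> number of affected residents
    secured: bool = False     # PHI encrypted or destroyed per HHS guidance


def obligations(b: Breach) -> dict:
    """Work out which notifications are due and their deadlines."""
    total = sum(b.residents_by_state.values())
    if b.secured:
        # Encrypted or destroyed PHI is not "unsecured PHI", so the notification
        # duties do not apply; the documented analysis is still retained.
        return {"total": total, "individuals_by": None, "hhs": None, "media": []}
    deadline = b.discovered + timedelta(days=NOTIFY_WITHIN_DAYS)
    if total >= HHS_IMMEDIATE_MIN:
        hhs = ("report to HHS with individual notice", deadline)
    else:
        # Smaller breaches go on the annual log, due within 60 days of the end
        # of the calendar year in which the breach was discovered.
        year_end = date(b.discovered.year, 12, 31)
        hhs = ("annual log to HHS", year_end + timedelta(days=NOTIFY_WITHIN_DAYS))
    media = sorted(s for s, n in b.residents_by_state.items() if n >= MEDIA_MIN_PER_STATE)
    return {"total": total, "individuals_by": deadline, "hhs": hhs, "media": media}


# Constructed scenarios (fictional counts) chosen to sit on the thresholds.
EXACTLY_500 = Breach(date(2024, 5, 3), {"CA": 300, "NV": 200})
ONE_STATE_501 = Breach(date(2024, 5, 3), {"CA": 501})
SMALL = Breach(date(2024, 5, 3), {"TX": 499})
ENCRYPTED = Breach(date(2024, 5, 3), {"TX": 499}, secured=True)

if __name__ == "__main__":
    for label, b in [("500 across two states", EXACTLY_500), ("501 in one state", ONE_STATE_501),
                     ("499 individuals", SMALL), ("encrypted device", ENCRYPTED)]:
        print(label, obligations(b))
```

The first scenario shows the asymmetry: 500 people split across two states is an immediate HHS report but no media notice, while 501 in one state triggers both.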

HIPAA Enforcement Rule

The Enforcement Rule defines how HHS investigates potential violations, conducts compliance reviews, and imposes civil monetary penalties.

HIPAA Omnibus Rule

The Omnibus Rule (2013) implemented the HITECH Act changes: it made business associates directly liable for HIPAA compliance, strengthened patient rights, tightened the definition of a breach, and increased penalties for non-compliance.

HIPAA Compliance Requirements

HIPAA compliance requirements fall into several categories. How each organization implements them depends on its size, complexity, and risk profile.

Administrative Safeguards

Administrative safeguards are policies and procedures for managing PHI security, such as:

  • Risk analysis and risk management: Identify threats to PHI and ePHI and implement mitigation plans

  • Workforce training: Train employees and contractors on HIPAA, privacy, and security awareness

  • Access management: Define roles and enforce role-based access for PHI

  • Incident response: Establish a documented incident response plan for detecting, reporting, and responding to security incidents

  • Contingency planning: Maintain data backup, disaster recovery, and emergency operation plans

Physical Safeguards

Physical safeguards protect facilities and equipment that store or process ePHI:

  • Facility access controls: Limit access to data centers, server rooms, and secure areas

  • Workstation security: Define acceptable use and physical placement of devices that access PHI

  • Device and media controls: Govern the receipt, removal, reuse, and secure disposal of devices and media that store ePHI

Technical Safeguards

Technical safeguards are technology controls that protect ePHI:

  • Access controls: Unique user identification, emergency access procedures, automatic logoff, and encryption of stored ePHI, plus person-or-entity authentication to verify that a user is who they claim to be

  • Audit controls: Logging and monitoring of system access to ePHI

  • Integrity controls: Mechanisms to prevent improper alteration or destruction of ePHI

  • Transmission security: Encryption and secure protocols for ePHI in transit

Organizational Requirements

Organizational requirements include:

  • Business Associate Agreements (BAAs): Written contracts with all vendors that handle PHI

  • Group health plan requirements: Specific PHI use and disclosure rules for employer-sponsored health plans

Policies, Procedures, and Documentation

Written policies, procedures, and documentation are essential. HIPAA requires organizations to:

  • Maintain documentation of policies, procedures, and actions taken

  • Retain that documentation for six years from its creation date or the date it was last in effect, whichever is later

  • Make policies available and understandable to the workforce

How to Build a HIPAA Compliance Program

HIPAA compliance is not a single project. It is an ongoing program that combines governance, risk, training, and technical controls.

1. Designate a HIPAA Compliance Officer

The Privacy Rule requires a designated privacy official and the Security Rule a designated security official; one person or a small team can hold both roles. That officer or team:

  • Oversees policies and procedures

  • Coordinates HIPAA and security training

  • Manages incidents and investigations

  • Acts as the primary contact for regulators and auditors

2. Conduct a HIPAA Risk Assessment

Perform a HIPAA-specific risk assessment that:

  • Maps where PHI and ePHI live (systems, vendors, data flows)

  • Identifies threats and vulnerabilities across people, process, and technology

  • Evaluates likelihood and impact

  • Produces a documented risk register and remediation plan

Update this risk assessment at least annually and when your environment changes significantly.

3. Implement Required Safeguards

Implement administrative, physical, and technical safeguards that match your risk assessment. Larger, more complex environments typically require more formalized controls, but all organizations should address each safeguard category.

4. Develop and Maintain Policies and Procedures

Create and maintain written policies that cover:

  • Privacy practices and permitted PHI uses/disclosures

  • Access control and authentication

  • Breach response and notification

  • Device, media, and workstation security

  • Sanctions for policy violations

Review and update policies regularly, and capture acknowledgments from personnel.

5. Train Your Workforce

Provide HIPAA and security awareness training for all workforce members who access PHI or ePHI. Training should cover:

  • HIPAA basics and Privacy/Security Rule requirements

  • Organization-specific policies and procedures

  • Role-based responsibilities and acceptable use

Conduct training at onboarding and at regular intervals (often annually) and retain proof of completion.

6. Manage Business Associates and BAAs

Maintain an accurate inventory of business associates and subcontractors with PHI access. For each:

  • Execute a Business Associate Agreement before PHI is shared

  • Define roles, responsibilities, and breach notification timelines

  • Periodically review vendors' security and privacy posture

7. Monitor and Audit Continuously

Move from point-in-time checks to continuous monitoring by:

  • Reviewing access logs and alerts

  • Testing controls regularly

  • Conducting audits of HIPAA controls and documentation

  • Tracking findings and remediation actions

This helps ensure your HIPAA compliance program keeps pace with technology and regulatory changes.

Common HIPAA Violations (and How to Avoid Them)

Understanding frequent HIPAA violations can help you prioritize controls.

  • Unauthorized access to PHI: Employees viewing records without a legitimate need.

    • Prevention: Enforce role-based access control, strong authentication, audit logs, and “minimum necessary” access.

  • Lack of risk analysis: Failing to perform or document a HIPAA-specific risk assessment, cited in over 75% of 2025 penalties.

    • Prevention: Conduct and update risk assessments, document findings, and track remediation plans.

  • Insufficient access controls: Weak passwords, shared accounts, or missing multi-factor authentication.

    • Prevention: Enforce unique user IDs, strong password policies, MFA, and automatic session timeouts.

  • Unencrypted ePHI: Storing or transmitting ePHI without encryption or equivalent safeguards.

    • Prevention: Use encryption for data at rest and in transit, or document and implement strong compensating controls.

  • Missing Business Associate Agreements: Sharing PHI with vendors without a signed BAA.

    • Prevention: Inventory all vendors with PHI access and execute BAAs before onboarding.
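The audit controls required under the technical safeguards and the “unauthorized access” violation at the top of this list meet in access-log review: the log only prevents snooping if someone runs detections over it. As an added example, not code from the original article or from Drata, the Python below runs five detections a privacy office commonly uses over a constructed EHR access log: access without a documented need to know, a non-clinical role opening the clinical chart (minimum necessary), a workforce member opening their own record, after-hours access by non-clinical staff, and a burst of distinct patients in a short window. The log format, roster, roles and thresholds are assumptions made for the example.

```python
"""Detections over an EHR access log for HIPAA audit-control review.

Added example. The log format, roster, roles and thresholds are
assumptions constructed for illustration, not a real vendor's schema.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (fictional users and patients).
SAMPLE_LOG = """\
ts,user,role,patient_id,action
2024-05-03T09:12:00,rn_alvarez,RN,P100,view_chart
2024-05-03T09:15:00,rn_alvarez,RN,P101,view_chart
2024-05-03T09:40:00,dr_okafor,MD,P100,view_chart
2024-05-03T10:05:00,rn_alvarez,RN,P777,view_chart
2024-05-03T12:02:00,billing_lee,BILLING,P100,view_billing
2024-05-03T12:03:00,billing_lee,BILLING,P100,view_chart
2024-05-03T02:10:00,billing_lee,BILLING,P200,view_billing
2024-05-03T16:00:00,dr_okafor,MD,P900,view_chart
2024-05-03T14:00:00,rn_alvarez,RN,P300,view_chart
2024-05-03T14:01:00,rn_alvarez,RN,P301,view_chart
2024-05-03T14:02:00,rn_alvarez,RN,P302,view_chart
2024-05-03T14:03:00,rn_alvarez,RN,P303,view_chart
2024-05-03T14:04:00,rn_alvarez,RN,P304,view_chart
2024-05-03T14:05:00,rn_alvarez,RN,P305,view_chart
"""

# Who has a documented need to know each patient's record: the care team,
# plus billing staff working an open account. Constructed for the example.
NEED_TO_KNOW = {
    "P100": {"rn_alvarez", "dr_okafor", "billing_lee"},
    "P101": {"rn_alvarez"},
    "P200": {"billing_lee"},
    **{f"P30{i}": {"rn_alvarez"} for i in range(6)},
}
EMPLOYEE_PATIENT = {"dr_okafor": "P900"}  # workforce members who are also patients
CHART_ROLES = {"RN", "MD"}                # roles permitted to open the clinical chart
AFTER_HOURS = range(0, 6)                 # 00:00-05:59; clinical roles work nights, so exempt
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                        # distinct patients per window before flagging


def parse_log(text: str) -> list:
    """Parse the CSV log and sort events chronologically."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(rows, key=lambda r: r["ts"])


def analyze(rows: list, need_to_know=NEED_TO_KNOW, employee_patient=EMPLOYEE_PATIENT) -> list:
    """Return (rule, user, patient_id) findings; patient_id is None for per-user rules."""
    findings = []
    per_user = defaultdict(list)
    for r in rows:
        user, role, patient, action = r["user"], r["role"], r["patient_id"], r["action"]
        if user not in need_to_know.get(patient, set()):
            findings.append(("no_relationship", user, patient))
        if action == "view_chart" and role not in CHART_ROLES:
            findings.append(("role_violation", user, patient))  # minimum necessary
        if employee_patient.get(user) == patient:
            findings.append(("self_access", user, patient))
        if role not in CHART_ROLES and r["ts"].hour in AFTER_HOURS:
            findings.append(("after_hours", user, patient))
        per_user[user].append((r["ts"], patient))
    # Bulk access: more than BULK_THRESHOLD distinct patients inside one window.
    for user, events in per_user.items():
        for i, (ts_i, _) in enumerate(events):
            window = {p for ts, p in events[: i + 1] if ts_i - ts <= BULK_WINDOW}
            if len(window) > BULK_THRESHOLD:
                findings.append(("bulk_access", user, None))
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(finding)
```

Two points matter in practice: the need-to-know roster has to come from the scheduling, encounter or account systems rather than from the EHR's own role table, or the check collapses into role-based access and misses exactly the snooping the Privacy Rule worries about; and the self-access and bulk rules fire for people who are otherwise fully authorized, which is why audit controls are required in addition to access controls.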

HIPAA Violation Penalties

HHS considers factors such as the nature of the violation, the level of negligence, and the resulting harm when determining penalties. Penalties fall into four tiers:

Tier     Culpability level                 Description
Tier 1   Lack of knowledge                 Violation the entity was unaware of and could not have reasonably avoided
Tier 2   Reasonable cause                  Violation due to reasonable cause, not willful neglect
Tier 3   Willful neglect (corrected)       Violation due to willful neglect, corrected within 30 days of when the entity knew or should have known of it
Tier 4   Willful neglect (not corrected)   Violation due to willful neglect, not corrected within that 30-day period

Civil monetary penalties run up to $2,190,294 per violation (the statutory maximum, adjusted annually for inflation; the same figure caps penalties for identical violations in a calendar year). Knowing misuse of PHI can also bring criminal charges, which are pursued by the Department of Justice rather than HHS. Reputational damage and loss of patient trust often far exceed the direct fines.

How to Automate HIPAA Compliance

Manual HIPAA compliance programs built on spreadsheets and ad hoc audits are hard to scale and prone to gaps. HIPAA compliance automation helps organizations:

  • Continuously monitor controls: Track key technical and administrative controls in near real time instead of waiting for annual assessments.

  • Automate evidence collection: Pull configuration data, logs, and other artifacts directly from connected systems instead of collecting screenshots by hand.

  • Maintain a live risk view: Update your risk register as systems, configurations, and vendors change.

  • Streamline policy and training workflows: Manage versions, acknowledgments, and training completion centrally.

How Drata Supports HIPAA Compliance

The Drata Agentic Trust Management Platform unifies compliance, risk, and assurance so you can run a HIPAA compliance program as part of a broader trust strategy, not a one-off project.

For HIPAA, Drata provides:

  • Pre-mapped HIPAA framework: HIPAA is available as a pre-mapped framework in Drata, so requirements are mapped to the Drata Control Framework and can be monitored alongside other frameworks.

  • HIPAA policies in Policy Center: Core HIPAA policies and documentation are available and can be customized, approved, version-controlled, and acknowledged in Drata’s Policy Center.

  • Automated tests and evidence collection: Monitoring tests help you continuously evaluate HIPAA-related controls and keep evidence current across your environment.

  • Risk assessments and treatment: You can complete HIPAA-specific risk assessments in Drata’s risk module, document threats to PHI and ePHI, and track remediation plans in one place.

  • HIPAA training configuration and tracking: Drata lets you configure annual HIPAA training (embedded, internal, or external), capture completion evidence, and determine compliance based on training proof for each person.

  • End-to-end audit support: Drata’s HIPAA checklist and Audit Hub help you work with auditors, upload internal audit results, and maintain ongoing HIPAA compliance, not just one-time readiness.

By centralizing HIPAA controls, policies, risk, training, and evidence in a single platform, Drata helps enterprise GRC, security, and compliance leaders move from manual, reactive HIPAA tasks to continuous, operationalized HIPAA compliance.

FAQs About HIPAA Compliance

Is there an official HIPAA certification?

No. HHS does not offer an official HIPAA certification or accreditation. Organizations may use third-party assessments to evaluate their HIPAA compliance programs, but these are not government-issued certifications.

How long does it take to become HIPAA compliant?

Timelines vary by organization size, complexity, and current maturity. Smaller organizations with a strong security baseline and automation can reach HIPAA compliance faster than large enterprises starting from manual processes.

What is the difference between HIPAA and HITRUST?

HIPAA is a U.S. federal law with regulatory requirements. HITRUST is a certifiable security and privacy framework that incorporates HIPAA and other standards. Many organizations use HITRUST certification to demonstrate alignment with HIPAA requirements.

Does HIPAA apply to employers and employment records?

HIPAA generally does not apply to standard employment records, even if they contain health information. However, employer-sponsored group health plans are covered entities and must comply with HIPAA for plan-related PHI.

How often is HIPAA training required?

HIPAA requires training for new workforce members, retraining when job functions change, and periodic refresher training, but it does not mandate a specific schedule. Many organizations conduct HIPAA training annually and track completion centrally.

What should an organization do after a breach?

Organizations should follow a documented incident response plan: identify and contain the breach, perform and document the risk assessment that determines whether the incident is a reportable breach of unsecured PHI, notify affected individuals without unreasonable delay and no later than 60 days after discovery, report to HHS, and notify the media when the breach affects more than 500 residents of a state or jurisdiction.


APRIL 28, 2026