Saying you're 'HIPAA compliant' means your organisation has implemented the administrative, physical, and technical safeguards required by the Health Insurance Portability and Accountability Act of 1996 and its subsequent rules. HIPAA doesn't issue compliance certificates. There's no federal checklist you submit and no government approval you receive. Instead, HIPAA compliance is a continuous operational state: a set of policies, procedures, and practices that your organisation maintains on an ongoing basis to protect the privacy and security of protected health information (PHI).
The term 'HIPAA compliant' is widely used in healthcare, technology, and business contexts, sometimes loosely. A vendor claiming its software is 'HIPAA compliant' means the software has features that can support HIPAA-covered operations; it does not mean the software has been certified by HHS or that using it automatically makes you compliant. Compliance is an organisational responsibility, not a product feature. You can use HIPAA-compliant software tools and still fail compliance if your policies, access controls, training, and breach response procedures aren't also in place.
True HIPAA compliance spans four federal rules (Privacy, Security, Breach Notification, and the 2013 Omnibus Rule), each with specific requirements that covered entities and their business associates must meet. Together, these rules govern who can access PHI, how it must be secured, what patients must be told about their rights, and what happens when PHI is impermissibly disclosed. Understanding what compliance actually requires helps organisations build real protection rather than the appearance of it.
PHI (protected health information) is defined broadly under HIPAA. It includes any individually identifiable health information: diagnoses and medical conditions, treatment records and clinical notes, prescriptions and pharmacy records, lab results, billing and insurance information, appointment records, and any other information that relates to a person's past, present, or future physical or mental health and that could be used to identify the individual.
PHI is protected in all formats: electronic records (ePHI), paper records, and verbal communications. Health information is PHI when it is individually identifiable; HIPAA's Safe Harbor de-identification standard lists 18 identifiers that must be removed, including names, dates more specific than a year (birth, admission, discharge, death), geographic subdivisions smaller than a state, phone numbers, email addresses, Social Security numbers, device identifiers and serial numbers, and several others. Health information that has been properly de-identified, either by removing all 18 Safe Harbor identifiers (with no actual knowledge that the remainder could identify the individual) or by a documented expert determination that the re-identification risk is very small, is no longer PHI and falls outside HIPAA's scope.
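As an added illustration (example code written for this page, not from HHS or any EHR vendor), the Python below applies the Safe Harbor method to a constructed patient record: it drops direct identifiers, reduces dates to the year, truncates ZIP codes to three digits (or to 000 for low-population prefixes), collapses ages of 90 and over into a single bucket, and then rescans the result for identifier patterns. The field names, the restricted ZIP prefix set, and the sample record are assumptions made for the example.

```python
"""Safe Harbor de-identification of a patient record.

Added example for this page; field names, RESTRICTED_ZIP3 and the sample
record are assumptions, not data from any real system.
"""
from __future__ import annotations

import re

# Fields that are direct identifiers and must be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "phone", "fax", "email", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# Date fields tied to the individual: only the year may be kept.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# 3-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Constructed set for this example; use current census figures in practice.
RESTRICTED_ZIP3 = {"036", "059", "063"}

ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_PATTERN = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL_PATTERN = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def generalize_date(value: str) -> str:
    """Keep the year of an ISO date; anything unrecognised is redacted."""
    return value[:4] if ISO_DATE.fullmatch(value) else "REDACTED"


def generalize_zip(value: str) -> str:
    """Keep the first three digits unless the prefix is restricted."""
    zip3 = value[:3]
    return "000" if not zip3.isdigit() or zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into a single 90+ bucket."""
    return "90+" if age >= 90 else str(age)


def deidentify(record: dict) -> dict:
    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key] = generalize_date(str(value))
        elif key == "zip":
            out[key] = generalize_zip(str(value))
        elif key == "age":
            out[key] = generalize_age(int(value))
        else:
            out[key] = value
    # Edge case: for a 90+ patient even the birth year is indicative of age.
    if out.get("age") == "90+" and "dob" in out:
        out["dob"] = "REDACTED"
    return out


def residual_identifiers(record: dict) -> list[str]:
    """Rescan a record for fields that still look like Safe Harbor identifiers."""
    issues = []
    for key, value in record.items():
        text = str(value)
        if key in DIRECT_IDENTIFIERS:
            issues.append(key)
        elif SSN_PATTERN.search(text):
            issues.append(f"{key}: SSN pattern")
        elif ISO_DATE.fullmatch(text):
            issues.append(f"{key}: full date")
        elif EMAIL_PATTERN.search(text):
            issues.append(f"{key}: email address")
        elif PHONE_PATTERN.search(text):
            issues.append(f"{key}: phone number")
    return issues


SAMPLE_RECORD = {  # constructed sample, not a real patient
    "name": "Jane Q. Patient",
    "ssn": "123-45-6789",
    "phone": "555-123-4567",
    "dob": "1931-04-12",
    "age": 93,
    "zip": "03601",
    "admit_date": "2024-02-03",
    "diagnosis": "E11.9",
    "notes": "Follow-up in clinic, A1c improving",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The rescan at the end is the check a practitioner actually wants: structured fields are easy to strip, but free-text notes routinely carry names, dates and phone numbers, so the output should be searched for identifier patterns before it is treated as de-identified. Safe Harbor also requires that the entity has no actual knowledge the remaining data could identify the person, which no script can verify for you.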
The concept of 'minimum necessary' is foundational to how PHI must be handled day-to-day. Under the Privacy Rule, covered entities must make reasonable efforts to limit the use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose. This doesn't apply to disclosures to, or requests by, a healthcare provider for treatment (a consulting physician can share the full record needed to treat a patient), to disclosures to the patient, or to uses made under the patient's written authorisation, but it applies to disclosures for payment, healthcare operations, and most other purposes.
Implementing minimum necessary practices means setting access controls so that administrative staff see only the PHI their role requires, not every element of a patient's record, and ensuring that PHI isn't shared more broadly than necessary even within the organisation.
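An added example (written for this page, not the policy of any particular organisation) of enforcing minimum necessary in code: a hypothetical role-to-field policy filters a record for payment and operations purposes, the treatment exception returns the full record to a clinician, and the same policy trims an outbound request for PHI down to the fields the role is entitled to ask for. The role names, field names and sample record are assumptions.

```python
"""Minimum-necessary filtering of PHI by workforce role.

Added example for this page. The role-to-field policy below is hypothetical;
a real policy comes from the organisation's own minimum-necessary analysis.
"""
from __future__ import annotations

# Purposes the Privacy Rule permits without patient authorisation.
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}

# Fields each role needs for payment/operations work (hypothetical policy).
ROLE_FIELDS = {
    "scheduler": {"patient_id", "name", "phone", "appointment"},
    "billing": {"patient_id", "name", "insurance_id", "procedure_codes", "balance"},
    "clinician": {"patient_id", "name", "dob", "appointment", "procedure_codes",
                  "diagnosis", "medications", "notes"},
}


class AccessDenied(Exception):
    """Raised when a role or purpose is outside policy."""


def minimum_necessary_view(record: dict, role: str, purpose: str) -> dict:
    """Return the subset of a record a role may see for a given purpose.

    Treatment disclosures are exempt from minimum necessary, so a clinician
    requesting a record for treatment gets the whole thing. Everything else
    is trimmed to the role's field list.
    """
    if role not in ROLE_FIELDS:
        raise AccessDenied(f"unknown role {role!r}")
    if purpose not in PERMITTED_PURPOSES:
        # Other purposes need a patient authorisation check, simplified to deny.
        raise AccessDenied(f"purpose {purpose!r} requires authorisation")
    if purpose == "treatment":
        if role != "clinician":
            raise AccessDenied("only clinical roles may access PHI for treatment")
        return dict(record)
    allowed = ROLE_FIELDS[role]
    return {key: value for key, value in record.items() if key in allowed}


def limit_request(requested: set[str], role: str) -> tuple[set[str], set[str]]:
    """Minimum necessary also applies to requests: return (allowed, excess)."""
    if role not in ROLE_FIELDS:
        raise AccessDenied(f"unknown role {role!r}")
    allowed = requested & ROLE_FIELDS[role]
    return allowed, requested - allowed


SAMPLE_RECORD = {  # constructed sample, not a real patient
    "patient_id": "P-1003",
    "name": "Jane Q. Patient",
    "dob": "1958-07-22",
    "phone": "555-123-4567",
    "insurance_id": "PLAN-44817",
    "balance": 120.0,
    "procedure_codes": ["99213"],
    "appointment": "2024-03-11T09:00",
    "diagnosis": "E11.9",
    "medications": ["metformin"],
    "notes": "A1c improving",
}

if __name__ == "__main__":
    print(minimum_necessary_view(SAMPLE_RECORD, "billing", "payment"))
    print(limit_request({"name", "diagnosis", "balance"}, "billing"))
```

The point of keeping the policy as data rather than scattered `if` statements is that it becomes the document you hand to an auditor: the role list and the fields each role can see are exactly what the Privacy Rule asks you to define, and a change to the policy is a reviewable change rather than a hidden code path.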
The Privacy Rule establishes patients' rights over their health information and defines when PHI may be used or disclosed without patient authorisation. It requires covered entities to provide a Notice of Privacy Practices, honour patient requests to access and amend their records, and document all policies governing PHI use. The Privacy Rule applies to PHI in all formats (paper, electronic, and verbal). It's the foundation of patients' healthcare privacy rights under federal law.
The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic PHI (ePHI) specifically. Administrative safeguards include risk analysis, risk management, workforce training, and contingency planning. Physical safeguards cover facility access controls, workstation security, and device and media controls. Technical safeguards require access controls, audit controls, integrity controls, person or entity authentication, and transmission security. The cornerstone requirement is a documented, accurate and thorough risk analysis; the rule itself sets no fixed frequency, but OCR expects it to be repeated periodically and whenever the environment changes materially, and an annual cycle is the common practice.
The Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI (PHI that has not been encrypted or destroyed in line with HHS guidance). HHS must be notified at the same time for breaches affecting 500 or more individuals, and within 60 days after the end of the calendar year for smaller breaches; prominent media outlets must be notified when a breach affects more than 500 residents of a state or jurisdiction. Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery (BAAs commonly require a shorter window). Since the 2013 Omnibus Rule, any impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless the entity can demonstrate, through a documented four-factor risk assessment (the nature and extent of the PHI, who received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated), that there is a low probability the PHI was compromised; the earlier 'significant risk of harm' standard no longer applies.
The 2013 Omnibus Rule extended HIPAA compliance obligations directly to business associates (and their subcontractors), strengthened breach notification requirements by replacing the harm standard with the presumption-of-breach approach, expanded patients' rights (including the right to restrict disclosures to a health plan when the patient has paid for the service out of pocket in full), and increased penalties. The Omnibus Rule also addressed the use of PHI for marketing and fundraising and established new restrictions on the sale of PHI. Business associates became directly liable for HIPAA violations under the Omnibus Rule, not just contractually obligated through Business Associate Agreements.
HIPAA's compliance requirements apply to two categories of entities: covered entities and business associates. Understanding which category you fall into, and what obligations each carries, is the first step in determining what compliance means for your specific organisation.
Covered entities are the three types of organisations directly regulated by HIPAA: healthcare providers who transmit health information electronically in connection with a HIPAA standard transaction such as claims or eligibility checks (physicians, hospitals, pharmacies, nursing homes, labs, and many others), health plans (insurance companies, HMOs, employer-sponsored health plans, Medicare and Medicaid programmes), and healthcare clearinghouses (organisations that process nonstandard health information into standard formats). If your organisation falls into any of these three categories, you are a covered entity with full HIPAA compliance obligations under all four rules.
Business associates are organisations or individuals that create, receive, maintain, or transmit PHI on behalf of a covered entity in the course of performing services for that entity. This category includes a broad range of organisations: medical billing companies, transcription services, EHR vendors, cloud storage providers who store ePHI, law firms that work on healthcare matters, consultants who have access to PHI, and any other third party that handles PHI as part of their service delivery.
Business associates must sign Business Associate Agreements (BAAs) with their covered entity clients and are directly subject to the Security Rule, the Breach Notification Rule, and the Privacy Rule provisions that apply to them, including the use and disclosure limits set out in the BAA.
Subcontractors of business associates (companies hired by a business associate to perform services involving PHI) are also business associates under HIPAA and must sign BAAs with their upstream business associate. This chain of accountability means that PHI protection obligations travel through the entire service supply chain. A covered entity is responsible for having BAAs with its direct business associates, but business associates are responsible for flowing those protections down to their own vendors and subcontractors.
Workforce members of covered entities and business associates are not themselves directly subject to HIPAA as individual regulatory targets, but they must comply with their employer's HIPAA policies and can face employment consequences and potentially criminal charges for wilful PHI violations. HIPAA training for all workforce members who handle PHI is a required element of both covered entity and business associate compliance programmes, making workforce awareness a critical component of any organisation's compliance posture.
Administrative safeguards are the policies and procedures that manage the selection, development, and maintenance of security measures. They include the security risk analysis (the cornerstone requirement, repeated periodically and typically annually), the risk management plan, the workforce training programme, access management policies, contingency planning (backup and recovery), and periodic evaluation of security effectiveness. Administrative safeguards are the management framework within which all other safeguards operate.
Physical safeguards are controls that protect the physical facilities and equipment where ePHI is stored or accessed. They include facility access controls (who can enter server rooms and areas with computers), workstation use and security policies (where ePHI can be accessed and how workstations must be secured), and device and media controls (how devices and media containing ePHI are tracked, moved, reused, and disposed of). Physical safeguards protect against unauthorised physical access to systems containing ePHI.
Technical safeguards are the technology and associated policies for protecting ePHI and controlling access to it. They include unique user identification (no shared login credentials), emergency access procedures, automatic logoff from inactive sessions, audit logging of access to ePHI, integrity controls that detect unauthorised modification, person or entity authentication, and transmission security for ePHI in transit. Some of these specifications (unique user identification, audit controls, authentication) are required; others (automatic logoff, encryption at rest and in transit) are addressable, meaning an organisation that does not implement them must document why not and what equivalent measure it uses instead. Because encrypted ePHI is not 'unsecured PHI' under the Breach Notification Rule, encryption also takes a lost device or intercepted message out of the notification obligation, which is why it is rarely sensible to skip. Technical safeguards are the security controls built into the systems and software that handle ePHI.
HIPAA requires covered entities and business associates to maintain written policies and procedures implementing all required safeguards, and to retain documentation for at least six years from its creation or the date it was last in effect, whichever is later. Required documentation includes the results of each risk analysis, risk management plans, workforce training records, access authorisation records, and Business Associate Agreements. Documentation is what you present during a HIPAA audit or investigation.
Software can support HIPAA compliance when it includes the technical features needed to protect ePHI and when the vendor will sign a Business Associate Agreement; no product is compliant on its own, because compliance is a property of how your organisation configures, uses, and governs the tool. Key technical features to verify:
Standard email sends messages without end-to-end protection and gives the sender no control over where copies are stored or forwarded, so on its own it does not meet the Security Rule's transmission security and access control expectations for ePHI. To send PHI by email compliantly:
HHS's Office for Civil Rights (OCR) enforces HIPAA and can investigate complaints, conduct compliance audits, and impose civil monetary penalties (CMPs) for violations. The penalty structure has four tiers based on the covered entity's or business associate's culpability ('did not know', 'reasonable cause', 'wilful neglect corrected within 30 days', and 'wilful neglect not corrected'), with penalty amounts scaling sharply with culpability.
The penalty ranges are significant. The statutory amounts are $100 to $50,000 per violation depending on the tier, with a cap of $1.5 million per violation category per calendar year; both figures are adjusted for inflation each year, so the current per-violation maximum and annual cap are roughly $70,000 and $2 million respectively. Each impermissible disclosure of a different patient's PHI can be treated as a separate violation.
Large-scale breaches involving millions of patient records have produced multi-million dollar settlements. Anthem paid $16 million in 2018, then the largest HIPAA settlement, after a cyberattack exposed the records of nearly 79 million people. Advocate Health Care paid $5.55 million in 2016 following breaches affecting roughly 4 million patients, and Premera Blue Cross paid $6.85 million in 2020 over a breach affecting more than 10 million individuals. Several other large hospital systems and health plans have settled in the seven- and eight-figure range.
The most common causes of HIPAA enforcement actions include: failure to conduct a risk analysis, unauthorised access to PHI (including insider snooping), failure to implement access controls, missing or inadequate Business Associate Agreements, failure to provide patients access to their records within the required timeframe, and inadequate safeguards for portable devices containing ePHI. Many of these are preventable with consistent policy implementation and staff training.
Criminal penalties under HIPAA are enforced by the Department of Justice rather than OCR. Knowingly obtaining or disclosing PHI in violation of HIPAA carries penalties up to $50,000 and one year in prison. Violations committed under false pretences carry penalties up to $100,000 and five years.
Violations with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm carry penalties up to $250,000 and ten years in prison. Healthcare insiders who access and misuse patient records (including viewing the records of celebrities, ex-partners, or family members without authorisation) have faced federal criminal prosecution under these provisions.
Achieving HIPAA compliance is an organisational process, not a one-time event. The steps below describe the core activities that covered entities and business associates must undertake, not as a finite project but as an ongoing operational commitment.
The mandatory starting point is the security risk analysis. This formal assessment identifies all systems and workflows that create, receive, maintain, or transmit ePHI; assesses the threats and vulnerabilities to that ePHI; evaluates the likelihood and impact of each identified risk; and documents the current safeguards in place.
The risk analysis drives everything else in the compliance programme: it tells you where your gaps are and what your risk management plan needs to address. HHS has published a Security Risk Assessment Tool (available at healthit.gov) that small and medium healthcare organisations can use to conduct and document their risk analysis.
The risk management plan turns risk analysis findings into action. For each significant risk identified, the plan specifies what safeguard will be implemented to reduce the risk to an acceptable level, who is responsible for implementation, and the timeline. HHS regulations require that risk be reduced to a 'reasonable and appropriate' level, not eliminated: perfect security isn't achievable, so risk is managed to a level commensurate with the sensitivity of the PHI and the organisation's size, complexity, and resources.
After the risk analysis and management plan, policy and procedure development formalises how your organisation implements all required safeguards. Written policies must address every addressable and required specification in the HIPAA Security Rule, and Privacy Rule policies must address patient rights, permitted disclosures, and workforce responsibilities for PHI handling. Policies should be reviewed and updated at least annually, and also after each risk analysis, after any significant system change, and after any breach or near-miss incident that reveals a policy gap.
Business Associate Agreement management is a specific compliance obligation that many organisations underestimate. You must identify every third party that handles PHI on your behalf, ensure each has a signed BAA in place, and review BAAs when vendor relationships or services change materially. BAAs without the required provisions (including the business associate's obligations to comply with the Security Rule, report breaches and security incidents, flow the same terms down to subcontractors, and return or destroy PHI at termination) are non-compliant even when signed.
Small healthcare practices and small business associates face the same HIPAA compliance requirements as large hospital systems; the regulations don't scale their requirements by organisation size. What does scale is the level of implementation that's considered 'reasonable and appropriate': a solo practitioner's compliance programme will look different from a 500-bed hospital's, reflecting different resources, PHI volumes, and risk profiles.
HHS acknowledges this through the concept of 'addressable' specifications in the Security Rule. Addressable does not mean optional: the organisation must assess whether the specification is reasonable and appropriate for its environment and, if so, implement it; if not, it must document the reasoning and implement an equivalent alternative measure where one is reasonable and appropriate. Required specifications must be implemented as stated.
For small practices, the most practical starting points are the HHS Security Risk Assessment Tool, OCR's Security Rule and Privacy Rule guidance at hhs.gov, and advice from a healthcare attorney or HIPAA consultant when facing complex questions about BAAs, breach determinations, or Privacy Rule exceptions. Many small practices also use their EHR vendor as a practical starting point: EHR vendors typically provide HIPAA-related documentation about their platform and include standard BAA templates in their service agreements, giving small practices a foundation to build on. A vendor's documentation covers only the vendor's side of the shared responsibility, so the practice still owns its own risk analysis, policies, training, and access decisions.
Small business associates (marketing agencies, IT managed service providers, legal firms, and others who handle PHI incidentally) sometimes don't recognise that they're business associates with direct HIPAA obligations. If your company accesses PHI in the course of performing services for a healthcare covered entity, you're a business associate regardless of how central healthcare is to your business model. Reviewing all client relationships for PHI access and ensuring BAAs are in place before PHI handling begins is the critical first step for business associates operating in the healthcare space.
HIPAA compliance is not a project with an end date. It's an operational discipline that requires consistent attention across several recurring activities. Organisations that treat compliance as ongoing rather than periodic maintain better security posture and are better positioned to demonstrate good-faith compliance when regulators investigate.
Annual activities include completing and documenting the security risk analysis, reviewing and updating all HIPAA policies and procedures, conducting workforce training with documentation of completion, reviewing all Business Associate Agreements for continued accuracy, testing backup and recovery procedures, and reviewing audit logs for unusual access patterns. These aren't optional; each is tied to a specific regulatory requirement.
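An added example of the audit logging called for under the technical safeguards and the log review listed above (example code for this page, not any EHR's native audit tooling): it parses constructed ePHI access audit lines in a hypothetical key=value format and flags the patterns that recur in enforcement cases: off-hours access by non-clinical roles, bulk access to many distinct patients, access to watch-listed records, and staff opening their own chart through the clinical system. The log format, thresholds, role names and sample lines are assumptions; tune them to the system and review window you actually have.

```python
"""Review ePHI access audit logs for unusual access patterns.

Added example for this page. The line format, role names, thresholds and
SAMPLE_LOG are assumptions; real EHR audit logs differ in layout.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Hypothetical audit line: "<iso-timestamp> user=<id> role=<role> patient=<id> action=<verb>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

CLINICAL_ROLES = {"clinician", "nurse"}   # roles expected to work around the clock
BUSINESS_HOURS = (7, 19)                  # hours (in the log's timezone) when admin access is normal
BULK_THRESHOLD = 25                       # distinct patients per review window per user


def parse_line(line: str) -> dict:
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable audit line: {line!r}")
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def review(lines, watch_list=frozenset(), self_ids=None,
           bulk_threshold=BULK_THRESHOLD) -> list[tuple[str, str, str]]:
    """Return (user, reason, patient) findings for one review window of log lines.

    self_ids maps workforce user ids to their own patient ids, so that staff
    opening their own chart through the clinical system (rather than the
    patient channel) can be flagged for follow-up.
    """
    self_ids = self_ids or {}
    findings: list[tuple[str, str, str]] = []
    patients_per_user: dict[str, set[str]] = defaultdict(set)

    for event in (parse_line(line) for line in lines):
        user, role, patient = event["user"], event["role"], event["patient"]
        patients_per_user[user].add(patient)
        hour = event["ts"].hour
        if role not in CLINICAL_ROLES and not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append((user, "off-hours access by non-clinical role", patient))
        if patient in watch_list:
            findings.append((user, "watch-list patient accessed", patient))
        if self_ids.get(user) == patient:
            findings.append((user, "self-access to own record", patient))

    # Volume check runs per user over the whole window, not per event.
    for user, patients in patients_per_user.items():
        if len(patients) >= bulk_threshold:
            findings.append((user, f"bulk access: {len(patients)} distinct patients", "*"))
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real audit data
    "2024-03-04T02:14:05Z user=jdoe role=billing patient=P-1003 action=view",
    "2024-03-04T23:10:41Z user=rnurse role=nurse patient=P-1003 action=view",
    "2024-03-04T11:02:00Z user=ksmith role=clinician patient=P-0999 action=view",
    "2024-03-04T12:30:12Z user=tng role=clinician patient=P-0777 action=view",
] + [
    f"2024-03-04T10:{i:02d}:00Z user=mlee role=billing patient=P-{2000 + i} action=export"
    for i in range(30)
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, watch_list={"P-0999"}, self_ids={"tng": "P-0777"}):
        print(*finding)
```

Each finding is a lead for a human reviewer, not a verdict: the nurse on a night shift is expected, the billing clerk exporting thirty charts at 10 a.m. may have a legitimate batch job, and the purpose of the review is to document that someone looked and what was concluded. Keep the review output itself, since it is evidence of the audit control operating, and feed confirmed incidents back into the risk analysis.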
Event-driven activities include updating policies and conducting spot training when systems change materially, when new workforce members are hired, when new vendors are engaged, and after any incident (including near-misses) that reveals a gap in the existing programme. Breach investigations should always conclude with a root-cause analysis that feeds back into policy and technical improvements, not just the notification process.
Organisations that invest in compliance culture (where workforce members understand why HIPAA matters and feel empowered to flag potential issues) consistently outperform organisations that treat compliance as a documentation exercise. A large share of reported PHI incidents trace back to workforce error or misuse (misdirected records, lost unencrypted devices, record snooping) rather than to sophisticated external attackers, and a culture where staff ask questions before acting on unclear PHI-handling situations prevents many of the most common violations before they occur.
Documentation discipline is the difference between organisations that survive an audit and those that face enforcement action. When OCR investigates a complaint or breach, it requests written policies, risk analysis records, training logs, and BAAs. An organisation that has genuinely good practices but can't document them faces the same exposure as one that has no practices at all: in enforcement proceedings, undocumented compliance is treated as non-compliance. Building documentation habits into day-to-day operations, not just during annual compliance reviews, ensures that your actual security practices are reflected in the records that matter most when it counts.