What is HIPAA compliance? A complete guide

by SecureSlate Team in HIPAA


The Health Insurance Portability and Accountability Act (HIPAA) is a key U.S. regulatory framework for protecting sensitive patient data. For healthcare organizations—and vendors that touch protected health information (PHI)—HIPAA establishes expectations for security, privacy, and patient rights.

HIPAA compliance means following the HIPAA policies and procedures that govern how PHI is created, used, disclosed, stored, transmitted, and disposed of. Since the law’s introduction, the threat landscape has evolved, making it important to treat HIPAA as an ongoing program rather than a one-time audit.

This guide covers:

  • The main objectives of HIPAA
  • Who needs to be HIPAA compliant (covered entities vs. business associates)
  • The core HIPAA rules (and what each one requires)
  • HIPAA violations and penalties (what happens if you’re not compliant)
  • Practical best practices for becoming and staying HIPAA compliant


Key takeaways

  • HIPAA compliance is a program, not a document. You need safeguards, training, vendor controls, and the ability to prove they’re operating with evidence.
  • HIPAA scope expands quickly through vendors. BAAs and subcontractor oversight are as important as your internal security controls.
  • The Privacy Rule sets the “what and when” of PHI disclosure. The Security Rule sets the “how” for protecting electronic PHI (ePHI).
  • Breach notification has strict timelines. If you haven’t rehearsed an incident response process, you’ll struggle to meet deadlines during a real event.
  • Start with PHI flow mapping + risk analysis. Most HIPAA gaps become obvious once you can answer “where PHI lives” and “who can access it.”

What are the main objectives of HIPAA?

HIPAA became law in 1996. Two often-cited objectives are:

  • Protect health insurance coverage for employees when they change jobs (portability)
  • Establish standards for protecting PHI, especially as healthcare moved from paper records to electronic systems

Over time, HIPAA’s privacy and security requirements became the operational center of gravity. The regulation introduced standards for how PHI may be used and disclosed and expanded patient rights around access, amendments, and data sharing.

“HIPAA compliance keeps getting harder as cyber threats evolve and healthcare workflows change. Programs built as one-time projects tend to break as soon as new systems, vendors, or care models show up.”


Who needs to be HIPAA compliant?

Organizations that handle PHI typically fall into two buckets:

  • Covered entities: organizations involved in healthcare treatment, payment, or operations
  • Business associates: third parties that handle PHI on behalf of covered entities (often including subcontractors)

Covered entities (common examples)

  • Healthcare providers (clinics, hospitals, specialists)
  • Health plans
  • Healthcare clearinghouses

Business associates (common examples)

  • Cloud service providers and hosting vendors that can access PHI
  • Billing, revenue cycle, and claims processing vendors
  • IT managed service providers and support vendors with PHI access
  • Healthcare SaaS platforms (telehealth, care coordination, patient engagement) that touch PHI for covered entities

Business Associate Agreements (BAAs)

Covered entities generally need a Business Associate Agreement (BAA) before disclosing PHI to a business associate. A strong BAA typically clarifies:

  • Which safeguards the business associate will use to protect PHI
  • Permitted uses and disclosures of PHI
  • Subcontractor requirements (flow-down obligations)
  • Breach notification expectations and timelines
  • Termination and return/destruction of PHI terms

What are the HIPAA rules?

HIPAA “rules” are sets of standards that define privacy, security, and breach handling expectations. While there are multiple HIPAA rules and related updates, most compliance work maps to three core rules:

  • Privacy Rule
  • Security Rule
  • Breach Notification Rule

Two important ideas show up across HIPAA compliance work:

  • Minimum Necessary: limit use/disclosure of PHI to the minimum required for the task.
  • Required vs. addressable specifications (Security Rule): some safeguards are mandatory as written; others must be evaluated for reasonableness and implemented as written or via a documented alternative.

1) The Privacy Rule

The Privacy Rule establishes patient rights over PHI and sets guardrails for use and disclosure.

One practical way to think about it is the difference between:

  • Permitted uses/disclosures (may not require patient authorization), such as for treatment, payment, and healthcare operations.
  • Authorized uses/disclosures (require explicit permission), such as certain marketing uses.

Common Privacy Rule program components include:

  • Written privacy policies and procedures
  • Workforce training (and enforcement for violations)
  • Administrative/technical/physical safeguards to reduce improper disclosures
  • Processes for patient access requests and record amendments

2) The Security Rule

The Security Rule focuses on electronic PHI (ePHI) and the safeguards needed to protect its confidentiality, integrity, and availability.

HIPAA organizes safeguards into three categories:

  Administrative safeguards         | Physical safeguards            | Technical safeguards
  ----------------------------------|--------------------------------|----------------------
  Security management process       | Facility access and control    | Access controls
  Information access management     | Workstation use and security   | Audit controls
  Security incident procedures      | Device and media control       | Authentication
  Workforce training and oversight  |                                | Transmission security

To keep these safeguards real (not just policy), teams typically run recurring activities like risk analysis, access reviews, log review/alerting, and vendor oversight.

3) The Breach Notification Rule

The Breach Notification Rule defines what qualifies as a reportable breach and outlines notification requirements.

A common (high-level) operational model is:

  • Determine whether an impermissible use/disclosure occurred
  • Perform a risk assessment (nature/extent of PHI, who received it, whether it was viewed/obtained, and mitigation)
  • If it’s a breach, notify affected individuals and report to HHS within required timelines (and sometimes media, depending on scale)

An often-overlooked requirement: you need to be able to document your decisions, timelines, and procedures. During audits and investigations, “we did it” is much less helpful than “we can prove it.”


HIPAA violations and penalties: what happens when you’re not compliant

HIPAA is enforced by the HHS Office for Civil Rights (OCR). OCR can investigate after complaints, audits, or breaches, and outcomes range from corrective action to civil monetary penalties. In severe cases, criminal charges may apply.

Civil penalties (high-level tiers)

HIPAA penalties are commonly described in tiers based on culpability and corrective action. Fine amounts and caps are adjusted periodically, and enforcement outcomes vary based on facts.

  Tier    | Criteria (simplified)                  | What it usually means
  --------|----------------------------------------|----------------------------------------------------------
  Tier 1  | Unaware / couldn’t reasonably avoid    | Often tied to weak controls discovered after an incident
  Tier 2  | Should have known / couldn’t avoid     | Risk analysis and monitoring gaps show up here
  Tier 3  | Willful neglect, corrected             | Problems were known; remediation efforts matter
  Tier 4  | Willful neglect, not corrected         | Highest risk for significant penalties and oversight

Criminal penalties (when intent is involved)

Criminal charges typically require evidence that an entity knowingly violated HIPAA or misused PHI (for example, for personal gain or malicious intent). In these situations, penalties can include substantial fines and imprisonment.

What penalties look like operationally

Even without “maximum” fines, HIPAA failures often cascade into:

  • Costly forensic work and remediation programs
  • Mandatory corrective action plans (CAPs) and ongoing oversight
  • Contract and revenue impacts (suspended integrations, terminated vendor relationships)
  • Reputation damage and patient/partner trust loss

How do you become HIPAA compliant? Best practices

HIPAA compliance is easiest when you treat it as a repeatable operating system: scope → controls → evidence → monitoring → improvement.

Here are high-impact best practices:

  • Perform regular risk assessments: run risk analysis on PHI/ePHI flows at planned intervals and after meaningful changes (new vendors, new systems, incidents).
  • Implement comprehensive workforce training: make training recurring, role-aware, and tied to real workflows (support access, engineering access, clinical access).
  • Maintain demonstrable security measures: align encryption, access control, logging, backups, and patching with a documentation trail that proves how controls operate.
  • Establish and rehearse incident response: build a process you can execute inside notification timelines, including decision logs and templates.
  • Practice continuous monitoring: treat “new risks” as normal—vendors change, systems sprawl, and threats evolve.
  • Maintain thorough documentation: keep HIPAA-relevant documentation for required retention periods (commonly at least six years), including policies, training records, access logs, and incident artifacts.

A practical “start here” checklist (for busy teams)

If you need to get moving quickly, start with:

  1. Map PHI flows (systems, integrations, storage, support channels)
  2. Vendor inventory + BAAs (and subcontractor flow-down where needed)
  3. Access control baseline (least privilege, MFA, offboarding)
  4. Logging + monitoring (and evidence of review/alerting)
  5. Risk analysis + remediation tracking
  6. Incident response plan + breach decision workflow

Make HIPAA compliance easier with SecureSlate

HIPAA compliance is significantly easier when it’s operational: clear owners, recurring workflows, and evidence that stays current as your systems and vendors change.

SecureSlate helps teams:

  • Centralize HIPAA policies, control ownership, and audit-ready evidence
  • Track vendors and BAAs with review cadences
  • Run recurring workflows like access reviews and policy acknowledgements
  • Maintain a clear trail of proof for audits, customer reviews, and renewals

Get started for free to see how SecureSlate turns HIPAA requirements into clear, repeatable execution.


FAQ

Who needs to be HIPAA compliant?

Covered entities and many vendors (business associates) that create, receive, maintain, or transmit PHI on behalf of covered entities.

What is considered PHI under HIPAA?

PHI is information about an individual’s health condition, healthcare, or payment for healthcare that can identify the individual. When it’s stored/transmitted electronically, it’s often referred to as ePHI.

What are the main HIPAA rules?

Most HIPAA compliance work maps to the Privacy Rule, Security Rule, and Breach Notification Rule.

Is there an official HIPAA certification?

There isn’t a single official “HIPAA certification” issued by the government. Some organizations pursue third-party training or audits to demonstrate good-faith readiness, but compliance is ultimately about operating safeguards and meeting legal/contractual obligations.


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to HIPAA and related regulations, you should consult a licensed attorney.
