HIPAA Compliance: What It Requires, Who It Covers, and How to Build a Program
TL;DR
- HIPAA's four rules (Privacy, Security, Breach Notification, Enforcement) apply to covered entities and their business associates. Ignorance of covered-entity status is not a defense.
- The Privacy Rule (45 CFR Parts 160 and 164, Subparts A and E) governs all PHI in any form. The Security Rule (Subpart C) adds a layer of administrative, physical, and technical safeguards for ePHI specifically.
- After discovering a breach, you have 60 calendar days to notify affected individuals (45 CFR § 164.404); breaches affecting 500 or more people also require simultaneous HHS and media notification (§§ 164.406, 164.408).
- Civil penalties range from $100 to $50,000 per violation depending on culpability, with an annual cap of $1.5 million per violation category (45 CFR § 160.404). OCR has collected over $142 million in penalties across more than 140 cases since 2003.
- The most-cited enforcement deficiency is a missing or inadequate risk analysis (45 CFR § 164.308(a)(1)(ii)(A)).
Who this is for

This guide is written for compliance officers, IT and security leads, and founders at covered entities or business associates who need to understand HIPAA obligations from first principles. It is also useful for in-house legal teams evaluating whether a new vendor relationship triggers Business Associate Agreement requirements.
What HIPAA Covers
The Health Insurance Portability and Accountability Act was enacted in 1996. The U.S. Department of Health and Human Services (HHS) issued the implementing regulations that form modern HIPAA compliance through a series of rules, codified at 45 CFR Parts 160 and 164.
HIPAA's core subject matter is protected health information (PHI): individually identifiable health information transmitted or maintained by a covered entity or its business associate, regardless of medium (electronic, paper, or oral). The definition is found at 45 CFR § 160.103. PHI excludes employment records held by covered entities in their capacity as employers, education records covered by FERPA, and information about individuals who have been deceased for more than 50 years.
When PHI is stored or transmitted electronically, it is called ePHI. The Security Rule applies exclusively to ePHI. The Privacy Rule applies to PHI in all forms.
Covered Entities and Business Associates
Covered Entities
Under 45 CFR § 160.103, a covered entity is one of three things:
- A health plan: any individual or group plan that pays for medical care, including health insurance companies, HMOs, employer-sponsored health plans, Medicare, and Medicaid.
- A healthcare clearinghouse: an entity that translates nonstandard health information into standard formats, or vice versa.
- A healthcare provider that transmits health information electronically in connection with any HIPAA-covered transaction (claims submission, eligibility inquiries, referral authorizations, and similar).
Not every healthcare provider is a covered entity. A physician who submits paper claims only and never transmits health information electronically falls outside the definition. In practice, electronic billing has made this exception rare.
Business Associates
A business associate is a person or organization that, on behalf of a covered entity, creates, receives, maintains, or transmits PHI to perform a function regulated by HIPAA, such as claims processing, data analysis, quality assurance, billing, or practice management (45 CFR § 160.103).
Legal, actuarial, accounting, consulting, management, financial, and administrative services companies that require access to PHI to perform their work are also business associates. The definition explicitly includes Health Information Organizations, e-prescribing gateways, and subcontractors of business associates who handle PHI. That last point matters: a company that contracts with a covered entity's IT vendor and receives PHI in the course of that work is a business associate and bears the same obligations.
Business associates must sign a Business Associate Agreement (BAA) with each covered entity they serve. The BAA requirements are detailed in 45 CFR § 164.504(e) and § 164.314(a). A valid BAA must:
- Define all permitted uses and disclosures of PHI
- Require the business associate to implement appropriate safeguards and comply with the Security Rule
- Obligate the business associate to report breaches of unsecured PHI
- Require that any subcontractors who receive PHI sign equivalent agreements
- Grant the covered entity a right to audit and to terminate the agreement for material breach
- Require return or destruction of PHI when the agreement ends
Failing to have a BAA with every qualifying vendor is one of the most common triggers for OCR enforcement.
The Privacy Rule

The HIPAA Privacy Rule, codified at 45 CFR Part 160 and Subparts A and E of Part 164, establishes when and how covered entities and business associates may use or disclose PHI.
The baseline rule under 45 CFR § 164.502 is that covered entities may not use or disclose PHI except as the Privacy Rule permits or requires. Permitted uses include treatment, payment, and healthcare operations without patient authorization. Marketing uses of PHI and selling PHI require written authorization from the individual.
Minimum Necessary Standard
Covered entities must make "reasonable efforts to limit" PHI disclosures to what is necessary for the intended purpose (45 CFR § 164.502(b)). This standard does not apply to disclosures to the individual, to a healthcare provider for treatment, or to disclosures authorized by the individual.
Patient Rights
Under 45 CFR § 164.524, individuals have the right to inspect and obtain copies of their PHI held in a designated record set. Covered entities must act on access requests within 30 days, with a single 30-day extension permitted if the covered entity gives written notice. Fees are limited to the actual cost of labor, supplies, and postage. OCR has pursued numerous enforcement actions against providers who failed to provide timely access, which is one of the more straightforward categories of Privacy Rule violation.
Individuals also have the right to request amendments to their PHI (45 CFR § 164.526), to request restrictions on certain uses, and to receive an accounting of disclosures (45 CFR § 164.528).
Notice of Privacy Practices
Covered entities must provide individuals with a Notice of Privacy Practices (45 CFR § 164.520) that describes how their PHI may be used, their rights, and how to file complaints with HHS. Direct treatment providers must make a good-faith effort to obtain written acknowledgment of receipt.
Privacy Officer Requirement
Covered entities must designate a privacy official responsible for developing and implementing privacy policies and procedures (45 CFR § 164.530(a)). They must also appoint a contact person or office to receive complaints.
The Security Rule
The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) applies to ePHI only. It requires covered entities and business associates to:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit
- Protect against reasonably anticipated threats to the security or integrity of ePHI
- Protect against reasonably anticipated uses or disclosures not permitted under the Privacy Rule
- Ensure workforce compliance with Security Rule requirements
The Security Rule uses a required vs. addressable distinction in its implementation specifications. Required specifications must be implemented without exception. For addressable specifications, an entity must assess whether each specification is reasonable and appropriate for its environment. If it is, the entity must implement it. If not, the entity must document the reason and implement an equivalent alternative. "Addressable" does not mean optional (45 CFR § 164.306(d)).
Administrative Safeguards (45 CFR § 164.308)
Administrative safeguards are the policies and procedures that manage the selection, development, and maintenance of security measures. 45 CFR § 164.308 requires:
- Security Management Process (required): Conduct a risk analysis, implement risk management, apply sanction policies, and review information system activity.
- Assigned Security Responsibility (required): Designate a security official responsible for security policies.
- Workforce Security (addressable): Authorization and supervision, workforce clearance procedures, and termination procedures.
- Information Access Management (required/addressable): Policies to authorize ePHI access consistent with the Privacy Rule.
- Security Awareness and Training (addressable): Training on malicious software protection, login monitoring, and password management.
- Security Incident Procedures (required): Identify, respond to, and document security incidents and their outcomes.
- Contingency Planning (required/addressable): Data backup, disaster recovery, and emergency operations plans.
- Evaluation (required): Periodic technical and nontechnical evaluation of security measures.
The risk analysis requirement under § 164.308(a)(1)(ii)(A) is the single most-cited deficiency in OCR enforcement actions. It requires an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI." HHS provides a free Security Risk Assessment (SRA) Tool for smaller organizations.
Physical Safeguards (45 CFR § 164.310)
45 CFR § 164.310 governs physical access to facilities and equipment:
- Facility access controls (addressable): Contingency operations procedures, a facility security plan, access control and validation procedures, and maintenance records.
- Workstation use (required): Policies specifying proper workstation functions and the physical environment.
- Workstation security (required): Physical safeguards restricting workstation access to authorized users.
- Device and media controls (required/addressable): Disposal of PHI from decommissioned media, media reuse procedures, accountability records, and data backup before moving equipment.
Technical Safeguards (45 CFR § 164.312)
45 CFR § 164.312 requires:
- Access controls (required/addressable): Unique user identification (required), emergency access procedures (required), automatic logoff (addressable), and encryption/decryption (addressable).
- Audit controls (required): Hardware, software, or procedural mechanisms that record and examine activity in systems containing ePHI.
- Integrity (addressable): Mechanisms to authenticate ePHI and verify it has not been altered or destroyed in an unauthorized manner.
- Authentication (required): Verification of the identity of persons or entities seeking access.
- Transmission security (addressable): Integrity controls and encryption to guard ePHI during electronic transmission.
Encryption is addressable, not required. However, the breach notification safe harbor at 45 CFR § 164.402 means that breached PHI that was properly encrypted under HHS guidance does not trigger notification obligations. In practice, unencrypted portable devices are the source of a disproportionate share of reportable breaches.
The Breach Notification Rule
45 CFR §§ 164.400-414 requires covered entities and business associates to notify affected parties when a breach of unsecured PHI occurs.
What Counts as a Breach
Under 45 CFR § 164.402, a breach is "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information."
A disclosure is presumed to be a breach unless the covered entity demonstrates a low probability of compromise through a four-factor risk assessment:
- The nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification
- The identity of the unauthorized person who used or received the PHI
- Whether the PHI was actually acquired or viewed
- The extent to which the risk has been mitigated
Notification Timelines
All three notification obligations run from the date the breach is discovered, not the date it occurred:
| Notification target | When required | Deadline |
|---|---|---|
| Affected individuals (§ 164.404) | All breaches | Within 60 calendar days of discovery |
| Secretary of HHS (§ 164.408) | Breaches affecting 500+ individuals | Simultaneously with individual notice |
| Secretary of HHS (§ 164.408) | Breaches affecting fewer than 500 individuals | Within 60 days after the end of the calendar year in which the breach was discovered |
| Prominent media outlets (§ 164.406) | Breaches affecting 500+ residents of a state or jurisdiction | Within 60 calendar days of discovery |
The 60-day individual notification deadline is a hard ceiling. OCR has taken enforcement action against covered entities that missed it.
Business associates must notify the covered entity of a breach "without unreasonable delay and no later than 60 calendar days after discovery" (45 CFR § 164.410). The BAA typically sets a shorter contractual window (often 5-10 business days) so the covered entity has time to investigate before the 60-day clock runs out on their own notifications.
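The timeline table above, carried through as date arithmetic. This is an added example, not part of the original article: it computes the latest permissible notice dates from the discovery date, applies the 500-person threshold separately for HHS (breach total) and media (per state or jurisdiction), and uses the calendar-year rule for small breaches. The contractual business-associate window is assumed to be weekdays only, ignoring holidays; the 10-business-day default and the scenario numbers are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

STATUTORY_CEILING_DAYS = 60   # §§ 164.404, 164.406, 164.410: "no later than 60 calendar days"
LARGE_BREACH_THRESHOLD = 500  # §§ 164.406, 164.408: the 500-or-more threshold


@dataclass(frozen=True)
class NotificationDeadlines:
    individuals: date        # § 164.404, every breach
    hhs: date                # § 164.408, timing depends on the breach total
    hhs_basis: str           # which § 164.408 branch produced the date
    media: dict[str, date]   # § 164.406, only jurisdictions with 500+ residents


def notification_deadlines(discovered: date, affected_by_jurisdiction: dict[str, int]) -> NotificationDeadlines:
    """Latest permissible notice dates. The clock starts at discovery,
    not at the incident date or the end of an internal investigation."""
    total = sum(affected_by_jurisdiction.values())
    ceiling = discovered + timedelta(days=STATUTORY_CEILING_DAYS)
    if total >= LARGE_BREACH_THRESHOLD:
        hhs, basis = ceiling, "500+ individuals: contemporaneous with individual notice"
    else:
        # Fewer than 500: log the breach and report it within 60 days after the
        # end of the calendar year in which it was discovered.
        hhs = date(discovered.year, 12, 31) + timedelta(days=STATUTORY_CEILING_DAYS)
        basis = "fewer than 500 individuals: annual log submission"
    # The media threshold is per state/jurisdiction, not the overall breach total.
    media = {j: ceiling for j, n in affected_by_jurisdiction.items() if n >= LARGE_BREACH_THRESHOLD}
    return NotificationDeadlines(ceiling, hhs, basis, media)


def business_days_after(start: date, n: int) -> date:
    """Advance n weekdays (Mon-Fri). Assumption: holidays are ignored; use the BAA's calendar."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def ba_report_deadline(discovered: date, contract_business_days: int = 10) -> date:
    """Date by which a business associate must notify the covered entity. § 164.410 sets
    the 60-calendar-day ceiling; the BAA usually sets a shorter window, and the earlier wins."""
    contractual = business_days_after(discovered, contract_business_days)
    return min(contractual, discovered + timedelta(days=STATUTORY_CEILING_DAYS))


def deadline_report(discovered_iso: str, affected_by_jurisdiction: dict[str, int],
                    contract_business_days: int = 10) -> dict:
    """ISO-string view of every deadline, suitable for an incident ticket."""
    discovered = date.fromisoformat(discovered_iso)
    d = notification_deadlines(discovered, affected_by_jurisdiction)
    return {
        "individuals": d.individuals.isoformat(),
        "hhs": d.hhs.isoformat(),
        "hhs_basis": d.hhs_basis,
        "media": {j: dl.isoformat() for j, dl in d.media.items()},
        "ba_to_covered_entity": ba_report_deadline(discovered, contract_business_days).isoformat(),
    }


if __name__ == "__main__":
    # Constructed scenario: unencrypted laptop theft discovered 20 Nov 2025,
    # 450 Maryland residents and 30 Virginia residents affected (480 total).
    for key, value in deadline_report("2025-11-20", {"MD": 450, "VA": 30}).items():
        print(f"{key}: {value}")
```

A breach of 600 residents in one state moves both the HHS and media deadlines to the 60-day ceiling, while 300 plus 300 across two states triggers HHS notice but no media notice, since neither state reaches 500.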
OCR Enforcement: What the Cases Show

The HHS Office for Civil Rights enforces HIPAA under the Enforcement Rule (45 CFR Part 160, Subparts C, D, and E). Civil money penalties are structured at 45 CFR § 160.404 across four tiers. The amounts below are the base statutory amounts; they are adjusted annually under the Federal Civil Monetary Penalties Inflation Adjustment Act:
| Tier | Culpability | Per violation | Annual cap (identical violations) |
|---|---|---|---|
| 1 | Did not know and could not have known with reasonable diligence | $100–$50,000 | $1,500,000 |
| 2 | Reasonable cause, not willful neglect | $1,000–$50,000 | $1,500,000 |
| 3 | Willful neglect, corrected within 30 days of discovery | $10,000–$50,000 | $1,500,000 |
| 4 | Willful neglect, not corrected | $50,000 minimum | $1,500,000 |
Criminal penalties under 42 U.S.C. § 1320d-6 reach up to $250,000 in fines and 10 years imprisonment for offenses involving intent to sell, transfer, or use PHI for personal gain or malicious harm. As of 2024, OCR has settled or imposed civil money penalties in more than 140 cases totaling over $142 million.
Selected Enforcement Cases
Three cases illustrate how OCR uses the penalty tiers:
Cignet Health of Maryland (2011): OCR imposed a $4.3 million civil money penalty, the largest at the time of issuance. Cignet denied 41 patients access to their own medical records and then failed to cooperate with OCR's investigation. The penalty included $1.3 million for the access violations (Tier 1) and $3 million for willful neglect in failing to comply with OCR's demands.
Memorial Healthcare System (2017): A $5.5 million settlement following unauthorized access to the ePHI of 115,143 patients by employees and a business associate's employees over a period of years. The root cause was a failure to review audit logs, which is a required administrative safeguard under § 164.308(a)(1)(ii)(D).
Hospice of North Idaho (HONI): A $50,000 settlement for failure to conduct a risk analysis, triggered by the theft of an unencrypted laptop containing records of 441 patients. This case established OCR's willingness to pursue smaller organizations for foundational Security Rule failures.
The pattern across enforcement cases is consistent: inadequate risk analysis, missing BAAs, failure to restrict access, and poor audit log practices account for the majority of resolved cases.
Common Violations and How to Avoid Them
1. No risk analysis on record. This is the most-cited deficiency in OCR investigations. An organization that cannot produce a documented risk analysis (§ 164.308(a)(1)(ii)(A)) has no documented basis for any security decision. Run the HHS SRA Tool at minimum; supplement with NIST SP 800-30 for risk assessment methodology at larger organizations.
2. Missing or unsigned BAAs. Every vendor, consultant, or subcontractor who touches PHI must have a signed BAA before access is granted. Audit your vendor list against your BAA inventory at least annually.
3. Broad access instead of minimum necessary. Granting all staff access to all ePHI when role-based access would suffice violates both the Privacy Rule's minimum necessary standard and the Security Rule's access control requirements. Role-based access should map to job function, not convenience.
4. Unencrypted portable devices. Stolen or lost unencrypted laptops and phones are among the most common breach triggers. Encryption that meets HHS guidance converts a reportable breach into a non-event under the § 164.402 safe harbor.
5. Documentation gaps. HIPAA requires retaining documentation for six years from creation or last effective date, whichever is later (45 CFR § 164.530(j)). OCR investigators review documentation first. If a control is not documented, it effectively does not exist for enforcement purposes.
6. Delayed breach notifications. Organizations sometimes delay notification while investigating whether an event is a reportable breach. The 60-day clock under § 164.404 runs from discovery, not from the conclusion of an internal investigation. Build notification timelines into your incident response procedures.
Building a HIPAA Compliance Program: 10 Steps
1. Conduct a risk analysis
Under 45 CFR § 164.308(a)(1)(ii)(A), every covered entity and business associate must conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI. The risk analysis must identify all systems that create, receive, maintain, or transmit ePHI; document threats and vulnerabilities; assess existing controls; and assign risk levels. HHS's free Security Risk Assessment Tool provides a structured starting point.
2. Implement a risk management plan
A risk analysis without a remediation plan is incomplete. 45 CFR § 164.308(a)(1)(ii)(B) requires implementing security measures to reduce risks to a reasonable and appropriate level. Document each identified risk, the chosen control, the residual risk, and the timeline.
3. Appoint a Privacy Officer and Security Officer
45 CFR § 164.530(a)(1) requires a designated Privacy Officer; 45 CFR § 164.308(a)(2) requires a Security Officer. Both roles can be filled by the same person in smaller organizations. These individuals are accountable for policy development, implementation, and ongoing compliance.
4. Develop and implement policies and procedures
Policies must address PHI access, use, and disclosure; workforce sanctions; incident response and breach notification; device disposal; password and access management; remote work; and business associate management. Under 45 CFR § 164.530(j), documentation must be retained for six years from creation or last effective date.
5. Deploy technical safeguards
Per 45 CFR § 164.312: assign unique user IDs, implement audit logging on all ePHI systems, set automatic workstation logoff, and encrypt ePHI in transit. TLS 1.2 or higher is the current standard for transmission encryption. For ePHI at rest, follow NIST guidance on encryption key management.
6. Establish physical safeguards
Per 45 CFR § 164.310: implement facility access controls (badge readers, visitor logs), workstation security policies (clean desk, screen lock), and documented procedures for disposing of hardware that has held ePHI.
7. Train your workforce
45 CFR § 164.530(b) requires training all workforce members on privacy policies within a reasonable period of hire and when material changes occur. Training must be documented: dates, attendees, materials used. Training records are routinely requested in OCR investigations.
8. Execute Business Associate Agreements
Identify every vendor and contractor with PHI access. Execute BAAs before granting access. BAA requirements are at 45 CFR §§ 164.504(e) and 164.314(a). Review BAAs annually against your current vendor list.
9. Build and test a breach response plan
Create documented procedures for detecting, containing, and investigating potential breaches; performing the four-factor risk assessment under § 164.402; drafting individual, HHS, and media notifications; and meeting the 60-day deadline at § 164.404. Run tabletop exercises at least once a year.
10. Monitor, audit, and update
HIPAA requires periodic evaluation of security measures under 45 CFR § 164.308(a)(8). In practice, this means quarterly access reviews, continuous vulnerability scanning, annual penetration testing of ePHI systems, and regular review of audit logs. Update your risk analysis whenever significant environmental, operational, or workforce changes occur.
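The audit log review that step 10 and the Memorial Healthcare case call for, as an added example that is not from the article or any vendor. It runs three checks over a constructed ePHI access log: credentials used after a workforce member's termination date, access to patients the user has no documented treatment or payment relationship with (minimum necessary), and one account touching an unusual number of distinct records. The log format, roster, care-team table and the volume threshold are all assumptions.

```python
from collections import defaultdict
from datetime import date, datetime
from typing import NamedTuple

# Constructed sample data (not real records): an access log in the form
# timestamp,user,role,patient,action; a roster with termination dates; and
# the care-team assignment that defines who has a treatment relationship.
ACCESS_LOG = """\
2026-03-02T09:14:00,u1001,clinician,P-1,view
2026-03-02T09:20:00,u1001,clinician,P-2,view
2026-03-02T11:02:00,u2002,clinician,P-3,view
2026-03-03T22:41:00,u3003,clinician,P-1,view
2026-03-04T08:05:00,u3003,clinician,P-2,view
2026-03-04T08:06:00,u3003,clinician,P-3,view
2026-03-04T08:07:00,u3003,clinician,P-4,view
2026-03-05T13:30:00,u4004,billing,P-2,view
"""
WORKFORCE = {  # user -> termination date (None = active), from termination procedures
    "u1001": None, "u2002": None, "u3003": date(2026, 3, 3), "u4004": None,
}
CARE_TEAM = {  # patient -> users with a documented treatment or payment relationship
    "P-1": {"u1001"}, "P-2": {"u1001", "u4004"}, "P-3": {"u2002"}, "P-4": {"u2002"},
}


class Access(NamedTuple):
    when: datetime
    user: str
    role: str
    patient: str
    action: str


class Finding(NamedTuple):
    rule: str
    user: str
    detail: str


def parse_log(text: str) -> list[Access]:
    records = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        records.append(Access(datetime.fromisoformat(ts), user, role, patient, action))
    return records


def review_access_log(records, workforce, care_team, max_distinct_patients=3):
    """Apply the three review rules and return every hit as a Finding."""
    findings = []
    distinct_patients = defaultdict(set)
    for r in records:
        if r.user not in workforce:
            findings.append(Finding("unknown_user", r.user, f"no roster entry, {r.patient} at {r.when}"))
        # Rule 1: credentials still in use after the termination date (same-day use is not flagged).
        elif workforce[r.user] is not None and r.when.date() > workforce[r.user]:
            findings.append(Finding("post_termination_access", r.user, f"{r.patient} at {r.when}"))
        # Rule 2: no treatment or payment relationship with the patient (minimum necessary).
        if r.user not in care_team.get(r.patient, set()):
            findings.append(Finding("no_treatment_relationship", r.user, f"{r.patient} at {r.when}"))
        distinct_patients[r.user].add(r.patient)
    # Rule 3: one account touching more distinct records than the assumed threshold.
    for user, patients in distinct_patients.items():
        if len(patients) > max_distinct_patients:
            findings.append(Finding("high_volume_access", user, f"{len(patients)} distinct patients"))
    return findings


def count_by_rule(findings) -> dict[str, int]:
    counts = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


def run_review():
    return review_access_log(parse_log(ACCESS_LOG), WORKFORCE, CARE_TEAM)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.rule:26} {f.user:6} {f.detail}")
```

Every finding here points at one departed account, which is the pattern the termination and access-review safeguards exist to catch; in a real review the findings feed the sanction policy and incident procedures rather than ending at a printout.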
HIPAA and Cloud Services
Cloud providers that store or process ePHI on your behalf are business associates and must sign a BAA before you grant them access. The major providers offer BAAs: AWS, Microsoft Azure, and Google Cloud all publish lists of services covered under their respective BAAs. Notably, not all services within a provider's platform are HIPAA-eligible, so review the specific service list before deployment.
The Security Rule's flexibility of approach provision at § 164.306(b) allows covered entities to account for their size, complexity, and technical capabilities when selecting security measures. This means a small practice using a cloud EHR vendor's built-in controls may satisfy many Security Rule requirements through that vendor's infrastructure, provided the arrangement is covered by a valid BAA and the covered entity retains responsibility for the administrative safeguards within its own operations.
Frequently Asked Questions
What are the current HIPAA civil penalty amounts?
Per 45 CFR § 160.404, penalties range from $100 per violation (Tier 1, no knowledge) to a $50,000 minimum per violation (Tier 4, uncorrected willful neglect), with an annual cap of $1,500,000 per violation category. These amounts are adjusted annually for inflation.
Does HIPAA apply to employers?
HIPAA does not apply to employment records, even if they contain health information. However, employer-sponsored health plans are covered entities under 45 CFR § 160.103 and must comply for plan-related PHI. Employers acting as plan sponsors have separate obligations when they have access to PHI for plan administration.
How often must a risk analysis be conducted?
45 CFR § 164.308(a)(1)(ii)(A) does not specify a frequency. HHS guidance treats the risk analysis as an ongoing process that must be updated when significant changes occur: new systems, new locations, workforce changes, or environmental changes that affect the ePHI threat landscape. Many organizations schedule a formal review annually and supplement it with triggered reviews after significant operational changes.
What is the difference between HIPAA and HITRUST?
HIPAA is a federal law with mandatory requirements enforced by OCR. HITRUST is a private, certifiable framework that incorporates HIPAA requirements alongside ISO 27001, NIST, PCI DSS, and other standards into a unified control set. HITRUST certification demonstrates that an organization has met a documented set of controls, but it is not a government-recognized status and does not insulate an entity from OCR enforcement. The two operate on different tracks: attestation vs. regulatory compliance.
Is there an official HIPAA certification?
No. HHS does not issue HIPAA certifications. Third-party assessors can evaluate an organization against HIPAA requirements and issue reports, but these are commercial assessments, not regulatory determinations. The only official validation of HIPAA compliance is a completed OCR investigation with no findings of violation.
What happens if a business associate causes a breach?
The covered entity retains notification obligations to affected individuals, HHS, and the media regardless of which party was at fault. The BAA should require the business associate to notify the covered entity without unreasonable delay (and no later than 60 days) after discovering a breach, per 45 CFR § 164.410. OCR can and does pursue both the covered entity and the business associate in enforcement actions arising from the same incident.
Sources used
- 45 CFR Parts 160 and 164, Subparts A and E (Privacy Rule) — accessed 2026-05-12
- 45 CFR Part 164, Subpart C (Security Rule) — accessed 2026-05-12
- 45 CFR § 164.404 — accessed 2026-05-12
- 45 CFR § 164.406 — accessed 2026-05-12
- 45 CFR § 164.408 — accessed 2026-05-12
- 45 CFR § 160.404 — accessed 2026-05-12
- 45 CFR § 164.308(a)(1)(ii)(A) — accessed 2026-05-12
- 45 CFR § 160.103 — accessed 2026-05-12
- 45 CFR § 164.504(e) — accessed 2026-05-12
- 45 CFR § 164.314(a) — accessed 2026-05-12
- 45 CFR § 164.502 — accessed 2026-05-12
- 45 CFR § 164.524 — accessed 2026-05-12
- 45 CFR § 164.526 — accessed 2026-05-12
- 45 CFR § 164.528 — accessed 2026-05-12
- 45 CFR § 164.520 — accessed 2026-05-12
- 45 CFR § 164.530(a) — accessed 2026-05-12
- HHS Security Risk Assessment (SRA) Tool — accessed 2026-05-12
- 45 CFR § 164.310 — accessed 2026-05-12
- 45 CFR § 164.312 — accessed 2026-05-12
- 45 CFR § 164.402 — accessed 2026-05-12
- 45 CFR §§ 164.400-414 — accessed 2026-05-12
- 45 CFR § 164.410 — accessed 2026-05-12
- 45 CFR Part 160, Subparts C, D, and E (Enforcement Rule) — accessed 2026-05-12
- 42 U.S.C. § 1320d-6 — accessed 2026-05-12
Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.
