What is HIPAA compliance?

Note: This post was originally published on April 22, 2022, but was optimized and updated utilizing internal subject matter experts on Dec. 13, 2023.

Oro provides content designed to educate and help audiences on their compliance journey.

As someone who works in the healthcare industry, you likely come across the terms “HIPAA” and “compliance” regularly. The prevalence of HIPAA compliance in the healthcare space goes beyond patient paperwork and hospital records.

You’re likely aware that HIPAA, or the Health Insurance Portability and Accountability Act, focuses on protecting patient privacy and keeping patient data safe and sound. You might also understand its value in protecting your healthcare organization against costly lawsuits.

However, many organizations struggle to achieve full compliance. That’s because HIPAA regulations are fairly complex and largely dependent on the specific intricacies of your healthcare organization. HIPAA compliance may look different at different institutions, which makes it all the more important to do your homework and ensure you’re meeting each and every requirement.

If you’re looking for a full run-down on all things HIPAA, we’ve put together a thorough guide on HIPAA compliance and its role in protecting both your organization and its patients. Let’s dive in.

What is the Health Insurance Portability and Accountability Act?

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of individually identifiable health information, also known as protected health information (PHI).

Individually identifiable health information and protected health information (PHI)

Protected health information (PHI) is any demographic information that can be used to identify a patient or client of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos to name a few.

PHI that is transmitted, stored, or accessed electronically also falls under HIPAA regulatory standards and is known as electronic protected health information or ePHI. The HIPAA Security Rule regulates ePHI and was enacted to account for changes in medical technology.

Who needs to comply with HIPAA?

The two types of entities responsible for protected health information that need to be HIPAA-compliant are:

  1. Covered entities (CE)
  2. Business associates (BA)

1. Covered entities

Covered entities are defined by HIPAA regulation as healthcare providers, healthcare clearinghouses, or health plans that transmit PHI electronically. Typically, covered entities have direct contact with patients or use their information.

2. Business associates

A business associate is defined by HIPAA regulation as an organization that creates, receives, maintains, or transmits PHI of a covered entity. Additionally, HIPAA applies to organizations that maintain “persistence of custody” over PHI, like cloud providers. There are many examples of business associates because of the wide scope of service providers that may handle, transmit, or process PHI.

Common examples of business associates affected by HIPAA rules include billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many more.


How do you comply with HIPAA?

HIPAA regulation outlines a set of national standards that all covered entities and business associates must address. HIPAA compliance requirements include:

  • Self-assessments
  • Remediation plans
  • Policies, procedures, and employee training
  • Documentation
  • BA management
  • Incident management

Self-assessments

HIPAA requires covered entities and business associates to conduct periodic technical and nontechnical audits of their organization to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards.

Under HIPAA, a Security Risk Assessment is not enough to be compliant—it’s only one essential audit that HIPAA-beholden entities are required to perform to maintain their compliance year-over-year.

Remediation plans

Once covered entities and business associates have identified their gaps in compliance through these self-assessments, they must implement remediation plans to reverse compliance violations. These remediation plans must be fully documented and include calendar dates by which gaps will be remedied.

Policies, procedures, employee training

Covered entities and business associates must develop Policies and Procedures corresponding to HIPAA regulatory standards. These policies and procedures must be regularly updated to account for changes to the organization.

Annual staff training on these Policies and Procedures is a best practice. Employee attestation should be documented stating they have read and understood the organization’s policies and procedures.

Documentation

HIPAA-covered entities and business associates must document ALL efforts they take to become HIPAA-compliant. This documentation is critical during a HIPAA investigation with HHS OCR to pass strict HIPAA audits.

Business associate management

Covered entities and business associates must document all vendors with whom they share PHI and must execute Business Associate Agreements (BAAs) with those vendors to ensure secure PHI handling. BAAs should be reviewed annually to account for changes to the nature of organizational relationships with vendors. BAAs must be executed before ANY PHI can be shared.

Incident management

When a covered entity or business associate has a data breach, they must document the breach and notify patients that their data was compromised in accordance with the HIPAA Breach Notification Rule. We explore details about the HIPAA Breach Notification Rule below.

In addition to these standards, several different HIPAA rules make up the HIPAA regulation. The HIPAA Rules were passed in the 20+ years that have come and gone since HIPAA was first enacted in 1996.

What are the rules?

Legislators built three rules into HIPAA to guide compliance. The HIPAA Rules that you should be aware of include:

HIPAA Privacy Rule

The HIPAA Privacy Rule sets national standards for patients’ rights to PHI. Some of the standards outlined by the HIPAA Privacy Rule include patients’ rights to access PHI, health care providers’ rights to deny access to PHI, the contents of Use and Disclosure HIPAA release forms and Notices of Privacy Practices, and more.

The organization must document the specifics of the regulation in HIPAA Policies and Procedures. They also must train staff on these Policies and Procedures annually, with documented attestation.

HIPAA Security Rule

The HIPAA Security Rule sets national standards for the secure maintenance, transmission, and handling of ePHI. The HIPAA Security Rule applies to both covered entities and business associates because of the potential sharing of ePHI. The Security Rule outlines standards for the integrity and safety of ePHI, including physical, administrative, and technical safeguards that must be in place in any healthcare organization.

The organization must document the specifics of the regulation in HIPAA Policies and Procedures. They also must train staff on these Policies and Procedures annually, with documented attestation.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in PHI or ePHI data breaches. The Rule lays out different requirements for breach reporting depending on the scope and size.

Regardless of size, organizations must report all breaches, but the specific protocols for reporting change depending on the number of records breached. We outlined the specifics of the HIPAA Breach Notification Rule in the sections below.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule is an addendum to HIPAA regulation. It was enacted to apply HIPAA to business associates and covered entities. The HIPAA Omnibus Rule mandates that business associates must be HIPAA compliant and outlines the rules surrounding Business Associate Agreements (BAAs).

Business Associate Agreements must be executed between a covered entity and a business associate, or between two business associates, before transferring or sharing ANY PHI or ePHI.

The seven elements of an effective compliance program

The HHS Office of Inspector General (OIG) created the Seven Elements of an Effective Compliance Program. These elements give guidance for organizations to vet compliance solutions or create their own compliance programs.

These are the barebones, absolute minimum requirements that an effective compliance program must address. In addition to addressing the full extent of mandated HIPAA Privacy and Security standards, an effective compliance program must handle each of the Seven Elements.

The seven elements of an effective compliance program are as follows:

  1. Implementing written policies, procedures, and standards of conduct
  2. Designating a compliance officer and compliance committee
  3. Conducting effective training and education
  4. Developing effective lines of communication
  5. Conducting internal monitoring and auditing
  6. Enforcing standards through well-publicized disciplinary guidelines
  7. Responding promptly to detected offenses and undertaking corrective action

Over the course of a HIPAA investigation carried out by OCR in response to a HIPAA violation, federal HIPAA auditors will compare your organization’s compliance program against the Seven Elements. OCR may refer to NIST 800-66 and OCR audit protocols to judge its effectiveness.

Cybersecurity’s role in HIPAA compliance

The HHS requires both physical safeguards and technical safeguards for organizations hosting sensitive patient data. As healthcare organizations lean into technology, tons of patient information exists in the cloud or other digital formats. Cybersecurity plays a major role in keeping patient data safe and sound. When a data breach occurs, the consequences are numerous and harmful.

Leaked patient data has financial and reputational consequences. Your organization will be responsible for covering financial penalties based on your negligence, and patients may no longer trust you to safeguard their sensitive information.

Naturally, your organization should prevent data breaches from occurring in the first place. If sensitive patient information falls into the wrong hands, or you believe that your organization is at risk for a cyberattack, the U.S. Department of Health & Human Services outlines how you should respond to cyberattacks:

Execute response

The entity must execute response and mitigation procedures and contingency plans.

Report crime

The entity should report the crime to criminal law enforcement agencies.

Report threat

The entity should report all cyber threat indicators to the appropriate federal agencies and ISAOs.

Assess breach

The entity must assess the incident to determine if there is a breach of protected health information.

If a breach occurs, your organization must report it to the affected individuals no later than 60 days from occurrence. Organizations must report larger breaches that impact 500 or more individuals to OCR and the media within 60 days of the occurrence.

How is HIPAA enforced?

The Department of Health and Human Services regulates HIPAA compliance, and it is enforced by the Office for Civil Rights (OCR).

The OCR’s role in maintaining medical HIPAA compliance comes in the form of routine guidance on new issues affecting health care and in investigating common HIPAA violations.

How is HIPAA audited?

Federal HIPAA auditors levy HIPAA fines on a sliding scale. Fines range from $100 to $50,000 per incident, depending on the level of perceived negligence. Expect higher fines if auditors detect that the organization under investigation has neglected to perform a “good faith effort” toward HIPAA compliance. With well over $40 million levied in fines since 2016, HIPAA compliance is more important now than ever before.

Built from a series of interlocking regulatory rules, HIPAA compliance is a living culture that healthcare organizations must implement to protect the privacy, security, and integrity of protected health information.

Other FAQs about HIPAA compliance

The three main requirements of HIPAA are:

  1. The Privacy Rule
  2. The Security Rule
  3. The Breach Notification Rule

These rules protect the confidentiality of patient health information by setting standards for how it can be used and disclosed.

Yes, HIPAA requires encryption of protected health information and electronic PHI when the data is at rest. Exceptions may apply.

Yes, HIPAA requires encryption of protected health information (PHI) and electronic PHI (ePHI), though there are certain exceptions. The National Institute of Standards and Technology (NIST) recommends protecting PHI data with FIPS 140 approved encryption.

Electronic PHI must be encrypted unless an alternative measure is implemented or there is a justifiable reason for not implementing encryption.

HIPAA requires ePHI to be encrypted during transmission, which could include email; however, a patient may request that their PHI be sent via email. If the patient submits the appropriate consent form to receive the email and the patient understands (and accepts) the risks of sending their protected health information through email (in an unencrypted fashion), then the email may be sent without encryption. HHS still highly recommends the use of encryption for email, or providing an alternative secure solution for a patient to obtain their PHI (such as a secure portal).

HIPAA encryption requirements help protect sensitive patient information from being viewed by unauthorized parties and can help ensure the integrity of medical services.

Failing to comply with HIPAA encryption requirements can have serious consequences, including hefty fines, jail time, and damage to reputation.
