Instant downloadAuditor-writtenSecure Stripe checkout
HIPAA Compliance: Best Practices Guide 2026 — ISO Toolkits

HIPAA Compliance: Best Practices Guide 2026

Achieving HIPAA compliance means aligning your organization with the US Health Insurance Portability and Accountability Act and its rules for protecting sensitive patient health information. Whether you run a medical practice, a health plan, a clearinghouse, or a company that handles data on their behalf, HIPAA sets the baseline for how Protected Health Information (PHI) must be safeguarded, used, and disclosed.

This guide explains who HIPAA applies to, the core rules you must satisfy, and the practical steps that turn legal requirements into day-to-day practice. This article is general guidance only and is not legal advice.

What is HIPAA and who must comply?

HIPAA is a US federal law enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). It establishes national standards for the privacy and security of health information and defines the obligations of the organizations that handle it.

Two broad categories of organization fall within scope:

  • Covered entities — health plans, healthcare clearinghouses, and most healthcare providers that transmit health information electronically in connection with certain transactions.
  • Business associates — vendors and contractors that create, receive, maintain, or transmit PHI on behalf of a covered entity, such as billing companies, IT hosting providers, and cloud software vendors.

Both covered entities and business associates carry direct compliance obligations. A vendor that never sees a patient can still be held accountable if it mishandles PHI.

The core HIPAA rules you must satisfy

HIPAA compliance is built on several interlocking rules. Understanding how each one applies to your operations is the foundation of any credible program.

The Privacy Rule

The Privacy Rule governs how PHI may be used and disclosed. PHI is individually identifiable health information in any form — paper, electronic, or spoken. The rule limits sharing to permitted purposes such as treatment, payment, and healthcare operations, and gives individuals rights over their own information, including the right to access and request corrections.

A central concept is the minimum-necessary standard: when using or disclosing PHI, you should limit it to the least amount of information needed to accomplish the purpose. This does not apply to disclosures for treatment, but it does shape most other everyday sharing.

The Security Rule

The Security Rule applies specifically to electronic PHI (ePHI). It requires organizations to implement three categories of safeguards and to conduct a mandatory risk analysis. The safeguard categories are summarized below.

Safeguard typeWhat it coversExamples
AdministrativePolicies, processes, and workforce management that govern how ePHI is protectedRisk analysis, workforce training, access authorization procedures, contingency planning
PhysicalControls over physical access to systems and facilities holding ePHIFacility access controls, workstation security, device and media disposal
TechnicalTechnology-based controls that protect ePHI and control access to itAccess controls, audit logging, integrity controls, transmission security such as encryption

The risk analysis is not optional. Organizations must assess where ePHI lives, the threats and vulnerabilities it faces, and the likelihood and impact of potential compromise, then manage those risks to a reasonable and appropriate level.

The Breach Notification Rule

When unsecured PHI is compromised, the Breach Notification Rule requires notification. Covered entities must notify the affected individuals and HHS OCR, and in some cases the media. Notification to affected individuals is generally required without unreasonable delay and no later than 60 days after discovery of the breach. Business associates must notify the covered entity so it can meet its own obligations.

Business Associate Agreements (BAAs)

Whenever a covered entity shares PHI with a business associate, a written Business Associate Agreement is required. The BAA sets out how the business associate may use PHI, obligates it to safeguard the information, and requires it to report breaches. Business associates that engage subcontractors handling PHI must put equivalent agreements in place downstream.

Skipping a BAA is a common and avoidable failure. Before any vendor touches PHI, confirm the agreement is signed and that its terms reflect how the data will actually be handled.

A practical roadmap to HIPAA compliance

Turning the rules into an operating program takes a structured approach. The steps below outline a sensible sequence for most organizations.

  • Map your PHI. Identify where PHI and ePHI are created, received, stored, and transmitted across systems and vendors.
  • Conduct a risk analysis. Assess threats and vulnerabilities to ePHI and document the findings.
  • Remediate risks. Apply administrative, physical, and technical safeguards to bring identified risks to an acceptable level.
  • Write policies and procedures. Document how your workforce handles PHI, access, incidents, and disclosures.
  • Train your workforce. Ensure staff understand their responsibilities and refresh training regularly.
  • Execute BAAs. Confirm signed agreements are in place with every relevant vendor and subcontractor.
  • Prepare for breaches. Build an incident response and breach notification process before you need it.
  • Review and update. Revisit your risk analysis and safeguards as systems, vendors, and threats change.

Compliance is not a one-time project. It is an ongoing cycle of assessment, documentation, and improvement that must keep pace with how your organization handles health information.

Common HIPAA compliance pitfalls

Many enforcement outcomes trace back to a handful of recurring gaps. Watching for these can strengthen your HIPAA compliance posture considerably.

  • Treating the risk analysis as a checkbox rather than a genuine, documented assessment of ePHI risk.
  • Failing to encrypt or otherwise protect ePHI in transit and at rest where appropriate.
  • Overlooking BAAs with cloud providers, email services, and other vendors.
  • Granting workforce members more access to PHI than their roles require.
  • Lacking a tested incident response plan, which slows breach notification.
  • Letting policies go stale as new systems and services are adopted.

How the authorities enforce HIPAA

HHS OCR investigates complaints, conducts compliance reviews, and can impose corrective action and civil penalties. For authoritative guidance on the rules and enforcement, consult the official resource at the HHS HIPAA website. Demonstrable, documented good-faith effort — a real risk analysis, current policies, and evidence of training — is central to how organizations show their compliance.

Frequently asked questions

Is HIPAA compliance mandatory for my business?

If you are a covered entity or a business associate that creates, receives, maintains, or transmits PHI, then yes. If you never handle PHI on behalf of a covered entity, HIPAA generally does not apply to you.

What is the difference between the Privacy Rule and the Security Rule?

The Privacy Rule governs the use and disclosure of PHI in any form and applies the minimum-necessary standard. The Security Rule focuses specifically on electronic PHI and requires administrative, physical, and technical safeguards plus a risk analysis.

How quickly must I report a breach?

Affected individuals and HHS OCR generally must be notified without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI. Business associates must alert the covered entity so it can meet these deadlines.

Do I need a Business Associate Agreement with every vendor?

You need a BAA with any vendor that creates, receives, maintains, or transmits PHI on your behalf. Vendors that never access PHI typically do not require one, but confirm carefully before sharing any data.

Is encryption required under HIPAA?

Encryption is an addressable specification rather than a flat mandate, meaning you must assess whether it is reasonable and appropriate and implement it or a documented alternative. In practice, encrypting ePHI in transit and at rest is widely treated as a baseline expectation.

How often should I redo my risk analysis?

HIPAA does not fix a rigid interval, but the risk analysis should be reviewed and updated periodically and whenever significant changes occur in your systems, operations, or threat environment.

HIPAA compliance toolkit templates
The editable HIPAA Toolkit — policies, procedures, risk analysis and BAA templates.

Related guides

Put your HIPAA compliance program into action

Building the documentation from scratch is the slowest part of the journey. Our editable HIPAA (US) toolkit gives you ready-to-use policies, procedures, and templates you can tailor to your organization. Explore the HIPAA toolkit to accelerate your path to a defensible, audit-ready compliance program.

Shopping Cart