Achieving HIPAA compliance means aligning your organization with the US Health Insurance Portability and Accountability Act and its rules for protecting sensitive patient health information. Whether you run a medical practice, a health plan, a clearinghouse, or a company that handles data on their behalf, HIPAA sets the baseline for how Protected Health Information (PHI) must be safeguarded, used, and disclosed.
This guide explains who HIPAA applies to, the core rules you must satisfy, and the practical steps that turn legal requirements into day-to-day practice. This article is general guidance only and is not legal advice.
What is HIPAA and who must comply?
HIPAA is a US federal law enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). It establishes national standards for the privacy and security of health information and defines the obligations of the organizations that handle it.
Two broad categories of organization fall within scope:
- Covered entities — health plans, healthcare clearinghouses, and most healthcare providers that transmit health information electronically in connection with certain transactions.
- Business associates — vendors and contractors that create, receive, maintain, or transmit PHI on behalf of a covered entity, such as billing companies, IT hosting providers, and cloud software vendors.
Both covered entities and business associates carry direct compliance obligations. A vendor that never sees a patient can still be held accountable if it mishandles PHI.
The core HIPAA rules you must satisfy
HIPAA compliance is built on several interlocking rules. Understanding how each one applies to your operations is the foundation of any credible program.
The Privacy Rule
The Privacy Rule governs how PHI may be used and disclosed. PHI is individually identifiable health information in any form — paper, electronic, or spoken. The rule limits sharing to permitted purposes such as treatment, payment, and healthcare operations, and gives individuals rights over their own information, including the right to access and request corrections.
A central concept is the minimum-necessary standard: when using or disclosing PHI, you should limit it to the least amount of information needed to accomplish the purpose. This does not apply to disclosures for treatment, but it does shape most other everyday sharing.
The Security Rule
The Security Rule applies specifically to electronic PHI (ePHI). It requires organizations to implement three categories of safeguards and to conduct a mandatory risk analysis. The safeguard categories are summarized below.
| Safeguard type | What it covers | Examples |
|---|---|---|
| Administrative | Policies, processes, and workforce management that govern how ePHI is protected | Risk analysis, workforce training, access authorization procedures, contingency planning |
| Physical | Controls over physical access to systems and facilities holding ePHI | Facility access controls, workstation security, device and media disposal |
| Technical | Technology-based controls that protect ePHI and control access to it | Access controls, audit logging, integrity controls, transmission security such as encryption |
The risk analysis is not optional. Organizations must assess where ePHI lives, the threats and vulnerabilities it faces, and the likelihood and impact of potential compromise, then manage those risks to a reasonable and appropriate level.
The Breach Notification Rule
When unsecured PHI is compromised, the Breach Notification Rule requires notification. Covered entities must notify the affected individuals and HHS OCR, and in some cases the media. Notification to affected individuals is generally required without unreasonable delay and no later than 60 days after discovery of the breach. Business associates must notify the covered entity so it can meet its own obligations.
Business Associate Agreements (BAAs)
Whenever a covered entity shares PHI with a business associate, a written Business Associate Agreement is required. The BAA sets out how the business associate may use PHI, obligates it to safeguard the information, and requires it to report breaches. Business associates that engage subcontractors handling PHI must put equivalent agreements in place downstream.
Skipping a BAA is a common and avoidable failure. Before any vendor touches PHI, confirm the agreement is signed and that its terms reflect how the data will actually be handled.
A practical roadmap to HIPAA compliance
Turning the rules into an operating program takes a structured approach. The steps below outline a sensible sequence for most organizations.
- Map your PHI. Identify where PHI and ePHI are created, received, stored, and transmitted across systems and vendors.
- Conduct a risk analysis. Assess threats and vulnerabilities to ePHI and document the findings.
- Remediate risks. Apply administrative, physical, and technical safeguards to bring identified risks to an acceptable level.
- Write policies and procedures. Document how your workforce handles PHI, access, incidents, and disclosures.
- Train your workforce. Ensure staff understand their responsibilities and refresh training regularly.
- Execute BAAs. Confirm signed agreements are in place with every relevant vendor and subcontractor.
- Prepare for breaches. Build an incident response and breach notification process before you need it.
- Review and update. Revisit your risk analysis and safeguards as systems, vendors, and threats change.
Compliance is not a one-time project. It is an ongoing cycle of assessment, documentation, and improvement that must keep pace with how your organization handles health information.
Common HIPAA compliance pitfalls
Many enforcement outcomes trace back to a handful of recurring gaps. Watching for these can strengthen your HIPAA compliance posture considerably.
- Treating the risk analysis as a checkbox rather than a genuine, documented assessment of ePHI risk.
- Failing to encrypt or otherwise protect ePHI in transit and at rest where appropriate.
- Overlooking BAAs with cloud providers, email services, and other vendors.
- Granting workforce members more access to PHI than their roles require.
- Lacking a tested incident response plan, which slows breach notification.
- Letting policies go stale as new systems and services are adopted.
How the authorities enforce HIPAA
HHS OCR investigates complaints, conducts compliance reviews, and can impose corrective action and civil penalties. For authoritative guidance on the rules and enforcement, consult the official resource at the HHS HIPAA website. Demonstrable, documented good-faith effort — a real risk analysis, current policies, and evidence of training — is central to how organizations show their compliance.
Frequently asked questions
Is HIPAA compliance mandatory for my business?
If you are a covered entity or a business associate that creates, receives, maintains, or transmits PHI, then yes. If you never handle PHI on behalf of a covered entity, HIPAA generally does not apply to you.
What is the difference between the Privacy Rule and the Security Rule?
The Privacy Rule governs the use and disclosure of PHI in any form and applies the minimum-necessary standard. The Security Rule focuses specifically on electronic PHI and requires administrative, physical, and technical safeguards plus a risk analysis.
How quickly must I report a breach?
Affected individuals and HHS OCR generally must be notified without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI. Business associates must alert the covered entity so it can meet these deadlines.
Do I need a Business Associate Agreement with every vendor?
You need a BAA with any vendor that creates, receives, maintains, or transmits PHI on your behalf. Vendors that never access PHI typically do not require one, but confirm carefully before sharing any data.
Is encryption required under HIPAA?
Encryption is an addressable specification rather than a flat mandate, meaning you must assess whether it is reasonable and appropriate and implement it or a documented alternative. In practice, encrypting ePHI in transit and at rest is widely treated as a baseline expectation.
How often should I redo my risk analysis?
HIPAA does not fix a rigid interval, but the risk analysis should be reviewed and updated periodically and whenever significant changes occur in your systems, operations, or threat environment.

Related guides
- HIPAA Security Rule: safeguards for electronic PHI
- HIPAA Privacy Rule: using and disclosing PHI
- HIPAA Risk Assessment: how to run a compliant risk analysis
- HIPAA Compliance Checklist: step-by-step requirements
- HIPAA Breach Notification: rules and deadlines
Put your HIPAA compliance program into action
Building the documentation from scratch is the slowest part of the journey. Our editable HIPAA (US) toolkit gives you ready-to-use policies, procedures, and templates you can tailor to your organization. Explore the HIPAA toolkit to accelerate your path to a defensible, audit-ready compliance program.

