What Is HIPAA Compliance? Definition and Requirements

“HIPAA compliant” (often misspelled “HIPPA”) means that an organization meets the federal standards set by the Health Insurance Portability and Accountability Act for protecting patient health information. The law establishes rules for how medical data is stored, shared, and secured, and it applies to healthcare providers, health plans, and the companies that work with them. Compliance isn’t a single checkbox. It’s an ongoing process that spans privacy policies, digital security, employee training, and physical access controls.

Who HIPAA Actually Applies To

HIPAA doesn’t apply to every business that touches health information. It applies to three categories of “covered entities”: healthcare providers (doctors, clinics, dentists, pharmacies, nursing homes, psychologists, chiropractors), health plans (insurance companies, HMOs, employer health plans, and government programs like Medicare and Medicaid), and healthcare clearinghouses that process medical billing data into standardized formats. Healthcare providers are only covered if they transmit information electronically in connection with standard transactions like billing or insurance claims.

The law also reaches any company that handles patient data on behalf of a covered entity. These are called business associates, and they include IT vendors, cloud storage providers, billing companies, shredding services, and even email platforms used to send patient information. A covered entity must have a written Business Associate Agreement (BAA) in place before sharing any protected data. That contract spells out exactly what the business associate can do with the information, requires them to implement their own security safeguards, and obligates them to report any unauthorized disclosures. If a software company tells you they’re “HIPAA compliant” but won’t sign a BAA, that’s a red flag.

What Counts as Protected Health Information

Protected health information, or PHI, is any health data that can be linked to a specific person. This includes the obvious things like medical records, diagnoses, lab results, and prescription history. But it also covers 18 types of identifiers that can connect health data to an individual: names, addresses, dates (birth, admission, discharge), phone numbers, email addresses, Social Security numbers, medical record numbers, health plan IDs, account numbers, license plate numbers, device serial numbers, web URLs, IP addresses, biometric data like fingerprints, full-face photos, and any other unique identifying number or code.

If health information has all 18 identifiers stripped away, it’s considered “de-identified” and no longer falls under HIPAA protections. This is how researchers can study health trends without triggering privacy requirements.

The Privacy Rule: Who Can See Your Data

The Privacy Rule is the core of HIPAA compliance. It sets a simple default: a covered entity cannot use or disclose your health information unless the Privacy Rule specifically allows it or you authorize it in writing.

Without your authorization, your information can be shared for treatment, payment, and routine healthcare operations. Your doctor can send your records to a specialist for a referral. Your hospital can share billing codes with your insurance company. These everyday functions of healthcare don’t require your written permission each time.

For anything outside those purposes, the organization needs your signed authorization. There are limited exceptions for public interest situations like reporting communicable diseases, responding to court orders, or preventing serious threats to health or safety. But the rule also imposes a “minimum necessary” standard: even when sharing is allowed, organizations must limit the information to only what’s needed for that specific purpose. A billing office processing a claim doesn’t need your full medical history.

You also have the right to request access to your own records and to receive an accounting of the parties to whom your information has been disclosed. Covered entities are legally required to provide both.

The Security Rule: Protecting Electronic Data

The Security Rule focuses specifically on electronic protected health information (ePHI) and requires three categories of safeguards.

Administrative safeguards are the policies and procedures that govern how an organization manages security. The most critical requirement is a risk analysis: a thorough assessment of potential threats to the confidentiality, integrity, and availability of electronic health data. This isn’t a one-time task. The rule requires it to be ongoing, and organizations should repeat it whenever they adopt new technology, experience staff turnover in key roles, or have a security incident. Organizations must also train their workforce on security policies and implement procedures to prevent, detect, and correct security violations.

Physical safeguards control who can physically get to systems that store patient data. This means facility access controls (locked server rooms, visitor logs, badge access), workstation policies that dictate where and how employees can access ePHI, and documentation of any repairs or changes to security-related hardware like doors, locks, and walls. Even something as simple as positioning a computer screen so patients in a waiting room can’t see it falls under physical safeguards.

Technical safeguards are the digital protections: access controls that limit who can log into systems, encryption for data in transit and at rest, audit logs that track who accessed what information and when, and mechanisms to verify that ePHI hasn’t been altered or destroyed without authorization.

What Happens After a Data Breach

HIPAA’s Breach Notification Rule sets strict deadlines when protected health information is compromised. Once a breach is discovered, the covered entity must notify every affected individual without unreasonable delay and no later than 60 days after discovery. Notifications must be sent by first-class mail, or by email if the individual has agreed to electronic communication.

The scale of the breach determines additional obligations. If 500 or more people in a single state or jurisdiction are affected, the organization must also notify prominent local media outlets within that same 60-day window. For breaches affecting 500 or more individuals anywhere, the organization must report directly to the Department of Health and Human Services (HHS) within 60 days. Smaller breaches affecting fewer than 500 people can be reported to HHS annually, due within 60 days after the end of the calendar year in which they were discovered.

Penalties for Noncompliance

HIPAA violations carry financial penalties that scale with how much the organization knew and whether they tried to fix the problem. There are four tiers:

  • Unknowing violations: $100 to $50,000 per violation, up to $25,000 per year for repeat violations.
  • Reasonable cause (the organization should have known but didn’t act with willful neglect): $1,000 to $50,000 per violation, up to $100,000 per year.
  • Willful neglect, corrected within the required time period: $10,000 to $50,000 per violation, up to $250,000 per year.
  • Willful neglect, not corrected: $50,000 per violation, up to $1.5 million per year.

Criminal penalties, including imprisonment, can also apply when individuals knowingly obtain or disclose protected health information in violation of the law.

There Is No Official HIPAA Certification

One of the most common misconceptions is that an organization can be “HIPAA certified.” HHS is clear on this point: there is no standard or requirement that calls for certification, and HHS does not endorse or recognize any private organization’s HIPAA certification. A third-party audit or assessment can be a useful tool for identifying gaps, but passing one doesn’t create legal protection. HHS can still investigate and find violations regardless of whether an organization holds a certificate from a private company.

When a software vendor or service provider claims to be “HIPAA compliant,” what that should mean in practice is that they’ve implemented the required safeguards, they conduct regular risk analyses, they train their staff, and they’re willing to sign a Business Associate Agreement. The compliance itself is demonstrated through ongoing practices, not a badge or a certificate hanging on the wall.