HIPAA compliance is the process of meeting federal standards that protect patient health information from being shared, accessed, or exposed without authorization. The law, formally the Health Insurance Portability and Accountability Act, applies to healthcare providers, health plans, and the vendors that support them. Compliance isn’t a single checklist item. It’s an ongoing set of policies, technical protections, and staff practices that together keep patient data private and secure.
Who Has to Comply
HIPAA applies to two categories of organizations. The first is “covered entities,” which include healthcare providers (doctors, clinics, dentists, psychologists, pharmacies, nursing homes), health plans (insurance companies, HMOs, employer-sponsored plans, Medicare, Medicaid, and military health programs), and health care clearinghouses that process billing data. A key detail: healthcare providers are only covered if they transmit information electronically in connection with standard transactions like billing or insurance claims. A therapist who operates entirely on paper and doesn’t file electronic claims could technically fall outside HIPAA’s reach, though that’s increasingly rare.
The second category is “business associates,” meaning any outside company that handles protected health information on behalf of a covered entity. This includes cloud storage providers, billing companies, IT contractors, shredding services, and even legal or accounting firms if they access patient records. Business associates are directly liable for certain HIPAA requirements, not just contractually bound. If your organization touches patient data in any capacity, HIPAA likely applies to you.
What Counts as Protected Health Information
Protected health information, commonly called PHI, is any health-related data that can be linked to a specific person. HIPAA identifies 18 categories of identifiers that make health data “protected.” The obvious ones include names, Social Security numbers, phone numbers, email addresses, and medical record numbers. But the list also covers items people don’t always think of: IP addresses, device serial numbers, full-face photos, biometric data like fingerprints, vehicle identifiers, and even web URLs. Dates tied to an individual (birth date, admission date, discharge date) count too, as do all ages over 89.
The practical implication: if a piece of health information could be used to figure out who the patient is, it’s PHI. To strip data of its protected status for research or analytics, an organization must remove all 18 identifier types. Even then, the remaining data can’t be used to re-identify anyone.
The Three Core Rules
HIPAA compliance rests on three main rules, each addressing a different dimension of data protection.
The Privacy Rule
The Privacy Rule governs how PHI can be used and disclosed. It gives patients rights over their own information, including the right to access their records, request corrections, and know who their data has been shared with. It sets limits on when a covered entity can share PHI without patient consent. Treatment, payment, and healthcare operations generally don’t require separate authorization, but marketing, most research, and sharing with employers typically do.
The Security Rule
The Security Rule focuses specifically on electronic PHI and requires three types of safeguards. Administrative safeguards are the policies and procedures side: conducting a risk analysis, training staff, designating a security officer, maintaining a contingency plan with data backups and disaster recovery, and having a process to sanction employees who violate policies. Physical safeguards protect the actual hardware and facilities, covering things like facility access controls, workstation security, and proper disposal or reuse of devices that stored patient data. Technical safeguards are the technology layer: unique user logins, automatic logoff, encryption, audit controls that track who accessed what, and protections for data in transit.
An important nuance in the Security Rule is the distinction between “required” and “addressable” safeguards. Required means you must implement it, period. Addressable means you need to assess whether it’s reasonable for your organization. If it is, you implement it. If not, you must document why and put an equivalent alternative in place. Encryption, for example, is addressable rather than required, but simply skipping it without justification and an alternative measure would be a violation.
The Breach Notification Rule
The Breach Notification Rule dictates what happens when something goes wrong. A breach is any unauthorized use or disclosure of PHI that compromises its security or privacy. When one occurs, the covered entity must notify every affected individual in writing within 60 days of discovering the breach. If the breach affects more than 500 people in a single state or jurisdiction, the organization must also notify prominent local media outlets. Breaches of 500 or more individuals require notifying the U.S. Department of Health and Human Services within 60 days as well. Smaller breaches can be reported to HHS annually.
If a business associate discovers the breach, they must notify the covered entity within 60 days, and then the covered entity handles patient and government notifications. Not every security incident qualifies as a reportable breach. Organizations can perform a risk assessment considering factors like whether the data was actually viewed, who accessed it, and how effectively the exposure was contained. But the default assumption is that any impermissible disclosure is a breach unless the assessment demonstrates otherwise.
Business Associate Agreements
Before a covered entity can share PHI with a business associate, they must sign a Business Associate Agreement, or BAA. This contract spells out exactly what the business associate can and cannot do with the data. It must require the business associate to implement appropriate safeguards, report any unauthorized disclosures or breaches, make its records available to HHS for compliance reviews, and return or destroy all PHI when the contract ends. The agreement must also ensure that any subcontractors the business associate hires are held to the same standards. If the business associate violates a material term, the covered entity must have the right to terminate the contract.
Operating without a BAA when one is required is itself a HIPAA violation, regardless of whether any data is actually compromised.
Training and Workforce Requirements
HIPAA requires covered entities to train their workforce on privacy and security policies, but it deliberately avoids prescribing a one-size-fits-all program. The rules are designed to be scalable, recognizing that a two-person dental office and a large hospital system have very different needs. What matters is that training happens, that it’s relevant to each employee’s role, and that it’s documented. New hires need training, and existing staff need updates whenever policies change. Organizations must also have clear sanction policies so employees understand the consequences of mishandling PHI.
Penalties for Violations
The Office for Civil Rights at HHS enforces HIPAA, and penalties are structured in four tiers based on the level of culpability:
- Unknowing violations: $100 to $50,000 per violation, up to $25,000 per year for repeat violations of the same type.
- Reasonable cause (should have known but didn’t act with willful neglect): $1,000 to $50,000 per violation, up to $100,000 annually.
- Willful neglect, corrected within the required time period: $10,000 to $50,000 per violation, up to $250,000 annually.
- Willful neglect, not corrected: $50,000 per violation, up to $1.5 million annually.
These are civil penalties. Criminal violations, such as knowingly obtaining or disclosing PHI, can result in fines up to $250,000 and prison time. In practice, most enforcement actions begin with investigations triggered by patient complaints or reported breaches. Many cases result in corrective action plans and settlements rather than maximum fines, but the financial exposure is real, especially when a single breach can involve thousands of individual violations.
Required vs. Addressable Safeguards
One of the most misunderstood aspects of HIPAA compliance is the concept of “addressable” safeguards. Many organizations mistakenly read “addressable” as “optional.” It is not. When a safeguard is addressable, you must evaluate whether implementing it is reasonable and appropriate for your environment. If it is, you implement it. If your circumstances make a particular measure genuinely impractical, you must document the reasoning and adopt an equivalent alternative that achieves the same protective goal. Doing nothing and leaving no documentation is treated as noncompliance.
Risk analysis is the foundation of this process. Every covered entity and business associate must conduct a thorough assessment of potential risks to the confidentiality, integrity, and availability of electronic PHI. This isn’t a one-time exercise. It should be revisited whenever systems change, new threats emerge, or the organization’s operations evolve. The risk analysis informs which safeguards are necessary and how resources should be prioritized.
Recent Changes to Reproductive Health Privacy
In April 2024, HHS finalized a rule strengthening privacy protections for reproductive health information. The rule prohibits covered entities and business associates from disclosing PHI for the purpose of investigating or penalizing someone for seeking, obtaining, or providing lawful reproductive health care. When a covered entity receives a request for PHI related to reproductive care from law enforcement, courts, or oversight agencies, the rule requires the requestor to sign an attestation confirming the request is not for a prohibited purpose.
However, in June 2025, a federal court in Texas struck down most of this rule. The court vacated the core prohibitions on disclosure, though some modifications to privacy notice requirements remain in effect with a compliance deadline of February 16, 2026. The legal landscape around reproductive health privacy under HIPAA remains unsettled and may continue to shift.

