HIPAA Compliance Requirements 2026: 10 Rules, $145–$2.13M Penalties, Free Risk Score

Everything your practice needs to know — from who must comply to exactly what you need to do, plus the penalty amounts no one wants to talk about.

HIPAA Covered Entity Guide
Updated March 2025

What Is HIPAA, in Plain English?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. It was created to ensure that patients retain certain rights over their medical records and that healthcare organizations implement safeguards to keep that information private and secure.

HIPAA is enforced by the Department of Health and Human Services Office for Civil Rights (HHS OCR). It applies to any organization that creates, receives, maintains, or transmits protected health information — from the largest hospital systems to solo practitioners. The law has real teeth: OCR collected $16.4 million in penalties in 2023 alone.

HIPAA is divided into several rules, but the two most important for most healthcare providers are the Privacy Rule and the Security Rule. The Privacy Rule governs how PHI can be used and disclosed. The Security Rule specifies the safeguards required to protect electronic PHI (ePHI).

Key Definition: PHI

PHI = Protected Health Information. Any information that relates to a patient's health condition, healthcare treatment, or payment — combined with any identifier (name, date of birth, address, SSN, account number, or even a device serial number) — is PHI. If your business touches it in any form, you are almost certainly covered by HIPAA.

Who Must Comply With HIPAA?

HIPAA covers two distinct categories of organizations. Both face the same enforcement and penalty exposure.

Covered Entities

Direct providers and payers of healthcare

  • Medical practices & physicians
  • Hospitals & health systems
  • Pharmacies
  • Health insurance companies
  • Mental health providers
  • Dental offices
  • Chiropractors & physical therapists

Business Associates

Vendors & contractors who touch PHI

  • Medical billing companies
  • EHR/EMR software vendors
  • Cloud storage providers handling PHI
  • Lawyers accessing PHI
  • IT service providers with PHI access
  • Transcription services

Not sure if you're covered? If your business touches patient health information, HIPAA likely applies. Take our free 5-minute compliance quiz to find out your specific obligations and risk areas.

Top 10 HIPAA Compliance Requirements

These are the requirements HHS OCR looks for first. Miss any of them and you're exposed.

1. Conduct Annual Risk Assessment

Identify and document all PHI vulnerabilities in your systems, processes, and people. The risk assessment is the foundational HIPAA requirement — without it, OCR considers you non-compliant regardless of other measures in place.

2. Implement Access Controls

Restrict PHI access to only those workforce members who need it for their specific job functions. This includes unique user IDs, automatic logoff, emergency access procedures, and role-based access management for all ePHI systems.

3. Train All Workforce Members

Annual HIPAA training is required for everyone who handles PHI — including front desk staff, billers, and contractors. Training must be documented, with completion records retained for 6 years.

4. Create & Maintain Policies

Written privacy and security policies covering all HIPAA rules are required and must be reviewed annually. OCR requests these documents as the first step in any investigation or audit.

5. Sign Business Associate Agreements

BAAs are required with every vendor who touches PHI on your behalf. You must have signed BAAs before sharing any patient data. Missing BAAs are one of the most commonly cited HIPAA violations.

6. Encrypt PHI in Transit & at Rest

Encryption is required for electronic PHI. Unencrypted devices containing ePHI that are lost or stolen constitute automatic breaches — there is no safe harbor without encryption.

7. Establish Breach Notification Procedures

You have a 60-day window to notify affected patients after discovering a breach. Large breaches (500+ individuals) must also be reported to HHS and the media. Your procedures must be documented before a breach occurs.

8. Appoint a Privacy/Security Officer

A designated Privacy Officer and Security Officer are required. In small practices, this can be the same person. They must be formally designated in writing and have actual responsibility for overseeing HIPAA compliance.

9. Maintain Audit Logs

Track and retain all access to ePHI with audit logs. Logs must be retained for 6 years. Hardware activity logs, application access logs, and login/logoff events are all required.

10. Implement Physical Safeguards

Secure workstations, facility access controls, and device management policies are required. This includes screen positioning, computer locks, visitor logs, and procedures for disposing of PHI-containing devices and paper records.

Penalty Exposure

HIPAA Violation Penalties: Real Numbers

HHS OCR uses a four-tier penalty structure. The fines escalate sharply based on your culpability.

Tier   | Culpability      | Description                | Penalty per violation | Annual maximum
-------|------------------|----------------------------|-----------------------|---------------
Tier 1 | Unknowing        | Unaware of the violation   | $145–$73,011          | $2,190,294
Tier 2 | Reasonable Cause | Should have known          | $1,461–$73,011        | $2,190,294
Tier 3 | Willful Neglect  | Corrected within 30 days   | $14,602–$73,011       | $2,190,294
Tier 4 | Willful Neglect  | Not corrected              | $71,162–$2.19M        | $2,190,294

Real-World Enforcement: The Numbers Are Not Theoretical

Anthem paid $16 million to OCR (2018 settlement). Advocate Health Care paid $5.55 million (2016 data breach). Memorial Healthcare System paid $5.5 million (employee snooping). Your practice isn't too small to be fined — OCR has fined solo practitioners as little as $25,000.

OCR collected $16.4 million in HIPAA penalties in 2023.

Recent Regulatory Developments

New HIPAA rules and enforcement priorities you need to know about in 2026.

CMS HIPAA Claims Attachments Final Rule (Published March 24, 2026)

The Centers for Medicare & Medicaid Services published a new HIPAA Final Rule establishing standards for electronic health care claims attachments and digital signatures.

Key Dates:

  • May 26, 2026: Effective date — electronic claims documentation and digital signature standards take effect for all HIPAA-covered entities.
  • May 26, 2028: Full compliance deadline — all systems must fully meet the new electronic claims attachment transaction standards.

Action: Review your claims processing systems now. Ensure your EHR, billing software, and any third-party claims handlers support the new digital signature and e-attachment formats. This rule affects all covered entities submitting healthcare claims electronically.

Get Your HIPAA Compliance Report

See your exact gaps, penalty exposure, and prioritized remediation actions in a formal audit document. $49–$149.

No spam. No sales calls. Sent within 1 business hour.

How ComplianceStack Makes HIPAA Compliance Manageable

We built the tools consultants use — and made them accessible to every practice, regardless of size.

AI Risk Assessment

Automated vulnerability scanning of your systems and processes. Generates your complete HIPAA risk assessment report in minutes — not weeks. Includes remediation priorities ranked by severity.

Policy Generator

AI-written HIPAA policies customized for your specific practice type. Covers Privacy Policy, Security Policy, Breach Notification Policy, BAA templates, and more — ready for immediate use.

Training Tracker

Workforce training management with automated reminders and completion certificates. Tracks who has completed training, when it expires, and generates the audit-ready reports OCR requires.

Start with our free HIPAA Risk Score — no credit card required, takes 5 minutes, and tells you exactly where you stand.

Frequently Asked Questions

The questions every healthcare provider asks us about HIPAA compliance.

Does HIPAA apply to small practices with just 1-2 doctors?

HIPAA applies to all covered entities regardless of size — a solo practitioner with one patient is just as subject to enforcement as a major hospital system, with no small-practice exemption. The only size-based distinction is that breaches affecting fewer than 500 individuals can be reported to HHS annually rather than within the standard 60-day window.

How often do I need to do a HIPAA risk assessment?

HHS OCR requires HIPAA risk assessments at minimum annually and whenever there is a significant operational change — a new EHR system, a new location, a workflow overhaul, or a breach. The risk assessment is the most-cited deficiency in OCR corrective action plans, making it the highest-priority HIPAA requirement for any covered entity.

What counts as a HIPAA breach?

A HIPAA breach is any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy — this definition covers lost laptops, misdirected faxes, email errors to wrong patients, and unauthorized employee record-snooping. HHS OCR treats unencrypted devices lost or stolen as automatic breaches with no safe harbor.

How long do I have to report a HIPAA breach?

HHS OCR requires breach notification within 60 days of discovery, with affected patients notified individually — the annual HHS reporting option applies only to small breaches affecting fewer than 500 individuals. Large breaches (500+ individuals) require simultaneous notification to HHS OCR and prominent media in the affected state.

What is a Business Associate Agreement (BAA)?

A HIPAA Business Associate Agreement (BAA) is a required written contract between a covered entity and any vendor handling PHI on its behalf — sharing PHI without a signed BAA puts both parties in violation of 45 CFR §164.308(b). All EHR vendors, billing services, cloud storage providers, IT support companies, and any other third party touching patient data must execute a BAA before any PHI is shared.

Does HIPAA require encryption?

HIPAA classifies encryption as an addressable safeguard — meaning organizations must either implement it or formally document why it's not reasonable and adopt an equivalent alternative. In OCR enforcement practice, unencrypted devices lost or stolen are treated as automatic breaches with no safe harbor. The operational answer is straightforward: encrypt every device containing ePHI.

What's the difference between HIPAA Privacy Rule and Security Rule?

HIPAA's Privacy Rule governs all forms of PHI — paper, electronic, and verbal — including patient rights to access, correct, and restrict use of their records. The Security Rule covers only electronic PHI (ePHI) and specifies the technical, physical, and administrative safeguards required to protect it. Both rules must be satisfied, and ComplianceStack's HIPAA compliance tools address requirements under each.

How much does HIPAA compliance cost?

HIPAA compliance costs vary significantly by practice size and complexity, but the primary cost drivers are policy documentation, staff training, risk assessments, and audit-ready record keeping. ComplianceStack provides automated HIPAA risk assessments, AI-generated policies, and workforce training management starting at $49/month — allowing healthcare teams to stay focused on patients rather than paperwork.

What happens if I get audited by HHS OCR?

HHS OCR audit requests focus on five document categories: the most recent risk assessment, written privacy and security policies, signed BAAs, workforce training records, and PHI access audit logs. Failure to produce current, organized documentation in an OCR audit results in substantial civil money penalties — documentation readiness is the primary determinant of audit outcome.

Does HIPAA apply to mental health providers?

Psychologists, therapists, licensed counselors, and psychiatric providers are covered entities under HIPAA — mental health providers face the same enforcement exposure as any other covered entity. Mental health records carry additional protections under both HIPAA and state law, with psychotherapy notes receiving the highest level of protection and requiring separate authorization for any disclosure.

Related Tools from the Stack Network

LegalStackTools

Free Business Associate Agreement templates, HIPAA-compliant policy forms, and AI-powered legal document tools.

BizStackHub

Business templates and AI tools for small practices — from HIPAA policies to staff onboarding documents.

Know Exactly Where You Stand on HIPAA

Take our free 5-minute HIPAA risk assessment. No credit card. No sales call required. Get your compliance score and a prioritized action plan instantly.
