Everything your practice needs to know — from who must comply to exactly what you need to do, plus the penalty amounts no one wants to talk about.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. It was created to ensure that patients retain certain rights over their medical records and that healthcare organizations implement safeguards to keep that information private and secure.
HIPAA is enforced by the Department of Health and Human Services Office for Civil Rights (HHS OCR). It applies to any organization that creates, receives, maintains, or transmits protected health information — from the largest hospital systems to solo practitioners. The law has real teeth: OCR collected $16.4 million in penalties in 2023 alone.
HIPAA is divided into several rules, but the two most important for most healthcare providers are the Privacy Rule and the Security Rule. The Privacy Rule governs how PHI can be used and disclosed. The Security Rule specifies the safeguards required to protect electronic PHI (ePHI).
Key Definition: PHI
PHI = Protected Health Information. Any information that relates to a patient's health condition, healthcare treatment, or payment — combined with any identifier (name, date of birth, address, SSN, account number, or even a device serial number) — is PHI. If your business touches it in any form, you are almost certainly covered by HIPAA.
HIPAA covers two distinct categories of organizations, and both face the same enforcement and penalty exposure:
Covered entities: direct providers and payers of healthcare.
Business associates: vendors and contractors who touch PHI on a covered entity's behalf.
Not sure if you're covered? If your business touches patient health information, HIPAA likely applies. Take our free 5-minute compliance quiz to find out your specific obligations and risk areas.
These are the requirements HHS OCR looks for first. Miss any of them and you're exposed.
Identify and document all PHI vulnerabilities in your systems, processes, and people. The risk assessment is the foundational HIPAA requirement — without it, OCR considers you non-compliant regardless of other measures in place.
Restrict PHI access to only those workforce members who need it for their specific job functions. This includes unique user IDs, automatic logoff, emergency access procedures, and role-based access management for all ePHI systems.
Annual HIPAA training is required for everyone who handles PHI — including front desk staff, billers, and contractors. Training must be documented with completion records retained for 6 years.
Written privacy and security policies covering all HIPAA rules are required and must be reviewed annually. OCR requests these documents as the first step in any investigation or audit.
BAAs are required with every vendor who touches PHI on your behalf. You must have signed BAAs before sharing any patient data. Missing BAAs are one of the most commonly cited HIPAA violations.
Encryption is required in practice for electronic PHI. Unencrypted devices containing ePHI that are lost or stolen constitute automatic breaches — the breach safe harbor applies only when the data was encrypted.
You have a 60-day window to notify affected patients after discovering a breach. Large breaches (500+ individuals) must also be reported to HHS and the media. Your procedures must be documented before a breach occurs.
A designated Privacy Officer and Security Officer are required. In small practices, this can be the same person. They must be formally designated in writing and have actual responsibility for overseeing HIPAA compliance.
Track and retain all access to ePHI with audit logs. Logs must be retained for 6 years. Hardware activity logs, application access logs, and login/logoff events are all required.
Secure workstations, facility access controls, and device management policies are required. This includes screen positioning, computer locks, visitor logs, and procedures for disposing of PHI-containing devices and paper records.
HHS OCR uses a four-tier penalty structure. The fines escalate sharply based on your culpability.
Real-World Enforcement: The Numbers Are Not Theoretical
Anthem paid $16 million to OCR (2018 settlement). Advocate Health Care paid $5.55 million (2016 data breach). Memorial Healthcare System paid $5.5 million (employee snooping). Your practice isn't too small to be fined — OCR has fined solo practitioners as little as $25,000.
OCR collected $16.4 million in HIPAA penalties in 2023.
New HIPAA rules and enforcement priorities you need to know about in 2026.
The Centers for Medicare & Medicaid Services published a new HIPAA Final Rule establishing standards for electronic health care claims attachments and digital signatures.
🗓 Key Dates:
May 26, 2026: Effective date — Electronic claims documentation and digital signature standards take effect for all HIPAA-covered entities.
May 26, 2028: Full compliance deadline — All systems must fully meet new electronic claims attachment transaction standards.
Action: Review your claims processing systems now. Ensure your EHR, billing software, and any third-party claims handlers support the new digital signature and e-attachment formats. This rule affects all covered entities submitting healthcare claims electronically.
We built the tools consultants use — and made them accessible to every practice, regardless of size.
Automated vulnerability scanning of your systems and processes. Generates your complete HIPAA risk assessment report in minutes — not weeks. Includes remediation priorities ranked by severity.
AI-written HIPAA policies customized for your specific practice type. Covers Privacy Policy, Security Policy, Breach Notification Policy, BAA templates, and more — ready for immediate use.
Workforce training management with automated reminders and completion certificates. Tracks who has completed training, when it expires, and generates the audit-ready reports OCR requires.
Start with our free HIPAA Risk Score — no credit card required, takes 5 minutes, and tells you exactly where you stand.
The questions every healthcare provider asks us about HIPAA compliance.
Yes. HIPAA applies to all covered entities regardless of size. A solo practitioner treating patients is a covered entity. There are no small-practice exemptions — the only size-related distinction concerns the size of a breach, not of the practice: small breaches (under 500 individuals) can be reported to HHS annually rather than within 60 days.
At minimum annually, plus whenever there is a significant change — such as implementing a new EHR system, opening a new location, undergoing a major workflow change, or after a breach. HHS OCR has made the risk assessment the centerpiece of every HIPAA audit.
Any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. This includes lost or stolen laptops, misdirected faxes, emails sent to the wrong patient, and unauthorized employee snooping on patient records. There is a limited exception for inadvertent access by authorized employees who do not retain or further use the PHI.
60 days from discovery of the breach. Large breaches affecting 500 or more individuals must also be reported to HHS and prominent media outlets in the affected state. Small breaches (under 500 individuals) must be reported to HHS annually — but you still must notify patients within 60 days.
A written contract between a covered entity and any vendor or contractor who handles PHI on its behalf. BAAs are required before sharing any PHI with a third party. Without a BAA, both parties are in violation. Common vendors requiring BAAs include EHR vendors, billing services, cloud storage providers, IT support companies, and lawyers who access patient records.
Encryption is classified as an "addressable" specification, meaning you must either implement it or document why it is not reasonable and implement an equivalent alternative. In practice, HHS OCR treats unencrypted devices that are lost or stolen as automatic breaches. The practical answer is: encrypt everything that contains ePHI.
The Privacy Rule covers all forms of PHI — paper, electronic, and verbal — and governs patients' rights including access to their records, corrections, and restrictions on use. The Security Rule covers only electronic PHI (ePHI) and specifies the technical, physical, and administrative safeguards required to protect it. Both rules must be satisfied.
It varies significantly by practice size and complexity. The investment depends on your approach: building and maintaining policies, training staff, conducting risk assessments, and preparing audit documentation all require ongoing time and resources. ComplianceStack starts at $49/month and includes automated risk assessments, AI-generated policies, and workforce training management — so your team stays focused on patients, not paperwork.
OCR typically requests your most recent risk assessment, written privacy and security policies, signed Business Associate Agreements, workforce training records, and audit logs of PHI access. If you cannot produce these documents, expect significant fines. Having organized, current documentation is the entire game in an OCR audit.
Yes. Psychologists, therapists, licensed counselors, and psychiatric providers are covered entities under HIPAA. Mental health records have additional protections under both HIPAA and state laws. Psychotherapy notes — the clinician's personal session notes — have the highest level of protection and require separate authorization for disclosure.
Take our free 5-minute HIPAA risk assessment. No credit card. No sales call required. Get your compliance score and a prioritized action plan instantly.