Everything your practice needs to know — from who must comply to exactly what you need to do, plus the penalty amounts no one wants to talk about.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. It was created to ensure that patients retain certain rights over their medical records and that healthcare organizations implement safeguards to keep that information private and secure.
HIPAA is enforced by the Department of Health and Human Services Office for Civil Rights (HHS OCR). It applies to any organization that creates, receives, maintains, or transmits protected health information — from the largest hospital systems to solo practitioners. The law has real teeth: OCR collected $16.4 million in penalties in 2023 alone.
HIPAA is divided into several rules, but the two most important for most healthcare providers are the Privacy Rule and the Security Rule. The Privacy Rule governs how PHI can be used and disclosed. The Security Rule specifies the safeguards required to protect electronic PHI (ePHI).
Key Definition: PHI
PHI = Protected Health Information. Any information that relates to a patient's health condition, healthcare treatment, or payment — combined with any identifier (name, date of birth, address, SSN, account number, or even a device serial number) — is PHI. If your business touches it in any form, you are almost certainly covered by HIPAA.
HIPAA covers two distinct categories of organizations. Both face the same enforcement and penalty exposure.
Covered entities: direct providers and payers of healthcare.
Business associates: vendors and contractors who touch PHI on a covered entity's behalf.
Not sure if you're covered? If your business touches patient health information, HIPAA likely applies. Take our free 5-minute compliance quiz to find out your specific obligations and risk areas.
These are the requirements HHS OCR looks for first. Miss any of them and you're exposed.
Identify and document all PHI vulnerabilities in your systems, processes, and people. The risk assessment is the foundational HIPAA requirement — without it, OCR considers you non-compliant regardless of other measures in place.
Restrict PHI access to only those workforce members who need it for their specific job functions. This includes unique user IDs, automatic logoff, emergency access procedures, and role-based access management for all ePHI systems.
Annual HIPAA training is required for everyone who handles PHI — including front desk staff, billers, and contractors. Training must be documented with completion records retained for 6 years.
Written privacy and security policies covering all HIPAA rules are required and must be reviewed annually. OCR requests these documents as the first step in any investigation or audit.
BAAs are required with every vendor who touches PHI on your behalf. You must have signed BAAs before sharing any patient data. Missing BAAs are one of the most commonly cited HIPAA violations.
Encryption is required for electronic PHI. Unencrypted devices containing ePHI that are lost or stolen constitute automatic breaches — there is no safe harbor without encryption.
You have a 60-day window to notify affected patients after discovering a breach. Large breaches (500+ individuals) must also be reported to HHS and the media. Your procedures must be documented before a breach occurs.
A designated Privacy Officer and Security Officer are required. In small practices, this can be the same person. They must be formally designated in writing and have actual responsibility for overseeing HIPAA compliance.
Track and retain all access to ePHI with audit logs. Logs must be retained for 6 years. Hardware activity logs, application access logs, and login/logoff events are all required.
Secure workstations, facility access controls, and device management policies are required. This includes screen positioning, computer locks, visitor logs, and procedures for disposing of PHI-containing devices and paper records.
HHS OCR uses a four-tier penalty structure. The fines escalate sharply based on your culpability.
Real-World Enforcement: The Numbers Are Not Theoretical
Anthem paid $16 million to OCR (2018 settlement). Advocate Health Care paid $5.55 million (2016 data breach). Memorial Healthcare System paid $5.5 million (employee snooping). Your practice isn't too small to be fined — OCR has fined solo practitioners as little as $25,000.
OCR collected $16.4 million in HIPAA penalties in 2023.
New HIPAA rules and enforcement priorities you need to know about in 2026.
The Centers for Medicare & Medicaid Services published a new HIPAA Final Rule establishing standards for electronic health care claims attachments and digital signatures.
🗓 Key Dates:
May 26, 2026: Effective date — Electronic claims documentation and digital signature standards take effect for all HIPAA-covered entities.
May 26, 2028: Full compliance deadline — All systems must fully meet new electronic claims attachment transaction standards.
Action: Review your claims processing systems now. Ensure your EHR, billing software, and any third-party claims handlers support the new digital signature and e-attachment formats. This rule affects all covered entities submitting healthcare claims electronically.
See your exact gaps, penalty exposure, and prioritized remediation actions in a formal audit document. $49–$149.
We built the tools consultants use — and made them accessible to every practice, regardless of size.
Automated vulnerability scanning of your systems and processes. Generates your complete HIPAA risk assessment report in minutes — not weeks. Includes remediation priorities ranked by severity.
AI-written HIPAA policies customized for your specific practice type. Covers Privacy Policy, Security Policy, Breach Notification Policy, BAA templates, and more — ready for immediate use.
Workforce training management with automated reminders and completion certificates. Tracks who has completed training, when it expires, and generates the audit-ready reports OCR requires.
Start with our free HIPAA Risk Score — no credit card required, takes 5 minutes, and tells you exactly where you stand.
The questions every healthcare provider asks us about HIPAA compliance.
HIPAA applies to all covered entities regardless of size — a solo practitioner with one patient is just as subject to enforcement as a major hospital system, with no small-practice exemption. The only size-based distinction is that breaches affecting fewer than 500 individuals can be reported to HHS annually rather than within the standard 60-day window.
HHS OCR requires HIPAA risk assessments at minimum annually and whenever there is a significant operational change — a new EHR system, a new location, a workflow overhaul, or a breach. The risk assessment is the most-cited deficiency in OCR corrective action plans, making it the highest-priority HIPAA requirement for any covered entity.
A HIPAA breach is any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy — this definition covers lost laptops, misdirected faxes, email errors to wrong patients, and unauthorized employee record-snooping. HHS OCR treats unencrypted devices lost or stolen as automatic breaches with no safe harbor.
HHS OCR requires breach notification within 60 days of discovery, with affected patients notified individually — the annual HHS reporting option applies only to small breaches affecting fewer than 500 individuals. Large breaches (500+ individuals) require simultaneous notification to HHS OCR and prominent media in the affected state.
A HIPAA Business Associate Agreement (BAA) is a required written contract between a covered entity and any vendor handling PHI on its behalf — sharing PHI without a signed BAA puts both parties in violation of 45 CFR §164.308(b). All EHR vendors, billing services, cloud storage providers, IT support companies, and any other third party touching patient data must execute a BAA before any PHI is shared.
HIPAA classifies encryption as an addressable safeguard — meaning organizations must either implement it or formally document why it's not reasonable and adopt an equivalent alternative. In OCR enforcement practice, unencrypted devices lost or stolen are treated as automatic breaches with no safe harbor. The operational answer is straightforward: encrypt every device containing ePHI.
HIPAA's Privacy Rule governs all forms of PHI — paper, electronic, and verbal — including patient rights to access, correct, and restrict use of their records. The Security Rule covers only electronic PHI (ePHI) and specifies the technical, physical, and administrative safeguards required to protect it. Both rules must be satisfied, and ComplianceStack's HIPAA compliance tools address requirements under each.
HIPAA compliance costs vary significantly by practice size and complexity, but the primary cost drivers are policy documentation, staff training, risk assessments, and audit-ready record keeping. ComplianceStack provides automated HIPAA risk assessments, AI-generated policies, and workforce training management starting at $49/month — allowing healthcare teams to stay focused on patients rather than paperwork.
HHS OCR audit requests focus on five document categories: the most recent risk assessment, written privacy and security policies, signed BAAs, workforce training records, and PHI access audit logs. Failure to produce current, organized documentation in an OCR audit results in substantial civil money penalties — documentation readiness is the primary determinant of audit outcome.
Psychologists, therapists, licensed counselors, and psychiatric providers are covered entities under HIPAA — mental health providers face the same enforcement exposure as any other covered entity. Mental health records carry additional protections under both HIPAA and state law, with psychotherapy notes receiving the highest level of protection and requiring separate authorization for any disclosure.
Take our free 5-minute HIPAA risk assessment. No credit card. No sales call required. Get your compliance score and a prioritized action plan instantly.