Complete HIPAA Compliance Guide 2026: Privacy Rule, Security Rule, Enforcement
Last updated: 2026-05-03 — ComplianceStack Editorial Team
HIPAA compliance in 2026 is more demanding than at any point since the 2013 Omnibus Rule. The HHS Office for Civil Rights has proposed sweeping Security Rule changes — mandatory encryption, multi-factor authentication, annual penetration testing — while simultaneously ramping up enforcement against telehealth providers, mental health platforms, and healthcare apps. Whether you are a hospital, a solo practice, a healthcare SaaS company, or a billing vendor, this guide covers every major HIPAA obligation, the real enforcement record, and how to build a defensible compliance program.
Who Must Comply with HIPAA in 2026
HIPAA applies to two categories of organizations: covered entities and business associates. Understanding which bucket you fall into determines your direct obligations.
Covered entities are health plans (including employer-sponsored group health plans), healthcare clearinghouses, and healthcare providers that transmit any health information electronically in connection with a HIPAA-covered transaction. This includes hospitals, physician practices, dental offices, pharmacies, mental health providers, physical therapists, nursing homes, and health insurance carriers.
Business associates are persons or entities that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a covered entity. Common examples include: EHR vendors, medical billing companies, IT service providers with PHI access, cloud storage providers, transcription services, law firms handling patient files, accountants reviewing health plan data, and pharmacy benefit managers. Since the 2013 Omnibus Rule, business associates are directly liable under HIPAA — not merely contractually bound by their Business Associate Agreement. OCR can investigate and fine a business associate for HIPAA violations independently of the covered entity.
Healthcare apps and telehealth: The rise of digital health has created significant ambiguity. A healthcare provider using a telehealth platform is a covered entity; the telehealth vendor is a business associate. However, a consumer wellness app that is not contracted to act on behalf of a covered entity is generally not subject to HIPAA — it may instead fall under FTC jurisdiction. OCR issued guidance in 2022 clarifying that tracking pixel technologies embedded in healthcare provider websites that transmit PHI to advertising platforms (Meta Pixel, Google Analytics) likely violate HIPAA.
De-identified data exemption: Data that has been properly de-identified under 45 CFR §164.514 — either through the Expert Determination method or the Safe Harbor method (removing all 18 PHI identifiers) — is not PHI and is not subject to HIPAA restrictions. De-identification must be documented and defensible.
If you are unsure whether HIPAA applies to your organization, use our free HIPAA Risk Calculator at /hipaa-risk-calculator to assess your exposure in under five minutes. Industry-specific guidance is available at /checklist/hipaa/dental-practice, /checklist/hipaa/mental-health, and /checklist/hipaa/pharmacy.
The HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
The Privacy Rule governs how covered entities and business associates may use and disclose PHI. It establishes patient rights and imposes requirements on the operational handling of health information.
Minimum Necessary Standard: Covered entities must make reasonable efforts to limit PHI use, disclosure, and requests to the minimum necessary to accomplish the intended purpose. This standard applies to most uses and disclosures except treatment, disclosures to the patient, and uses pursuant to a patient authorization.
Patient Rights: Under the Privacy Rule, patients have the right to:
- Access their PHI within 30 days of request (one 30-day extension is permitted with written notice). A proposed regulatory update would reduce this to 15 days — watch for finalization.
- Request amendment of their PHI if they believe it is inaccurate or incomplete.
- Receive an accounting of disclosures for certain disclosures made in the prior six years.
- Request restrictions on certain uses and disclosures.
- Request confidential communications (e.g., receive calls only at a specific number).
- Receive a Notice of Privacy Practices (NPP) describing how their PHI may be used.
The 18 PHI Identifiers: PHI is health information that identifies — or could reasonably be used to identify — an individual. The Safe Harbor de-identification method requires removal of all 18 identifiers: (1) names, (2) geographic subdivisions smaller than a state, (3) dates except year, (4) phone numbers, (5) fax numbers, (6) email addresses, (7) social security numbers, (8) medical record numbers, (9) health plan beneficiary numbers, (10) account numbers, (11) certificate/license numbers, (12) vehicle identifiers, (13) device identifiers, (14) web URLs, (15) IP addresses, (16) biometric identifiers, (17) full-face photos, (18) any other unique identifier.
Reproductive Health Privacy Updates (effective December 2024): The HIPAA Privacy Rule was amended to add new protections for reproductive health information. Covered entities may not use or disclose PHI related to reproductive health care to investigate or impose liability on individuals for seeking lawful reproductive health care, or to identify persons planning to seek such care. New attestation requirements apply when disclosing PHI that could relate to reproductive health care for health oversight, judicial proceedings, law enforcement, or to coroners. Covered entities should update their NPP and workforce training to reflect these changes.
Notice of Privacy Practices: Every covered entity must maintain a current NPP and distribute it to new patients, post it at service sites, and publish it on the entity's website. The NPP must describe uses and disclosures, patient rights, the entity's legal duties, and how to file complaints. Review your NPP against the December 2024 reproductive health amendments.
The HIPAA Security Rule (45 CFR Part 164, Subpart C)
The Security Rule governs electronic Protected Health Information (ePHI) — PHI that is created, received, maintained, or transmitted in electronic form. It requires covered entities and business associates to implement safeguards across three categories.
Administrative Safeguards are the policies, procedures, and workforce management activities that protect ePHI. They include:
- Security Risk Analysis (45 CFR §164.308(a)(1)) — The single most frequently cited gap in OCR audits. Every covered entity must conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI. This is not a one-time checkbox — it must be updated when operations, systems, or environments change, and at minimum annually.
- Security Risk Management Plan
- Workforce training and sanction policies
- Information access management and authorization procedures
- Security incident procedures
- Contingency plan (backup and disaster recovery)
- Business Associate Agreement management
Physical Safeguards govern the physical facilities and equipment where ePHI is stored or accessed: facility access controls, workstation use policies, workstation security, and device and media controls (including proper disposal).
Technical Safeguards govern the technology that protects ePHI: access controls (unique user IDs, automatic logoff, encryption/decryption), audit controls (hardware and software activity logs), integrity controls, and transmission security.
2026 Security Rule NPRM — Proposed Changes: HHS published a Notice of Proposed Rulemaking that would significantly update the Security Rule for the first time since 2006. Key proposed changes include:
- Mandatory encryption of ePHI at rest and in transit (currently listed as "addressable" — meaning organizations can use alternative measures or document why encryption is not reasonable. The NPRM would make encryption a required specification with no addressable alternative.)
- Multi-factor authentication (MFA) required for all access to systems containing ePHI
- Network segmentation to limit the spread of breaches
- Biannual vulnerability scans of all ePHI systems
- Annual penetration testing by qualified internal or external testers
- 72-hour incident response plan — organizations must be able to detect, respond to, and recover from security incidents within 72 hours
- Asset inventory of all hardware and software interacting with ePHI
- Enhanced business associate oversight requirements
The final rule is expected in May 2026 with a 240-day compliance window from publication. Organizations should treat proposed changes as the coming baseline and begin implementation now. For a detailed analysis of the NPRM changes, see /hipaa-security-rule-2026.
Breach Notification Rule (45 CFR Part 164, Subpart D)
The Breach Notification Rule requires covered entities and business associates to provide notification following the discovery of a breach of unsecured PHI.
Definition of Breach: A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the PHI. Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction methods specified by HHS guidance.
The Four-Element Breach Determination Test: An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least four factors:
1. The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed (or only had opportunity to be)
4. The extent to which the risk to PHI has been mitigated
This four-element test is not a free pass — it requires a documented, good-faith analysis. Organizations that skip the analysis and assume no breach occurred are at significant risk.
Notification Deadlines:
- Individuals: Must be notified by first-class mail (or email with authorization) within 60 days of discovery of the breach.
- HHS: Breaches affecting 500 or more individuals must be reported to HHS within 60 days. Breaches affecting fewer than 500 individuals are logged and submitted to HHS annually by March 1 of the following year.
- Media: For breaches affecting 500 or more residents of a state or jurisdiction, covered entities must notify prominent media outlets serving the area within 60 days.
- Business Associates: Must notify the covered entity without unreasonable delay and no later than 60 days from discovery. The BA's contract may impose a shorter timeline — 10 business days is common.
Substitute Notice: If contact information for 10 or more affected individuals is out of date, substitute notice (posting on the covered entity's website or in major print or broadcast media) is permitted.
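The deadline logic above, as an added worked example (not ComplianceStack's code): it takes the discovery date and affected counts and returns the individual, HHS, media and business-associate deadlines the rule describes. It assumes the discovery date has already been established (when the entity knew or should have known) and that any BA contract clock is given in calendar days.

```python
"""Breach notification deadline calculator (added example, not from the page)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

OUTER_LIMIT_DAYS = 60             # individuals, HHS (500+), media, BA-to-covered-entity
LARGE_BREACH_THRESHOLD = 500      # 500+ individuals: immediate HHS report; 500+ in a jurisdiction: media
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10+ out-of-date contact records permit substitute notice


@dataclass
class NotificationPlan:
    individuals_by: date
    hhs_by: date
    hhs_route: str
    media_by: Optional[date]
    media_jurisdictions: list = field(default_factory=list)
    covered_entity_by: Optional[date] = None   # only set when a BA made the discovery
    substitute_notice_permitted: bool = False


def annual_log_deadline(discovered: date) -> date:
    """Breaches under 500 individuals are logged and submitted by March 1 of the following year."""
    return date(discovered.year + 1, 3, 1)


def build_plan(discovered: date, affected_total: int, affected_by_jurisdiction: dict,
               stale_contacts: int = 0, discovered_by_ba: bool = False,
               ba_contract_days: Optional[int] = None) -> NotificationPlan:
    """Compute every notification deadline from a single discovery date.

    affected_by_jurisdiction maps a state/jurisdiction code to the number of
    its residents affected; it drives the media-notice decision.
    """
    outer = discovered + timedelta(days=OUTER_LIMIT_DAYS)

    # HHS: large breaches within 60 days, small ones via the annual log.
    if affected_total >= LARGE_BREACH_THRESHOLD:
        hhs_by, hhs_route = outer, "report to HHS within 60 days of discovery"
    else:
        hhs_by, hhs_route = annual_log_deadline(discovered), "log and submit to HHS by March 1 next year"

    # Media: only jurisdictions where 500+ residents are affected.
    media = sorted(j for j, n in affected_by_jurisdiction.items() if n >= LARGE_BREACH_THRESHOLD)
    media_by = outer if media else None

    # BA-to-covered-entity: 60 days at most, shorter if the BAA says so
    # (assumption: the contract figure is supplied in calendar days).
    ce_by = None
    if discovered_by_ba:
        ce_by = outer
        if ba_contract_days is not None:
            ce_by = min(outer, discovered + timedelta(days=ba_contract_days))

    return NotificationPlan(
        individuals_by=outer,
        hhs_by=hhs_by,
        hhs_route=hhs_route,
        media_by=media_by,
        media_jurisdictions=media,
        covered_entity_by=ce_by,
        substitute_notice_permitted=stale_contacts >= SUBSTITUTE_NOTICE_THRESHOLD,
    )


if __name__ == "__main__":
    # Constructed scenario: 1,200 affected, 900 of them Texas residents, 12 stale addresses.
    plan = build_plan(date(2026, 1, 15), 1200, {"TX": 900, "OK": 300}, stale_contacts=12)
    print(plan)
```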
For detail on how breach notification penalties are calculated, see /penalties/hipaa/breach-notification-penalties.
OCR Enforcement: 6 Real Cases (2016–2023)
Understanding actual enforcement actions gives organizations a realistic picture of OCR's priorities and the cost of non-compliance. The following are real settlements and civil monetary penalties imposed by OCR.
1. Anthem, Inc. — $16 Million (2018)
The largest HIPAA settlement in OCR history. Anthem's breach, discovered in January 2015, affected approximately 78.8 million individuals — the largest health data breach ever. Attackers obtained access through a phishing email and went undetected for months. OCR found failures in conducting an enterprise-wide risk analysis, insufficient security controls to detect the intrusion, and impermissible disclosure of ePHI. The $16 million settlement was accompanied by a comprehensive corrective action plan. This case established that even large, well-resourced covered entities are vulnerable — and that inadequate risk analysis at enterprise scale will draw maximum enforcement attention.
2. Premera Blue Cross — $6.85 Million (2019)
Premera's breach exposed the ePHI of 10.4 million individuals, including clinical information and Social Security numbers. OCR's investigation found that Premera had failed to conduct a thorough risk analysis, failed to implement a risk management plan to reduce vulnerabilities, and had known IT vulnerabilities that had not been remediated for years before the breach. The settlement of $6.85 million was one of the largest at the time and was paired with a three-year corrective action plan with an independent monitor. Premera also settled a class action lawsuit for $74 million.
3. MD Anderson Cancer Center — $4.35 Million Civil Monetary Penalty (2018)
This case is notable because it was a civil monetary penalty rather than a negotiated settlement — meaning OCR imposed the fine over MD Anderson's objection. OCR found that MD Anderson had an encryption policy since 2006 but failed to implement it. Three separate incidents between 2012 and 2013 involved unencrypted laptops and a USB drive that were lost or stolen, exposing the ePHI of approximately 34,883 individuals. An administrative law judge upheld the penalty, finding that MD Anderson's failure to encrypt constituted willful neglect — a finding that forecloses OCR's discretion to reduce or waive the penalty. See /penalties/hipaa/willful-neglect for the willful neglect penalty framework.
4. Advocate Health Care — $5.55 Million (2016)
At the time, the largest HIPAA settlement ever. Three separate breaches at Advocate affected approximately 4 million individuals. Two breaches involved unencrypted laptops stolen from employee vehicles and an administrative office. OCR found failures in risk analysis, inadequate physical safeguards for laptops, and a failure to obtain BAAs from business associates. The size of the penalty reflected the scale of the breach and Advocate's failure to implement basic encryption despite the known risk.
5. LifeBridge Health — $9.76 Million (2023)
A server breach at LifeBridge Health exposed the ePHI of 538,000 patients, including names, dates of birth, diagnoses, medication information, and Social Security numbers. OCR found that LifeBridge failed to conduct a comprehensive organization-wide risk analysis, failed to implement sufficient technical safeguards, and had inadequate policies and procedures for reviewing system activity. The $9.76 million settlement signals that OCR continues to prioritize risk analysis failures and that organizations with large patient populations face commensurate enforcement exposure.
6. Banner Health — $1.25 Million (2023)
Banner Health's breach affected 2.81 million individuals and resulted from a cyberattack. The $1.25 million settlement focused on Banner's inadequate risk analysis, specifically the failure to conduct an accurate and thorough assessment before the attack. This case reinforces that OCR treats risk analysis failure as an independent, serious violation regardless of whether the organization had other security measures in place.
HIPAA Penalties in 2026 (45 CFR §160.404)
HHS adjusts HIPAA civil monetary penalties annually for inflation under the Federal Civil Penalties Inflation Adjustment Act. The 2026 penalty tiers per violation category, per calendar year:
Tier 1 — Did Not Know: The covered entity or business associate did not know and, by exercising reasonable diligence, would not have known of the violation.
- Minimum: $141 per violation
- Maximum: $71,162 per violation
- Annual cap: $71,162 for identical violations
Tier 2 — Reasonable Cause: The violation was due to reasonable cause and not willful neglect.
- Minimum: $1,424 per violation
- Maximum: $71,162 per violation
- Annual cap: $71,162 for identical violations
Tier 3 — Willful Neglect, Corrected: The violation was due to willful neglect, but was corrected within 30 days.
- Minimum: $14,238 per violation
- Maximum: $71,162 per violation
- Annual cap: $71,162 for identical violations
Tier 4 — Willful Neglect, Not Corrected: The violation was due to willful neglect and was not corrected.
- Minimum: $71,162 per violation
- Maximum: $2,134,831 per violation
- Annual cap: $2,134,831 for identical violations
Critical note on willful neglect: OCR cannot waive or reduce civil monetary penalties for Tier 3 or Tier 4 violations. This is a statutory limitation under 42 U.S.C. §1320d-5(b)(3). If OCR determines that a violation involved willful neglect, the minimum penalty is mandatory regardless of any cooperation or remediation efforts after the fact. See /penalties/hipaa/willful-neglect for more on this framework.
Criminal Penalties: Under 42 U.S.C. §1320d-6, individuals who knowingly obtain or disclose PHI in violation of HIPAA face:
- Up to $50,000 fine and 1 year imprisonment for basic violations
- Up to $100,000 fine and 5 years imprisonment for offenses under false pretenses
- Up to $250,000 fine and 10 years imprisonment for offenses with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm
For a complete breakdown of penalty calculations and examples, see /penalties/hipaa/violation-tiers.
State-by-State HIPAA Variations: California, New York, and Texas
HIPAA establishes a federal floor — states may impose stricter requirements, and many do. Organizations operating in California, New York, or Texas face additional obligations that can significantly exceed HIPAA's baseline.
California
California has the most comprehensive healthcare privacy law stack in the United States.
Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code §56 et seq.: The CMIA applies to any provider of health care, health care service plans, contractors, and employers with respect to employee medical information. Critically, the CMIA applies to a broader universe of entities than HIPAA — including entities that are not HIPAA covered entities. Penalties include:
- Civil penalty of $1,000 per violation for negligent disclosures
- Civil penalty of $3,000 per violation for negligent disclosures with patient harm
- Civil penalty of up to $250,000 per violation for willful and malicious disclosures
- Private right of action for nominal, actual, and punitive damages
California Department of Public Health (CDPH) enforces the CMIA against healthcare facilities. CDPH can impose administrative penalties of up to $100 per patient per day for certain violations and refer cases to the Attorney General.
California Office of Health Information Integrity (CalOHII) conducts HIPAA compliance audits of healthcare entities operating in California. CalOHII audits are independent of OCR audits and can result in referrals to CDPH or OCR.
Detailed California-specific requirements are at /compliance/hipaa/california.
New York
NY SHIELD Act (Stop Hacks and Improve Electronic Data Security Act): Effective March 2020, the SHIELD Act expanded New York's data breach notification requirements and imposed reasonable security obligations on any person or business that owns or licenses private information of New York residents — regardless of where the business is located. It requires reasonable administrative, technical, and physical safeguards, including specific encryption requirements.
DFS Cybersecurity Regulation (23 NYCRR Part 500): Applies to financial services companies licensed by the New York Department of Financial Services — including many health insurers. Requires a written cybersecurity program, annual risk assessments, MFA for critical systems, encryption of nonpublic information, and annual penetration testing. Health insurers regulated by DFS face both HIPAA and Part 500 requirements simultaneously.
New York-Presbyterian Hospital — $4.8 Million Settlement (2016): This landmark case involved a joint settlement between Columbia University Medical Center and NYP Hospital following a breach that exposed the ePHI of 6,800 patients. The organizations failed to implement proper technical safeguards when a physician attempted to deactivate a personal server — the server's firewall was not properly configured, making patient data accessible on the internet. NYP paid $3.3 million and Columbia paid $1.5 million.
See /compliance/hipaa/new-york for the full New York compliance picture.
Texas
Texas Medical Records Privacy Act (TMRPA), Tex. Health and Safety Code Ch. 181: The TMRPA applies to all covered entities in Texas and extends to any entity that comes into possession of protected health information, regardless of whether they transmit health information electronically. This is a broader scope than HIPAA, which requires electronic transmission for healthcare providers to qualify as covered entities.
Texas Health and Human Services Commission (HHSC) enforces TMRPA. Civil penalties can reach $1.5 million per year for violations of the same or similar requirements.
MD Anderson Cancer Center ($4.35M, 2018): MD Anderson — a Texas institution — faced the full weight of OCR enforcement for failure to encrypt despite its own written policies, with an administrative law judge finding willful neglect.
For Texas-specific compliance requirements, see /compliance/hipaa/texas.
Building Your HIPAA Compliance Program in 2026
A defensible HIPAA compliance program is not built in a week before an audit. It is built systematically, documented thoroughly, and reviewed continuously.
Step 1: Conduct a Security Risk Analysis. Under 45 CFR §164.308(a)(1), the risk analysis must be accurate, thorough, and organization-wide. Identify all ePHI, all systems that create or transmit it, all threat scenarios, and current vulnerabilities. Document the methodology, findings, and probability/impact assessments. A risk analysis performed before the NPRM changes take effect should already be scoped to address encryption status, MFA gaps, and network segmentation. Use /hipaa-risk-calculator to structure your assessment.
Step 2: Appoint a Privacy Officer and a Security Officer. These are distinct roles under 45 CFR §164.530(a) and §164.308(a)(2) respectively. The Privacy Officer owns policies, patient rights, and NPP management. The Security Officer owns the risk program, technical controls, and incident response.
Step 3: Build and Train Your Workforce. HIPAA requires training for all workforce members who handle PHI, at hire and whenever policies materially change. Training must be role-appropriate. Document dates, content, and completion — OCR requests training records in virtually every audit. See /checklist/hipaa/mental-health and /checklist/hipaa/dental-practice for role-specific training content.
Step 4: Build and Maintain a BAA Inventory. Every vendor, contractor, or subcontractor that handles PHI on your behalf needs a signed BAA before any PHI is shared. Audit your vendor list annually. BAAs must include the 2013 Omnibus-required elements — legacy BAAs signed before 2013 should be updated.
Step 5: Implement Technical Safeguards. Under current rules: unique user IDs, automatic logoff, audit logs for ePHI access, and encryption (addressable but strongly recommended — under the NPRM it becomes mandatory). Under the coming 2026 rule: add MFA, network segmentation, biannual vulnerability scans, and annual penetration testing.
Step 6: Implement Physical Safeguards. Facility access controls, workstation use policies, device disposal procedures, and screen lock requirements for workstations where ePHI is displayed.
Step 7: Build a Breach Response Plan. Document the internal escalation process, who is responsible for conducting the four-element risk assessment, who authorizes notifications, and how notifications are drafted and sent. Run a tabletop exercise at least annually.
Step 8: Annual Review Cadence. Schedule an annual review of your risk analysis, policies and procedures, BAA inventory, training records, and access control reviews. Organizations that can show a consistent annual review cycle are in a materially stronger position with OCR.
For a comprehensive framework overview, see /frameworks/hipaa.
Common HIPAA Violations and How to Avoid Them
OCR's enforcement record makes clear which violations are most common and most dangerous. The following six violations account for the majority of OCR enforcement actions and corrective action plans.
1. No Risk Analysis Performed — 45 CFR §164.308(a)(1)
The single most frequently cited finding in OCR audits and investigations. Many organizations have never performed a formal, documented risk analysis. Others performed one in 2014 and never updated it. Every new system that touches ePHI, every cloud migration, every new office location, and every workforce expansion should trigger a review. Banner Health's $1.25 million settlement in 2023 turned specifically on an inadequate risk analysis.
2. Insufficient Access Controls — 45 CFR §164.312(a)(1)
Access to ePHI must be limited to workforce members who need it for their job functions. Common failures: former employees retaining active accounts after termination, shared login credentials, no role-based access tiering, and no periodic access reviews.
3. Unencrypted PHI — 45 CFR §164.312(a)(2)(iv) (currently addressable, soon mandatory)
Laptops, USB drives, smartphones, and portable devices continue to be a primary breach vector. OCR has consistently found that failure to encrypt portable devices when there is no documented alternative is equivalent to a required-specification failure. The NPRM will make this mandatory. MD Anderson's $4.35 million CMP was driven entirely by unencrypted devices.
4. Missing or Outdated BAAs — 45 CFR §164.308(b)(1)
BAAs must be signed before PHI is shared with any business associate. Common gaps: new SaaS tools adopted without compliance review, legacy BAAs that predate the 2013 Omnibus Rule requirements, and missing BAAs for IT service providers who have indirect access to ePHI through remote support.
5. Impermissible Disclosures Including Tracking Pixels — 45 CFR §164.502
OCR's December 2022 and March 2024 guidance on online tracking technologies clarified that covered entities embedding third-party tracking scripts (Meta Pixel, Google Analytics) in patient portals or appointment scheduling pages are potentially disclosing PHI without authorization. Audit your website and patient portal for embedded third-party scripts.
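One way to run the website audit the guidance calls for, as an added example (not ComplianceStack's code): a parser that lists every script, image or iframe on a page loaded from a host other than your own portal and tags the ones matching the trackers named above. The tracker hostnames and inline markers are assumptions drawn from those products' public loader snippets, and the page HTML is constructed for the example.

```python
"""Audit a patient-facing page for third-party scripts and pixel beacons (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed loader/beacon hosts for the trackers the OCR guidance names; extend as needed.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel (loader)",
    "www.facebook.com": "Meta Pixel (beacon endpoint)",
    "www.googletagmanager.com": "Google Tag Manager / Analytics",
    "www.google-analytics.com": "Google Analytics",
}
# Inline bootstrap snippets fire before any external src is visible, so scan script bodies too.
INLINE_MARKERS = {"fbq(": "Meta Pixel (inline init)", "gtag(": "Google Analytics (inline init)"}


class ScriptAuditor(HTMLParser):
    """Collects third-party resource loads; first-party and relative URLs are ignored."""

    def __init__(self, first_party_host: str):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []
        self._in_script = False
        self._script_body = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self._record("script src", a["src"])
            else:
                self._in_script = True          # inline body arrives via handle_data
        elif tag in ("img", "iframe") and a.get("src"):
            self._record(f"{tag} src", a["src"])  # 1x1 pixel images and embeds

    def handle_data(self, data):
        if self._in_script:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_body)
            self._script_body = []
            for marker, name in INLINE_MARKERS.items():
                if marker in body:
                    self.findings.append({"where": "inline script", "url": None,
                                          "host": None, "tracker": name})

    def _is_first_party(self, host: str) -> bool:
        return host == self.first_party_host or host.endswith("." + self.first_party_host)

    def _record(self, where: str, url: str):
        host = urlparse(url).hostname       # None for relative paths such as /static/app.js
        if host is None or self._is_first_party(host.lower()):
            return
        host = host.lower()
        self.findings.append({"where": where, "url": url, "host": host,
                              "tracker": KNOWN_TRACKER_HOSTS.get(host, "unknown third party")})


def audit_html(html: str, first_party_host: str) -> list:
    auditor = ScriptAuditor(first_party_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed appointment-scheduling page; the pixel/tag IDs are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/static/scheduler.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  !function(f,b,e,v,n,t,s){ /* loader */ }(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView"/></noscript>
<img src="https://portal.example-clinic.org/img/logo.png">
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "portal.example-clinic.org"):
        print(f"{f['where']:14} {f['tracker']:32} {f['url'] or ''}")
```

Run it against the saved HTML of each patient portal and scheduling page; any "unknown third party" hit needs a BAA or removal, and any named tracker is a disclosure to review.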
6. Failure to Honor Patient Access Rights — 45 CFR §164.524
Patients have the right to access their PHI within 30 days (one 30-day extension permitted with written notice). OCR has made patient access a stated enforcement priority since 2019 and has resolved multiple enforcement actions specifically on access right failures — including fines as low as $3,500 for single-patient violations against small practices.
HIPAA FAQs for 2026
Does HIPAA apply to employers?
Generally, no — with important exceptions. HIPAA does not apply to employers in their role as employers, even when they receive employees' health information in connection with leave requests or accommodation processes. However, if an employer sponsors a group health plan, the health plan itself is a HIPAA covered entity and must comply with the Privacy and Security Rules.
What is the difference between a covered entity and a business associate?
A covered entity directly provides or pays for healthcare — hospitals, physician practices, health insurers, healthcare clearinghouses. A business associate performs a function or activity involving PHI on behalf of a covered entity — billing companies, EHR vendors, IT support firms, attorneys, accountants. Since the 2013 Omnibus Rule, both are directly liable under HIPAA. Subcontractors of business associates who handle PHI are also business associates and carry direct liability.
Are healthcare apps covered by HIPAA?
It depends entirely on the relationship. A healthcare app contracted with a covered entity to provide services involving PHI is a business associate and must comply with HIPAA. A consumer wellness app that collects health data directly from users, without any covered entity relationship, is generally not subject to HIPAA. OCR's guidance recommends analyzing whether the app creates, receives, maintains, or transmits PHI in the performance of a function for a covered entity.
What triggers a HIPAA breach notification?
A breach is triggered by an impermissible use or disclosure of unsecured PHI. The 60-day notification clock starts on the date of discovery — when the covered entity knew or should have known of the breach. Small breaches (under 500 individuals) must still be logged and reported to HHS by March 1 of the following year.
How long do patients have to request access to records?
There is no time limit for a patient to request access to their PHI — the right is ongoing. The covered entity must respond within 30 days of receiving the request (one 30-day extension is allowed with written notice). OCR has proposed reducing this to 15 days; watch for the final rule. For a free assessment of your patient access process, see /hipaa-risk-calculator.
See Where Your HIPAA Program Has Gaps
Our free HIPAA Risk Calculator walks through the Security Rule, Privacy Rule, and Breach Notification Rule in under five minutes. No signup required. Get a prioritized gap report you can act on today.
Take the Free HIPAA Risk Assessment →