Compliance & Regulations

What Is HIPAA Compliance?

HIPAA Compliance refers to adherence with the Health Insurance Portability and Accountability Act and its three core rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

Compliance requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI), while also providing individuals with rights over their health information and notifying them of breaches.

How Does HIPAA Compliance Work?

HIPAA compliance operates through a framework that establishes who must comply, what rules govern their conduct, and how they must document their compliance efforts.

Who Must Comply with HIPAA?

HIPAA compliance requirements apply to two categories of organizations: covered entities and business associates.

Covered entities include healthcare providers such as doctors, hospitals, and clinics that transmit health information electronically in connection with standard transactions; health plans, including insurance companies and managed care organizations; and healthcare clearinghouses, which convert nonstandard health information into standard formats (or the reverse), according to HHS Office for Civil Rights guidance on covered entities from 2024.

Business associates are organizations that create, receive, maintain, or transmit PHI on behalf of covered entities under written Business Associate Agreements. These include billing and claims processing companies, IT service providers, and cloud storage providers. Business associates are directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them, and any subcontractors they engage to handle PHI become business associates as well, according to HHS Office for Civil Rights business associates guidance from 2024.

The Three Core HIPAA Rules

The Privacy Rule establishes national standards for safeguarding individuals' medical records and other personal health information. It applies to covered entities and business associates, defining permitted uses and disclosures of PHI while granting individuals rights to access, amend, and receive accounting of disclosures of their PHI. The rule allows de-identification of information under Safe Harbor or Expert Determination methods.

The Security Rule specifically addresses protection of electronic protected health information (ePHI). Organizations must implement administrative, physical, and technical safeguards to protect ePHI that they create, receive, maintain, or transmit. The rule mandates risk analysis and security incident response procedures, and includes implementation specifications for encryption, access control, and audit controls, according to HIPAA Journal's documentation on the seven HIPAA compliance rules from 2024.

The Breach Notification Rule requires notification following discovery of a breach of unsecured PHI. Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery. Breaches affecting more than 500 residents of a state or jurisdiction also require notice to prominent media outlets, and every breach must be reported to HHS: within 60 days of discovery for breaches affecting 500 or more individuals, and annually (within 60 days after the end of the calendar year) for smaller breaches.

Business Associate Agreements

When covered entities engage business associates to perform functions involving PHI, they must execute written Business Associate Agreements that establish what services the business associate will provide and require compliance with Privacy and Security Rules. These agreements must define permitted uses and disclosures, address data breach notification responsibilities, include safeguard and security standards, and define subcontractor requirements according to Holland & Hart LLP guidance on business associate checklists from 2024.

Documentation Requirements for HIPAA Compliance

Covered entities and business associates must maintain and provide upon request comprehensive documentation demonstrating compliance. Required documentation includes organizational charts showing HIPAA Privacy and Security Officer roles, documented policies and procedures for Privacy Rule, Security Rule, and Breach Notification Rule compliance, privacy practices notices and authorization form templates, and documented policy reviews, approvals, version histories, and workforce acknowledgments.

Organizations must also maintain minimum necessary procedures and disclosure logs, Business Associate Agreements and vendor due diligence records, security risk analyses and risk management plans, workforce training materials, rosters, and completion records, and system logs and audit trails showing control operation according to HHS Office for Civil Rights audit protocol documentation from 2018, updated in 2024.

How Does HIPAA Compliance Differ Across the Three Core Rules?

The three core HIPAA rules address different aspects of health information protection, as shown in the following comparison:

Scope
  Privacy Rule: all PHI in any form (electronic, paper, or oral).
  Security Rule: electronic PHI (ePHI) only.
  Breach Notification Rule: breaches of unsecured PHI in any form.

Focus
  Privacy Rule: permitted uses and disclosures.
  Security Rule: protection mechanisms (safeguards).
  Breach Notification Rule: post-breach obligations.

Primary Requirement
  Privacy Rule: prevent improper use or disclosure.
  Security Rule: implement administrative, physical, and technical safeguards.
  Breach Notification Rule: notify affected individuals, HHS, and where applicable the media.

Individual Rights
  Privacy Rule: access, amendment, and accounting of disclosures.
  Security Rule: none granted directly; individuals benefit from the required safeguards.
  Breach Notification Rule: the right to be notified of breaches of their unsecured PHI.

Enforcement
  Privacy Rule: OCR complaint investigations and compliance reviews.
  Security Rule: OCR complaint investigations and compliance reviews.
  Breach Notification Rule: OCR, plus civil actions by state attorneys general under HITECH.

Penalties
  All three rules: tiered civil monetary penalties based on culpability, with a statutory range of $100 to $50,000 per violation and an annual cap of $1.5 million per identical provision, adjusted annually for inflation.

Source: HHS Office for Civil Rights, Summary of the HIPAA Privacy Rule and Security Rule, 2024

The Privacy Rule governs all uses and disclosures of PHI in any form, whether electronic, paper, or oral. The Security Rule specifically protects electronic PHI through required administrative, physical, and technical safeguards. The Breach Notification Rule establishes post-breach obligations that apply when unsecured PHI is accessed, used, or disclosed in violation of the Privacy Rule.

Why Does HIPAA Compliance Matter?

HIPAA compliance has become increasingly important as enforcement activity escalates and regulatory requirements evolve to address modern cybersecurity threats.

Enforcement Activity and Regulatory Scrutiny

Twenty-two HIPAA enforcement actions resulted in settlements or civil monetary penalties in 2024, making it one of the most active enforcement years to date according to HIPAA Journal's analysis of new HIPAA regulations from 2025. This represents a marked increase in regulatory scrutiny compared to previous years.

Covered entities across the health sector and the many business associates that serve them currently operate under these compliance requirements. The HHS Office for Civil Rights released a Security Rule proposed rule in December 2024 (published in the Federal Register in January 2025), with a comment period that closed March 7, 2025; HHS's regulatory agenda targets May 2026 for a final rule.

Proposed 2025 Regulatory Changes

The Notice of Proposed Rulemaking (NPRM), released in December 2024 and published in the Federal Register in January 2025, proposes significant new obligations for covered entities and business associates. The proposed changes include elimination of the distinction between "required" and "addressable" implementation specifications, making virtually all safeguards mandatory with limited exceptions, according to Federal Register documentation from January 2025.

The NPRM also introduces mandatory annual compliance audits, written verification requirements from business associates regarding technical safeguards, and enhanced documentation and testing requirements. These changes represent the most significant update to HIPAA compliance requirements since the original implementation of the Security Rule.

Business Associate Verification Requirements

Under the proposed rule, covered entities would be required to obtain from each business associate, at least once every 12 months, written verification that the business associate has deployed the required technical safeguards, such as encryption, access controls, and audit logging: a written analysis of the business associate's systems by a subject matter expert and a written certification that the analysis is accurate. Business associates would have to obtain the same verification from their subcontractors. This adds a recurring verification duty on top of the existing Business Associate Agreement, creating additional compliance burden, according to Buchalter analysis of significant new HIPAA obligations from 2025.

Financial Impact of Compliance

Implementation of administrative, physical, and technical safeguards requires significant ongoing investment. The proposed 2025 changes are estimated to create first-year implementation costs of $9 billion industry-wide for Security Rule updates alone, with broader HIPAA compliance costs extending beyond this figure according to Federal Register cost estimates from January 2025.

These financial impacts affect healthcare organizations of all sizes, though smaller providers and rural healthcare systems may face disproportionate challenges due to resource constraints.

What Are the Limitations of HIPAA Compliance?

HIPAA compliance faces several challenges in addressing modern cybersecurity threats and implementation realities across the healthcare sector.

Scope Gap Between Privacy and Security Rules

The Privacy Rule applies to all PHI in any form including electronic, paper, and oral, while the Security Rule only applies to electronic PHI. This distinction creates compliance complexity for organizations managing both electronic and non-electronic forms of protected health information, requiring different control frameworks for different data forms.

Addressable Specification Interpretation

The current distinction between "required" and "addressable" specifications allows flexibility but has led to inconsistent security postures across the healthcare industry. Organizations frequently implement addressable items minimally, resulting in significant variation in security capabilities, according to HIPAA Journal analysis of HIPAA updates and changes from 2025. The proposed 2025 changes aim to address this weakness by making virtually all controls mandatory.

Legacy System Burden

Many healthcare organizations use legacy systems that are difficult to upgrade for compliance with modern security requirements. These systems may not support current encryption standards, access control mechanisms, or audit logging capabilities required under the Security Rule. Upgrading or replacing these systems requires significant capital investment and operational disruption according to RubinBrown analysis of HIPAA Security Rule changes from 2025.

Subcontractor Risk and Liability

Business associates are directly liable for their own HIPAA violations, and a business associate that engages a subcontractor to handle PHI must put a Business Associate Agreement in place with that subcontractor. A covered entity is not automatically liable for a business associate's violations, but it can be held liable where the business associate acts as its agent, or where it knew of a pattern of noncompliance and failed to take reasonable steps to cure the breach or terminate the arrangement. Because the covered entity has no direct contract with the subcontractors further down the chain, this creates cascading risk that organizations struggle to manage through contractual mechanisms alone.

Cost Barriers for Smaller Organizations

The significant implementation costs for HIPAA compliance create barriers for smaller healthcare providers and rural healthcare systems that lack the financial resources of larger health systems. This cost disparity creates equity concerns across the healthcare delivery ecosystem, potentially limiting access to care in underserved areas where providers cannot afford comprehensive compliance programs.

Evolving Regulatory Standards

The proposed 2025 changes would require significant system and procedural modifications for organizations that have built compliance programs around the current framework. The elimination of the "addressable" versus "required" distinction, mandatory annual audits, and business associate verification requirements represent fundamental shifts in compliance obligations, according to Federal Register documentation from January 2025.

How Does HIPAA Compliance Relate to Regulatory Requirements?

HIPAA compliance operates within a comprehensive regulatory framework with specific enforcement mechanisms and regulatory standards.

Statutory and Regulatory Framework

The statutory authority for HIPAA compliance derives from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The regulatory code implementing these requirements appears in 45 CFR Parts 160 and 164, with enforcement authority vested in the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).

Under the HITECH Act, state attorneys general may bring civil actions in federal court on behalf of state residents for HIPAA violations, including breach notification failures, so non-compliant organizations face both federal and state-level enforcement.

Key Regulatory Standards

Organizations must comply with several specific regulatory requirements codified in the Code of Federal Regulations:

45 CFR §164.308: Administrative safeguards standards governing security management processes, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and business associate contracts.

45 CFR §164.310: Physical safeguards standards covering facility access controls, workstation use and security, and device and media controls including disposal, media reuse, accountability, and data backup/storage.

45 CFR §164.312: Technical safeguards standards including access control, audit controls, integrity controls, person or entity authentication, and transmission security for ePHI transmitted over electronic communications networks.

45 CFR §164.314: Organizational requirements establishing standards for business associate contracts and other arrangements, including requirements for group health plans.

45 CFR §164.316: Policies and procedures and documentation requirements for all aspects of the security program, including time limits for retention of documentation (six years from date of creation or last effective date, whichever is later).

Breach Notification Requirements

The Breach Notification Rule establishes specific timelines and procedures following discovery of a breach of unsecured PHI. Covered entities must provide notice to affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Individual notice must include a description of what happened, including the date of the breach and the date of discovery if known; a description of the types of unsecured PHI involved; steps individuals should take to protect themselves; what the covered entity is doing to investigate, mitigate harm, and prevent recurrence; and contact procedures for questions, according to HHS Office for Civil Rights regulatory initiatives guidance from 2024.

Media notification is required for breaches affecting more than 500 residents of a state or jurisdiction. All breaches must be reported to HHS: breaches affecting 500 or more individuals within 60 days of discovery, and smaller breaches within 60 days after the end of the calendar year in which they were discovered. Business associates must notify the covered entity of breaches without unreasonable delay and no later than 60 days from discovery.

Proposed Rule Changes for 2025

The Notice of Proposed Rulemaking released in December 2024 and published in the Federal Register in January 2025 proposes significant changes to HIPAA compliance requirements. The proposed changes include elimination of the "addressable" versus "required" specification distinction, mandatory annual compliance audits for all covered entities and business associates, written verification requirements from business associates regarding deployment of technical safeguards, and enhanced documentation and testing requirements for all security controls, according to Federal Register documentation on the HIPAA Security Rule NPRM from January 2025.

If finalized as proposed (HHS's regulatory agenda targets May 2026), these changes would represent the most significant expansion of HIPAA compliance obligations since the Security Rule was first published in 2003.

FAQs

What is the difference between a covered entity and a business associate?

A covered entity is a healthcare provider, health plan, or clearinghouse that directly handles PHI in the course of its operations. Healthcare providers include doctors, hospitals, and clinics that transmit PHI electronically. A business associate is an organization that handles PHI on behalf of or under contract with a covered entity to perform functions or services involving PHI. Both must comply with HIPAA Privacy and Security Rules, but the relationship is defined and governed by a Business Associate Agreement.

Does my organization need HIPAA compliance if we use cloud storage for patient records?

If you are a covered entity or business associate (any organization handling PHI for a covered entity), yes. Cloud storage providers handling ePHI are business associates and must comply with the Security Rule. The covered entity must execute a Business Associate Agreement with the cloud provider that establishes compliance obligations and safeguard requirements. Both parties maintain compliance responsibilities under this arrangement.

What happens if there is a HIPAA breach?

Organizations must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, notify HHS (within 60 days of discovery for breaches affecting 500 or more individuals, and within 60 days after the end of the calendar year for smaller breaches), notify prominent media outlets for breaches affecting more than 500 residents of a state or jurisdiction, and cooperate with OCR investigations. Civil monetary penalties are tiered by culpability, with a statutory range of $100 to $50,000 per violation and an annual cap of $1.5 million per identical provision, adjusted for inflation. The Office for Civil Rights may also require corrective action plans and ongoing monitoring of compliance efforts.

What are the most critical documentation requirements for HIPAA compliance?

Critical documentation includes written security risk assessments conducted according to 45 CFR §164.308(a)(1), policies and procedures for all three rules (Privacy, Security, and Breach Notification), Business Associate Agreements with all entities handling PHI, workforce training records showing completion of security awareness training, audit logs demonstrating operation of security controls, incident response documentation for all security incidents and responses, and evidence of regular policy reviews and updates.

How are the Privacy Rule and Security Rule different?

The Privacy Rule governs all uses and disclosures of PHI in any form (electronic, paper, or oral) and grants individual rights including access, amendment, and accounting of disclosures. The Security Rule specifically protects electronic PHI (ePHI) through required safeguards categorized as administrative, physical, and technical. The Privacy Rule focuses on what organizations can do with PHI, while the Security Rule focuses on how organizations must protect ePHI. Both apply to covered entities and business associates.

© 2026 Kinds Security Inc. All rights reserved.