HIPAA 101: What It Is, Who It Applies To, and How to Stay Compliant


Kevin Henry

HIPAA

July 11, 2025

6 minute read

Overview of HIPAA

HIPAA, the Health Insurance Portability and Accountability Act, sets national standards for safeguarding Protected Health Information (PHI). It governs how health data is created, used, disclosed, and protected across clinical, administrative, and digital workflows.

The law’s core aim is to preserve the confidentiality, integrity, and availability of health information while enabling care delivery and payment. The Department of Health and Human Services (HHS), through its Office for Civil Rights, issues rules and enforces compliance across the healthcare ecosystem.

PHI includes any individually identifiable health information in any form—paper, verbal, or electronic (ePHI)—that relates to a person’s health status, care, or payment. HIPAA balances patient rights with operational needs so you can use data responsibly without compromising privacy.

Covered Entities and Business Associates

Covered entities

Covered entities include health plans, most healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses. If you diagnose, treat, pay for, or process health information tied to individuals, you likely fall within HIPAA’s scope.

Business associates and BAAs

Business associates are vendors or partners that create, receive, maintain, or transmit PHI for a covered entity. Examples include IT service providers, billing companies, cloud hosts, and analytics firms. You must execute Business Associate Agreements (BAAs) that require appropriate safeguards, specify breach reporting duties, and flow down obligations to subcontractors.

Privacy Rule Standards

Core principles

The Privacy Rule governs when PHI may be used or disclosed and grants individuals key rights. You may use or disclose PHI without authorization for treatment, payment, and healthcare operations, and for certain public interest purposes as permitted by law.

Minimum necessary and role-based access

You must limit uses, disclosures, and requests to the minimum necessary to achieve the purpose and define role-based access so workforce members see only what they need. Policies should document how you apply this standard in daily operations.

Individual rights and transparency

Individuals have rights to access and obtain copies of their PHI, request amendments, receive an accounting of certain disclosures, request restrictions or confidential communications, and receive a clear Notice of Privacy Practices. Honor these requests within required timeframes and keep thorough records.

De-identification and authorizations

Where feasible, de-identify data to remove direct identifiers and reduce privacy risk. For marketing, most research not otherwise permitted, or the sale of PHI, obtain a valid, written authorization that plainly states the purpose and scope.
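As an added illustration of the de-identification step above (example code written for this article, not a tool from the author or from Accountable), the following Python snippet strips direct identifiers from a constructed sample record, generalizes dates, ZIP codes and extreme ages, redacts identifier values that leaked into free text, and runs a release gate that refuses any record still carrying identifier fields or SSN- or phone-shaped strings. The field classification and the "first three ZIP digits" rule are simplifications assumed for the example; the Privacy Rule's Safe Harbor method defines the full list of identifier categories and the extra handling for sparsely populated ZIP areas.

```python
import copy
import re

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "phone": "555-0100",
    "email": "jane.sample@example.com",
    "zip": "90210",
    "dob": "1950-03-14",
    "admit_date": "2025-02-02",
    "age": 95,
    "diagnosis": "Type 2 diabetes",
    "a1c": 7.4,
    "notes": "Patient Jane Q. Sample reports good adherence; call 555-0100 to confirm.",
}

# Field classification is an assumption for this example; the Privacy Rule's
# Safe Harbor method defines the full list of identifier categories to remove.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email"}
DATE_FIELDS = {"dob", "admit_date"}

# Patterns that indicate an identifier survived somewhere in the record.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}-\d{4}\b")


def generalize_zip(zip_code):
    """Keep the first three digits only. Safe Harbor additionally requires
    further generalization for sparsely populated three-digit areas; that
    lookup is omitted in this simplified example."""
    return zip_code[:3] + "00"


def generalize_date(iso_date):
    """Dates directly related to an individual are identifiers; the year alone is not."""
    return iso_date[:4]


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else age


def scrub_free_text(text, record):
    """Redact any direct-identifier value that appears verbatim in free text."""
    for field in sorted(DIRECT_IDENTIFIERS):
        value = record.get(field)
        if value:
            text = text.replace(value, f"[{field.upper()} REDACTED]")
    return text


def deidentify(record):
    """Return a copy of `record` with identifiers removed and quasi-identifiers generalized."""
    out = copy.deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        out.pop(field, None)
    for field in DATE_FIELDS:
        if field in out:
            out[field] = generalize_date(out[field])
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    if "age" in out:
        out["age"] = generalize_age(out["age"])
    if "notes" in out:
        out["notes"] = scrub_free_text(out["notes"], record)
    return out


def has_residual_identifiers(record):
    """Release gate: identifier fields gone and no SSN- or phone-shaped strings left anywhere."""
    if any(field in record for field in DIRECT_IDENTIFIERS):
        return True
    text = " ".join(str(v) for v in record.values())
    return bool(SSN_RE.search(text) or PHONE_RE.search(text))


if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("safe to release:", not has_residual_identifiers(clean))
```

The free-text scrub is the part teams most often forget: the structured fields are easy to drop, but clinical notes routinely repeat the patient's name or phone number, so a release gate should scan every value, not just the named columns.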

Security Rule Safeguards

The Security Rule applies to ePHI and uses a risk-based approach. You must conduct a Risk Assessment, implement reasonable and appropriate protections, and review controls as systems and threats evolve.

Administrative Safeguards

  • Perform and document risk analysis and risk management.
  • Assign security responsibility and implement workforce training and sanctions.
  • Develop policies, procedures, contingency and incident response plans, and periodic evaluations.

Physical Safeguards

  • Control facility access, visitor management, and environmental protections.
  • Define workstation use and security, including screen positioning and session timeouts.
  • Manage device and media controls for movement, reuse, disposal, and data destruction.

Technical Safeguards

  • Implement unique user IDs, strong authentication, and role-based access controls.
  • Enable audit logs and integrity controls to detect unauthorized alteration.
  • Use transmission security (e.g., TLS) and encrypt ePHI at rest and in transit when reasonable and appropriate.

Together, Administrative Safeguards, Physical Safeguards, and Technical Safeguards form a cohesive defense-in-depth strategy for ePHI.
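The following Python example, added here to make the Technical Safeguards and the earlier minimum-necessary standard concrete (it is illustrative code written for this article, not from the author, Accountable, or any HIPAA guidance), shows how three of the controls fit together in one access path: a keyed SHA-256 digest detects unauthorized alteration of an ePHI record, a per-role field list enforces minimum necessary so each workforce role sees only what its job requires, and every access attempt, allowed or denied, lands in an audit log keyed by a unique user ID. The sample record, the role definitions and the integrity key are all constructed for the example; in production the key would come from a key manager and the log would be an append-only, separately protected store.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample ePHI record; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Sample Patient",
    "insurance_id": "INS-778",
    "diagnosis": "Hypertension",
    "medications": ["lisinopril 10 mg"],
    "allergies": ["penicillin"],
    "procedure_codes": ["99213"],
}

# Minimum-necessary views per role: each role sees only the fields its job needs.
# These role definitions are an assumption for this example.
ROLE_VIEWS = {
    "clinician": {"patient_id", "name", "diagnosis", "medications", "allergies"},
    "billing": {"patient_id", "name", "insurance_id", "procedure_codes"},
    "researcher": {"diagnosis", "medications"},  # no direct identifiers
}

# Example-only integrity key; in practice this is held in a key manager and rotated.
INTEGRITY_KEY = b"example-only-integrity-key"

AUDIT_LOG = []  # in practice an append-only, separately protected store


def record_digest(record):
    """Keyed SHA-256 over a canonical serialization; used to detect unauthorized alteration."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def _audit(user_id, role, patient_id, purpose, outcome, fields):
    """Append one audit entry; every attempt is recorded, successful or not."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,  # unique user ID, never a shared account
        "role": role,
        "patient_id": patient_id,
        "purpose": purpose,
        "outcome": outcome,
        "fields": sorted(fields),
    })


def access_phi(user_id, role, record, stored_digest, purpose):
    """Return the minimum-necessary view of `record` for `role` after an integrity check."""
    patient_id = record.get("patient_id", "unknown")
    # Integrity control: refuse to serve a record whose digest no longer matches.
    if not hmac.compare_digest(record_digest(record), stored_digest):
        _audit(user_id, role, patient_id, purpose, "denied:integrity-failure", [])
        raise ValueError("record failed integrity check; possible unauthorized alteration")
    # Role-based access control: roles without a defined view get nothing.
    allowed = ROLE_VIEWS.get(role)
    if allowed is None:
        _audit(user_id, role, patient_id, purpose, "denied:unknown-role", [])
        raise PermissionError(f"role {role!r} has no defined access to PHI")
    # Minimum necessary: filter to the role's field list rather than returning the whole record.
    view = {k: v for k, v in record.items() if k in allowed}
    _audit(user_id, role, patient_id, purpose, "allowed", view.keys())
    return view


def audit_entries_for(patient_id):
    """Support an accounting of disclosures: every logged access for one patient."""
    return [e for e in AUDIT_LOG if e["patient_id"] == patient_id]


if __name__ == "__main__":
    digest = record_digest(SAMPLE_RECORD)
    print(access_phi("dr.lee", "clinician", SAMPLE_RECORD, digest, "treatment"))
    print(access_phi("analyst7", "researcher", SAMPLE_RECORD, digest, "research"))
    print(json.dumps(audit_entries_for("P-0001"), indent=2))
```

Two design points worth noting: denied attempts are logged with the same detail as successful ones, because repeated denials are exactly the signal a reviewer scanning audit logs is looking for, and the digest is keyed rather than a plain hash so that an attacker who can rewrite the record cannot simply recompute the checksum to match.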

Breach Notification Requirements

A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. If one occurs, you must promptly perform a documented risk assessment considering the nature of the PHI, who received it, whether it was actually viewed or acquired, and the extent of mitigation.

If notification is required, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For incidents affecting 500 or more residents of a state or jurisdiction, notify prominent media as well. Report breaches to HHS; larger breaches require contemporaneous reporting, while smaller ones can be logged and submitted annually.

Business associates must notify the covered entity of breaches they discover, supplying details needed for individual notices. Strong encryption provides a safe harbor for “secured” PHI, reducing notification obligations when properly implemented.

Omnibus Rule Updates

The Omnibus Rule strengthened privacy and security protections and aligned HIPAA with HITECH updates. It expanded direct liability for business associates and their subcontractors, updated BAAs and Notices of Privacy Practices, and heightened penalties for noncompliance.

The rule also established a presumption of breach unless you can demonstrate a low probability of compromise via risk assessment, tightened limits on marketing and sale of PHI, and enhanced patient rights, including the ability to restrict disclosures to health plans when they pay out-of-pocket in full.

HIPAA Compliance Best Practices

  • Appoint privacy and security officers with authority to enforce policies.
  • Perform a comprehensive Risk Assessment at least annually and after major changes.
  • Maintain current policies and procedures mapped to Privacy and Security Rule standards.
  • Implement layered safeguards: Administrative, Physical, and Technical controls calibrated to your risks.
  • Inventory vendors, execute robust BAAs, and verify subcontractor compliance.
  • Deliver role-based training, reinforce minimum necessary, and test incident response plans.
  • Monitor systems continuously, review audit logs, and remediate findings with documented timelines.
  • Encrypt ePHI, manage access lifecycles, patch promptly, and validate secure configurations.
  • Operationalize patient rights workflows and maintain complete documentation for regulators.

Conclusion

HIPAA 101 comes down to knowing whether it applies to you, understanding how PHI may be used and protected, and building a living compliance program. With clear policies, risk-driven safeguards, strong BAAs, and disciplined monitoring, you can protect individuals’ privacy and meet regulatory expectations with confidence.

FAQs

What types of organizations must comply with HIPAA?

Health plans, most healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses are covered entities. Vendors that create, receive, maintain, or transmit PHI for them are business associates and must comply through BAAs and direct obligations.

How does the Security Rule protect electronic health information?

It requires a risk-based framework and implementation of Administrative, Physical, and Technical Safeguards. Controls such as access management, audit logging, integrity checks, encryption, and contingency planning work together to preserve ePHI confidentiality, integrity, and availability.

What are the consequences of a HIPAA breach?

Consequences can include mandatory notifications, corrective action plans, civil monetary penalties, reputational damage, operational disruption, and potential contractual liability. If PHI was properly encrypted, you may benefit from safe-harbor provisions that limit notification obligations.

How can organizations ensure ongoing HIPAA compliance?

Embed compliance into daily operations: perform regular Risk Assessments, refresh policies, train the workforce, test incident response, monitor controls, maintain BAAs, and document everything. Treat HIPAA as a continuous improvement program, not a one-time project.
