HIPAA Compliance Standards Explained: Key Requirements, Rules, and Checklist
HIPAA compliance standards set the baseline for how you collect, use, disclose, and protect Protected Health Information (PHI). This guide explains the key requirements and rules—plus a practical checklist—so you can align policies, technology, and workforce practices with the law and reduce risk.
HIPAA Privacy Rule Provisions
Scope and permitted uses
The Privacy Rule governs all forms of PHI—paper, oral, and electronic (ePHI)—held by covered entities and their business associates. You may use or disclose PHI for treatment, payment, and healthcare operations, and as otherwise required or permitted by law. For all other purposes, you need a valid patient authorization.
The minimum necessary standard
When using or disclosing PHI, or when requesting it, you must limit the information to the minimum necessary to accomplish the intended purpose. Role-based access and documented criteria help operationalize this requirement.
Individual rights
Patients have rights to: access and obtain copies of their PHI (generally within 30 days, with one allowable 30‑day extension), request amendments, receive an accounting of disclosures, request restrictions, opt for confidential communications, and receive a Notice of Privacy Practices describing how PHI is used and shared.
Authorizations and special limitations
Uses such as marketing, sale of PHI, and most disclosures of psychotherapy notes generally require written authorization. De-identified data—created using accepted methods—is not PHI and is outside the Privacy Rule’s scope.
HIPAA Security Rule Safeguards
The Security Rule protects ePHI through Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Your program must be risk-based and scalable to your size and complexity.
Administrative Safeguards
- Security Management Process: perform risk analysis, apply risk management, enforce a sanction policy, and review information system activity.
- Assign security responsibility and define workforce security, information access management, and ongoing security awareness and training.
- Establish security incident procedures and a contingency plan (backup, disaster recovery, emergency mode operations, testing, and criticality analysis).
- Conduct periodic evaluations and execute a Business Associate Agreement (BAA) with each business associate handling ePHI.
Physical Safeguards
- Facility access controls to limit physical entry to systems and locations where ePHI resides.
- Workstation use and workstation security standards for fixed and mobile endpoints.
- Device and media controls for disposal, media re-use, accountability, and data backup/storage.
Technical Safeguards
- Access controls (unique user IDs, emergency access, automatic logoff, encryption/decryption).
- Audit controls to record and examine activity in systems containing ePHI.
- Integrity controls to guard against improper alteration or destruction of ePHI.
- Person or entity authentication to verify users and devices.
- Transmission security to protect ePHI in transit (e.g., encryption and integrity checks).
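The minimum necessary standard and the Technical Safeguards above are usually described as policy, but several of them can be enforced directly in the software that serves ePHI. The following is an added example, not code from the article or from any vendor, showing one way to express role-based "minimum necessary" field filtering, unique user IDs, an emergency-access path that is granted but flagged, automatic logoff after idle time, and a hash-chained audit log whose integrity can be verified. The roles, field names, patient record, idle timeout, and user IDs are all constructed for the demonstration.

```python
"""Added example (not from the article): a minimal ePHI access layer that turns
minimum necessary, access control, automatic logoff, emergency access and
audit/integrity controls into enforceable code. All data below is constructed."""
import hashlib
import json
import time

# Minimum necessary: each role sees only the PHI fields its job requires (assumed mapping).
ROLE_FIELDS = {
    "billing": {"patient_id", "name", "insurance_id", "procedure_codes"},
    "clinician": {"patient_id", "name", "dob", "diagnosis", "medications"},
    "scheduler": {"patient_id", "name"},
}
IDLE_TIMEOUT_SECONDS = 15 * 60  # automatic-logoff threshold; an assumed policy value

# Constructed sample record; not real PHI.
RECORDS = {
    "p-001": {"patient_id": "p-001", "name": "Pat Example", "dob": "1980-01-01",
              "diagnosis": "J06.9", "medications": ["none"], "insurance_id": "INS-0001",
              "procedure_codes": ["99213"]},
}


class AuditLog:
    """Append-only log whose entries are hash-chained: altering or dropping an
    earlier entry breaks every later hash, so tampering is detectable (audit +
    integrity controls)."""

    def __init__(self):
        self.entries = []

    def record(self, **event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})

    def verify(self):
        """Recompute the chain from the start; False if any entry was changed."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Session:
    """One authenticated session tied to a unique user ID and a role."""

    def __init__(self, user_id, role, now):
        self.user_id, self.role, self.last_activity = user_id, role, now


class PhiStore:
    def __init__(self, records, audit, clock=time.time):
        self.records, self.audit, self.clock = records, audit, clock

    def read(self, session, patient_id, fields, emergency=False):
        now = self.clock()
        base = dict(user=session.user_id, patient=patient_id, action="read", fields=sorted(fields))
        # Automatic logoff: an idle session is rejected, and the rejection is logged.
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            self.audit.record(**base, outcome="denied", reason="idle timeout")
            raise PermissionError("session expired; re-authenticate")
        session.last_activity = now
        allowed = set(ROLE_FIELDS.get(session.role, ()))
        if emergency:
            # Emergency access procedure: serve the request, but flag it for review.
            allowed = set().union(*ROLE_FIELDS.values())
        denied = set(fields) - allowed
        if denied:
            self.audit.record(**base, outcome="denied", reason=f"exceeds minimum necessary: {sorted(denied)}")
            raise PermissionError(f"role {session.role!r} may not read {sorted(denied)}")
        self.audit.record(**base, outcome="granted", emergency=emergency)
        rec = self.records[patient_id]
        return {f: rec[f] for f in fields}


def demo():
    """Walk through the controls with a controllable clock and return the outcomes."""
    audit = AuditLog()
    clock = [1_000_000.0]
    store = PhiStore(RECORDS, audit, clock=lambda: clock[0])
    billing = Session("u-billing-01", "billing", clock[0])
    out = {"billing_ok": store.read(billing, "p-001", ["name", "insurance_id"])}
    try:
        store.read(billing, "p-001", ["diagnosis"])
        out["billing_diag"] = "granted"
    except PermissionError:
        out["billing_diag"] = "denied"
    out["break_glass"] = store.read(billing, "p-001", ["diagnosis"], emergency=True)
    clock[0] += IDLE_TIMEOUT_SECONDS + 1  # advance past the idle threshold
    try:
        store.read(billing, "p-001", ["name"])
        out["after_idle"] = "granted"
    except PermissionError:
        out["after_idle"] = "denied"
    out["chain_ok"] = audit.verify()
    audit.entries[1]["event"]["outcome"] = "granted"  # simulate someone editing the log
    out["chain_after_tamper"] = audit.verify()
    out["audit_entries"] = len(audit.entries)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting: denials are logged as well as grants, because the "review information system activity" requirement is only satisfiable if the log shows attempted over-reach; and the emergency path does not bypass the audit log, it annotates the entry so that break-glass reads can be reviewed afterwards. In production the chain head would be anchored somewhere the application cannot rewrite (a separate log service or write-once storage).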
HIPAA Breach Notification Requirements
What constitutes a breach
A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. A breach is presumed unless a documented risk assessment shows a low probability of compromise, considering the PHI’s nature, the unauthorized recipient, whether it was actually viewed/acquired, and mitigation actions. Limited exceptions apply (e.g., certain good-faith or intra-organization disclosures and situations where PHI could not be retained).
Breach notification timeline and process
- Individuals: notify without unreasonable delay and no later than 60 calendar days after discovery, using first-class mail or agreed-upon electronic notice; provide substitute notice when contact information is insufficient.
- Department of Health and Human Services: for breaches affecting 500 or more individuals, notify without unreasonable delay and within 60 days; for fewer than 500, log and report to HHS within 60 days after the end of the calendar year.
- Media: if 500 or more individuals in a state or jurisdiction are affected, notify prominent media outlets.
- Business associates: notify the covered entity without unreasonable delay and no later than 60 days from discovery, supplying details needed for notices.
Content of notices
Notices must describe what happened, the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm, and how to contact your organization.
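The timeline and notice-content rules above branch on the number of affected individuals and on where they live, which is easy to get wrong under incident pressure. The following is an added example, not part of the article, that turns the stated deadlines (60 days from discovery; for fewer than 500 individuals, HHS reporting within 60 days after the end of the calendar year; media notice when 500 or more individuals in one state or jurisdiction are affected) into a small planner and checks a draft notice for the required content elements. The per-state counts, dates and notice fields are constructed; the function computes only the outer deadlines, and the "without unreasonable delay" obligation still applies.

```python
"""Added example (not from the article): compute the outer breach-notification
deadlines described in the Breach Notification Rule section and check a draft
notice for the required content elements. Inputs are constructed."""
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)        # "no later than 60 calendar days"
LARGE_BREACH_THRESHOLD = 500              # >= 500 individuals: immediate HHS notice
MEDIA_THRESHOLD_PER_STATE = 500           # >= 500 in one state/jurisdiction: media notice

# Content every notice must carry, per the "Content of notices" paragraph.
REQUIRED_NOTICE_ELEMENTS = (
    "what_happened", "phi_types", "steps_for_individuals", "our_response", "contact",
)


def notification_plan(discovery: date, affected_by_state: dict) -> dict:
    """Return who must be notified and the latest date for each notice.

    affected_by_state maps a state/jurisdiction code to the number of affected
    individuals there. The plan is from the covered entity's point of view; a
    business associate's duty is to notify the covered entity within the same
    60-day window (see the article's business associates bullet).
    """
    total = sum(affected_by_state.values())
    outer = discovery + NOTICE_WINDOW
    plan = {"individuals": outer}
    if total >= LARGE_BREACH_THRESHOLD:
        plan["hhs"] = outer
    else:
        # Smaller breaches are logged and reported within 60 days after year end.
        plan["hhs"] = date(discovery.year, 12, 31) + NOTICE_WINDOW
    media_states = sorted(s for s, n in affected_by_state.items() if n >= MEDIA_THRESHOLD_PER_STATE)
    if media_states:
        plan["media"] = {"deadline": outer, "states": media_states}
    return plan


def missing_notice_elements(notice: dict) -> list:
    """Names of required content elements that are absent or empty in a draft notice."""
    return [k for k in REQUIRED_NOTICE_ELEMENTS if not notice.get(k)]


if __name__ == "__main__":
    discovered = date(2024, 3, 15)  # constructed discovery date
    for label, counts in [("small", {"OH": 120}),
                          ("large, one state", {"CA": 700, "NV": 40}),
                          ("large, spread out", {"TX": 300, "FL": 300})]:
        print(label, notification_plan(discovered, counts))
    draft = {"what_happened": "Lost unencrypted laptop", "phi_types": "names, DOB",
             "steps_for_individuals": "", "our_response": "Device wiped remotely", "contact": ""}
    print("missing:", missing_notice_elements(draft))
```

The third sample case is the one teams most often miss: 600 individuals split 300/300 across two states triggers the immediate HHS notice (total is 500 or more) but no media notice, because neither state reaches 500. Note also that the small-breach HHS date falls in the following year even when discovery is in December, so the entry must survive the year-end rollover in whatever log you keep.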
Ready to assess your HIPAA security risks?
Join thousands of organizations that use Accountable to identify and fix their security gaps.
Take the Free Risk Assessment
HIPAA Omnibus Rule Impact
Expanded business associate liability
The Omnibus Rule makes business associates—and their subcontractors—directly liable for many Privacy and Security Rule requirements. A Business Associate Agreement (BAA) must specify permissible uses/disclosures, required safeguards, breach reporting duties, subcontractor obligations, and termination terms.
Updated breach and privacy standards
The rule established a presumption of breach unless a low probability of compromise is documented, strengthened limits on marketing and sale of PHI, enhanced fundraising opt-outs, and clarified that genetic information is PHI. It also drove updates to the Notice of Privacy Practices and reinforced enforcement authority.
HIPAA Enforcement and Penalties
Regulators and actions
The Office for Civil Rights enforces HIPAA through investigations, technical assistance, corrective action plans, and settlement agreements. The Department of Justice handles criminal violations. State attorneys general may also bring civil actions.
Civil monetary penalties
Penalties are tiered by culpability—no knowledge, reasonable cause, willful neglect corrected, and willful neglect uncorrected. Fines are assessed per violation with annual caps by category and are adjusted annually for inflation. Common triggers include failure to perform risk analysis, delayed Right of Access responses, and inadequate safeguards.
Criminal penalties
Knowingly obtaining or disclosing PHI in violation of HIPAA can lead to criminal penalties, with enhanced penalties for offenses under false pretenses or for personal gain, malicious harm, or commercial advantage.
HIPAA Compliance Checklist Steps
- Designate a Privacy Officer and Security Officer with clear authority and accountability.
- Inventory where PHI and ePHI live, map data flows, and document all systems and processes.
- Perform a documented risk analysis and launch a Security Management Process to reduce identified risks.
- Adopt Administrative Safeguards: policies, training, role-based access, incident response, and contingency planning.
- Harden Physical Safeguards: facility controls, workstation standards, device/media controls, and secure disposal.
- Implement Technical Safeguards: access control, audit logging, integrity monitoring, authentication, and encryption in transit and at rest where appropriate.
- Execute and maintain a Business Associate Agreement (BAA) with each vendor handling PHI; verify their safeguards.
- Operationalize minimum necessary and identity verification for disclosures and requests.
- Standardize Right of Access fulfillment (timelines, formats, and reasonable, cost-based fees).
- Prepare and test incident response and breach notification procedures, including your Breach Notification Timeline.
- Document everything: risk decisions, policies, training, sanctions, system activity reviews, and mitigation actions.
- Monitor, audit, and reassess regularly; address findings through corrective action plans.
- Plan for continuity: backups, disaster recovery, emergency mode operations, and periodic testing.
- Review and update notices, authorizations, and consent workflows to reflect current practices.
HIPAA Risk Assessment Process
Methodology
- Define scope: include all locations, systems, devices, interfaces, and vendors that create, receive, maintain, or transmit ePHI.
- Identify assets and data flows: catalog applications, databases, endpoints, backups, and integrations.
- Analyze threats and vulnerabilities: consider human error, malicious insiders, ransomware, lost devices, misconfigurations, and third-party risks.
- Evaluate likelihood and impact: score risks, prioritize them, and record assumptions and evidence.
- Select controls: map Administrative, Physical, and Technical Safeguards to high-priority risks; define owners and timelines.
- Determine residual risk: accept, mitigate, transfer, or avoid; document rationale and sign-offs.
- Validate and monitor: test controls, review audit logs, track metrics, and schedule periodic reassessments.
Closing the loop—by documenting results, executing your action plan, and continuously improving—keeps your HIPAA compliance program effective and aligned with evolving operations and threats.
FAQs
What are the key HIPAA compliance standards?
The core standards are the Privacy Rule (how PHI may be used/disclosed and patient rights), the Security Rule (Administrative, Physical, and Technical Safeguards for ePHI), the Breach Notification Rule (when and how to notify), and the Omnibus Rule updates (expanded business associate liability and strengthened privacy/breach provisions).
How is electronic PHI protected under HIPAA?
Through the Security Rule’s risk-based controls: a Security Management Process, Administrative Safeguards (policies, training, access management), Physical Safeguards (facility/workstation/device controls), and Technical Safeguards (access control, audit logs, integrity, authentication, and transmission security, often with encryption).
What are the penalties for HIPAA violations?
OCR can impose tiered civil monetary penalties per violation with annual caps based on culpability, require corrective action plans, and refer egregious cases for criminal prosecution. Criminal penalties can include fines and imprisonment for offenses involving false pretenses or misuse for gain or harm.
How often should HIPAA risk assessments be conducted?
At least annually and whenever you experience material changes—such as new systems, major process updates, acquisitions, or incidents. Treat it as an ongoing program: update findings, revalidate controls, and refresh documentation throughout the year.