ISpectra Technologies
Requirements Guide · Updated Jun 2026 · 10 min read

HIPAA Compliance Requirements: A Complete Overview

HIPAA’s requirements can feel sprawling, but they organize into a manageable set of obligations once you see the whole picture. This overview lays out everything HIPAA actually requires.


Rather than treating each rule in isolation, this guide pulls the requirements together into a single map of what you must do for privacy, security, breaches, vendor agreements, documentation, and ongoing maintenance, so you can plan a complete program rather than discover gaps one audit at a time.

The foundation: know your role and your data

Before any specific requirement, HIPAA expects you to know where you stand. You must determine whether you are a covered entity or a business associate, because that defines which obligations apply. You must also identify the protected health information you hold — where it lives, how it flows, and who can access it.

This groundwork is not optional busywork; it is the basis for scoping every other requirement. An organization that has not mapped its PHI cannot conduct a meaningful risk analysis or implement proportionate safeguards.

Privacy Rule requirements

The Privacy Rule requires you to limit uses and disclosures of PHI to those the rule permits or requires, to apply the minimum necessary standard (which does not apply to disclosures to a provider for treatment, to the individual, or under a valid authorization), and to obtain a written authorization for any use or disclosure outside the permitted categories. You must also honor patient rights: access, amendment, restriction, confidential communications, and an accounting of disclosures.

Covered entities must additionally provide a Notice of Privacy Practices, designate a privacy official, and train the workforce on privacy policies. These requirements ensure PHI is used with restraint and that patients retain control over their information.

Security Rule requirements

The Security Rule requires safeguards for electronic PHI across three families: administrative, physical, and technical. At its center is a documented risk analysis that identifies threats to ePHI and a risk management process that addresses them.

From that foundation flow specific requirements: unique user identification and access controls, audit controls that record activity in systems holding ePHI, integrity and authentication controls, workstation and device security, and transmission protection. Encryption, at rest and in transit, is an addressable specification, which does not mean optional: you must either implement it or document why it is not reasonable and appropriate and what equivalent alternative you put in place. The rule is scalable, so the specific measures depend on your size, complexity, and risk, but every organization must address all three safeguard categories.

Breach Notification requirements

HIPAA requires you to detect, assess, and respond to breaches of unsecured PHI. "Unsecured" means PHI that has not been rendered unusable, unreadable, or indecipherable through encryption or destruction consistent with HHS guidance, so a lost laptop whose disk is encrypted and whose key was not compromised is generally not a reportable breach, while the same laptop unencrypted is. For an incident involving unsecured PHI, you must conduct a four-factor risk assessment (the nature of the PHI, who received it, whether it was actually acquired or viewed, and the extent of mitigation) to determine whether there is a low probability of compromise. Unless you can document that low probability, the incident is a reportable breach: affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery; HHS must be notified within that same 60-day window for breaches affecting 500 or more individuals, and within 60 days after the end of the calendar year for smaller ones; and prominent media outlets must be notified when a breach affects more than 500 residents of a state or jurisdiction.

Business associates must notify the covered entity of breaches they discover, also without unreasonable delay and no later than 60 days after discovery, and a BAA may shorten that window. Because the clock starts at discovery, not at the end of the investigation, a prepared breach-response plan is effectively a requirement, even though the rule frames it as an obligation triggered by an incident.

Business Associate Agreements

HIPAA requires a signed Business Associate Agreement before PHI is shared with any vendor that will handle it. Covered entities must have BAAs with their business associates, and business associates must have them with subcontractors.

This requirement extends protection through the supply chain. Operating without a required BAA is itself a violation, so maintaining a complete inventory of executed agreements is part of meeting this obligation.

Documentation requirements

HIPAA is documentation-driven. You must maintain written policies and procedures, your risk analysis and risk management plan, training records, access records, incident and breach files, and your BAAs. Documentation must generally be retained for six years from its creation or the date it was last in effect, whichever is later, and kept current. This retention period applies to compliance documentation; retention of the medical records themselves is governed by state law and is usually longer.

In an audit, this documentation is the primary evidence of compliance. A strong program with no records is difficult to distinguish from no program at all, which is why documentation is treated as a core requirement rather than an afterthought.

Workforce training requirements

HIPAA requires that workforce members be trained on privacy and security policies appropriate to their roles, both at onboarding and periodically thereafter. Training must be documented, and a sanction policy must address violations.

Training is where requirements become behavior. The most carefully written policies provide little protection if staff have never been taught to follow them, which is why training is an explicit and recurring obligation.

Designating responsible officials

Covered entities must designate a Privacy Official and a Security Official responsible for the respective programs. Business associates, directly responsible for the Security Rule, must likewise assign accountability for security to a specific person.

This requirement places ownership of compliance with named individuals, ensuring that the program has leadership and that there is a clear point of contact for questions, complaints, and regulators.

Patient rights obligations

HIPAA requires covered entities to honor a set of patient rights: to access and obtain copies of records, request amendments, request restrictions and confidential communications, and receive an accounting of certain disclosures. These must be supported by reliable procedures.

Failures to provide timely access are among the most common complaints and enforcement actions. The Privacy Rule requires a response to an access request within 30 days, with one 30-day extension if the individual is told the reason for the delay, which makes the operational handling of patient rights a requirement that deserves real attention.

Ongoing and recurring obligations

HIPAA compliance is continuous, not a one-time project. You must review and update your risk analysis as systems and threats change, refresh policies, retrain staff, renew and review BAAs, and monitor for incidents. The program must adapt as the organization evolves.

This ongoing nature is itself a requirement: a compliance posture that was adequate two years ago but has not been maintained no longer satisfies HIPAA. Building a cadence of review and update is essential.

Requirements for business associates specifically

Business associates are directly subject to the Security Rule in full, including risk analysis, safeguards, and documentation, and to the breach-notification duty to the covered entity, plus the obligations flowed down through their BAAs and the duty to bind their own subcontractors. They are subject to direct enforcement, just like covered entities.

For vendors, meeting these requirements is also a commercial necessity, because healthcare customers increasingly demand proof of compliance before signing a contract.

Bringing the requirements together

Taken together, HIPAA’s requirements form a coherent program: know your role and data, protect privacy, secure electronic information, prepare for breaches, paper your vendor relationships, document everything, train your people, assign accountability, honor patient rights, and maintain it all over time.

Approached as a connected whole rather than a checklist of isolated rules, these requirements become achievable. The organizations that succeed are those that build a system to meet them continuously, not those that scramble to satisfy each one in isolation.

Requirements vs best practices

It helps to distinguish what HIPAA strictly requires from what is merely good practice. The law mandates a risk analysis, safeguards, policies, training, BAAs, and breach response, but it is deliberately flexible about how you meet many of them. Practices like annual penetration testing or third-party attestation are not named in the rule, yet they have become expected because they strengthen the program and reassure customers. They also give you a ready way to satisfy the one evaluation obligation the Security Rule does impose: a periodic technical and nontechnical evaluation of how well your safeguards meet the rule, repeated whenever your environment or operations change.

Understanding this line helps organizations prioritize: meet every genuine requirement first, then adopt the best practices that most reduce risk and best serve their customers and regulators.

Common requirement failures

The most frequent HIPAA failures are predictable: a missing or outdated risk analysis, absent or generic policies, untrained staff, missing Business Associate Agreements, and unencrypted portable devices. The last one deserves emphasis because encryption is addressable rather than required: organizations that never documented a decision about it, and then lost a laptop or USB drive, account for a large share of settlements. Each of these failures maps directly to a core requirement, and each appears repeatedly in enforcement actions.

Because these failures are so common, they are also a useful self-check. An organization that can confidently demonstrate each of these requirements has addressed the areas regulators scrutinize most closely.

How requirements differ by organization size

HIPAA’s requirements apply to organizations of every size, but the way they are met scales. A solo practice and a national health system both need a risk analysis, safeguards, and policies, yet the depth, formality, and resourcing differ enormously. The Security Rule’s flexibility is what allows this proportionality.

The key is that smaller size reduces the scale of the requirements, not their existence. Every covered entity and business associate must address them; only the implementation varies.

Mapping requirements to evidence

For each requirement, ask what evidence would demonstrate it. A risk analysis is evidenced by the documented assessment; training by completion records; access control by provisioning and review logs; vendor management by executed BAAs. Mapping requirements to the artifacts that prove them turns compliance into something you can show, not just assert.

This evidence-oriented mindset also prepares an organization for audits, where the ability to produce the right documentation quickly is what distinguishes a smooth review from a painful one.

Turning requirements into a plan

The final move is to convert this overview into an action plan. List each requirement, assess your current state against it, assign an owner, and set a timeline to close any gaps. This transforms a daunting body of regulation into a concrete project with clear accountability.

Organizations that approach HIPAA this way — methodically, requirement by requirement — find that what looked overwhelming becomes a sequence of manageable tasks, each with a clear definition of done.

Free consultation

Need help with HIPAA?

Talk to our certified compliance team — we’ve supported 200+ audits.


HIPAA Compliance Requirements: A Complete Overview — FAQs

What are the main HIPAA compliance requirements?
Knowing your role and PHI, meeting Privacy Rule obligations, implementing Security Rule safeguards, handling breaches, signing BAAs, maintaining documentation, training the workforce, designating officials, honoring patient rights, and maintaining the program over time.

Is a risk analysis required?
Yes. The Security Rule requires a documented risk analysis identifying threats and vulnerabilities to ePHI, plus a risk management process to address them. It is the foundation of all security requirements.

Is workforce training required?
Yes. Workforce members must be trained on privacy and security policies appropriate to their roles, at onboarding and periodically, and the training must be documented.

Do business associates have their own requirements?
Yes. Business associates are directly responsible for the Security Rule, breach reporting, BAAs with subcontractors, and documentation, and are subject to direct enforcement.

How long must HIPAA documentation be retained?
Generally six years from creation or the date it was last in effect, whichever is later. Some state laws require longer retention periods.

Is HIPAA compliance a one-time project?
No. HIPAA compliance is continuous. You must keep the risk analysis, policies, training, BAAs, and safeguards current as systems, vendors, and threats change.