HIPAA is the US law that protects patients’ health information. This guide explains, in plain English, what HIPAA compliance is, who it applies to, and how to achieve it. Use it as your starting point, then dive deeper through the rest of the HIPAA compliance hub.
Whether you run a clinic, build health-tech software, or provide services to a healthcare organization, the same fundamentals apply. We’ll cover what HIPAA is, who it applies to, what data it protects, the rules that make it up, and the practical steps to become — and stay — compliant.
What HIPAA stands for (and why it exists)
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Congress originally passed it to help workers keep their health insurance when they changed jobs — the “portability” part. But the law also recognized that moving health records into electronic systems created new privacy and security risks, so it added the “accountability” provisions that most people now associate with the HIPAA name.
Over the years, the US Department of Health and Human Services (HHS) issued a series of regulations — the Privacy Rule, the Security Rule, the Breach Notification Rule, and others — that turned HIPAA into the foundation of health-data protection in the United States. Today, when people talk about “HIPAA compliance,” they almost always mean meeting the requirements of these rules to keep patient information private and secure.
What ‘HIPAA compliance’ really means
HIPAA compliance is not a single certificate you earn once and frame on the wall. It is an ongoing program of policies, safeguards, training, and documentation that demonstrates your organization protects health information the way the law requires. An organization is compliant when it has implemented the required administrative, physical, and technical safeguards, can prove it through documentation, and keeps that program current as systems and risks change.
This is an important mindset shift. Many teams treat HIPAA as a one-time project, but the regulations expect continuous risk management, periodic reviews, and prompt updates whenever something material changes — a new system, a new vendor, or a new type of data. Compliance is a posture you maintain, not a milestone you pass.
Who must comply with HIPAA
HIPAA applies to two categories of organizations. The first is covered entities: healthcare providers who transmit health information electronically, health plans (including insurers and most employer-sponsored plans), and healthcare clearinghouses. These are the organizations at the center of the healthcare system that create and hold patient records directly.
The second — and the one most often overlooked — is business associates. A business associate is any vendor that creates, receives, maintains, or transmits protected health information on a covered entity’s behalf. That includes SaaS platforms, cloud hosting providers, billing companies, analytics firms, and IT service providers. Since the 2013 Omnibus Rule, business associates are directly liable under HIPAA, and they must sign agreements with their own subcontractors too. If you build software that touches patient data, you are almost certainly a business associate. Our guide on covered entity vs business associate breaks down exactly which role you play, and our guide on who must comply with HIPAA covers the full scope.
What is PHI (and ePHI)?
At the heart of HIPAA is protected health information (PHI). PHI is any individually identifiable health information held or transmitted by a covered entity or business associate, in any form — paper, spoken, or electronic. It combines a health element (a diagnosis, treatment, or payment for care) with an identifier that ties it to a specific person, such as a name, address, date of birth, or medical record number.
When PHI is stored or transmitted electronically, it is called ePHI, and it falls under the more technical requirements of the Security Rule. Common examples include records in an electronic health record system, lab results in a patient portal, or appointment data in a scheduling app. Understanding what counts as PHI is the first practical step in any compliance effort, because you cannot protect — or scope — data you have not identified. Our dedicated guide on what PHI and ePHI are walks through the eighteen identifiers in detail.
The core HIPAA Rules
HIPAA is built from several interlocking rules, and understanding each one is the key to understanding your obligations:
- The Privacy Rule sets national standards for how PHI may be used and disclosed, and gives patients rights over their own information — to access it, request corrections, and learn who it has been shared with.
- The Security Rule requires administrative, physical, and technical safeguards specifically for ePHI, anchored by a documented risk analysis.
- The Breach Notification Rule requires organizations to notify affected individuals, HHS, and sometimes the media when unsecured PHI is breached.
- The Omnibus Rule (2013) extended HIPAA directly to business associates and their subcontractors and strengthened enforcement under the HITECH Act.
- The Enforcement Rule governs how the HHS Office for Civil Rights investigates complaints and imposes penalties.
For a fast tour of all of them, see our overview of the HIPAA Rules.
The three types of safeguards
The Security Rule organizes its requirements into three families of safeguards, and a compliant program addresses all three:
- Administrative safeguards are the policies and processes that govern your security program — risk analysis, workforce training, access management, and a sanctions policy for violations. These are the largest category and the backbone of compliance.
- Physical safeguards protect the physical systems and facilities where ePHI lives — facility access controls, workstation security, and rules for the disposal and reuse of devices and media.
- Technical safeguards are the technology controls that protect ePHI directly — unique user IDs, access controls, audit logging, integrity protections, and encryption of data in transit and at rest.
Notably, HIPAA labels some requirements “required” and others “addressable.” Addressable does not mean optional — it means you must implement the safeguard, or document a reasonable, equivalent alternative and why you chose it. Encryption is the classic addressable example.
How to become HIPAA compliant
While every organization is different, the path to compliance follows a consistent shape. First, map your PHI — identify every system, vendor, and workflow that touches health information. Second, conduct a risk analysis, which the Security Rule explicitly requires, to find threats to that data and decide how to treat them. Third, run a gap analysis against the rules to see what is missing.
From there you remediate: implement the safeguards, write the required policies and procedures, and execute Business Associate Agreements with every vendor that handles PHI. Then you operationalize the program with workforce training, named Privacy and Security Officers, and incident-response procedures. Finally, you maintain it — HIPAA is ongoing, so you review and update annually. Our step-by-step guide on how to become HIPAA compliant and the free HIPAA compliance checklist walk through each stage in detail.
HIPAA violations and penalties
HIPAA has real teeth. The Office for Civil Rights (OCR) enforces the law and can impose tiered civil penalties based on the level of culpability — from modest fines for unknowing violations to substantial penalties for willful neglect that is not corrected, up to an annual cap per identical provision. In serious cases involving the knowing misuse of PHI, criminal penalties are also possible.
Beyond fines, a breach or violation carries reputational damage, mandatory corrective action plans, and the loss of customer and patient trust. Common HIPAA violations include lost or stolen unencrypted devices, improper disclosures, missing risk analyses, and the absence of Business Associate Agreements — most of which are preventable with a sound program.
Is there a HIPAA ‘certification’?
This is one of the most common points of confusion. There is no official, government-issued HIPAA certification. No federal body reviews your organization and stamps it “HIPAA certified.” Any vendor claiming to make you “HIPAA certified” in a permanent sense is overstating what is possible under the law.
That said, third parties can attest to your compliance at a point in time, and many organizations pursue an independent assessment to give customers confidence. This is increasingly important for business associates that need to prove their posture to win deals. Our guide on HIPAA certification and attestation explains what is genuinely available and how to present your compliance credibly.
HIPAA alongside other frameworks
HIPAA rarely lives alone. Many health-tech companies also pursue SOC 2 to satisfy enterprise security reviews, or HITRUST, which offers a certifiable framework that incorporates HIPAA requirements. Because these frameworks share a large overlap in their underlying controls — access management, encryption, risk assessment, vendor oversight — pursuing them together is usually far more efficient than tackling each in isolation.
If your customers are asking for both a HIPAA attestation and a SOC 2 report, sequencing the work so shared controls are built once can substantially reduce total cost and effort. A specialist partner like ISpectra can map the overlap and bundle the engagements.
Getting started with HIPAA
If you are just beginning, resist the urge to buy tools or write policies first. Start by confirming whether you are a covered entity or business associate, then map where PHI lives and conduct an honest risk analysis. Mapping your PHI and analyzing the risks to it anchor everything that follows and prevent you from spending money in the wrong places. From there, work methodically through remediation, documentation, training, and ongoing review.
HIPAA can feel daunting, but it is achievable with a clear plan and the right guidance. Explore the rest of the HIPAA compliance hub for deep dives on each topic, or talk to our team for a free readiness assessment to map your fastest path to a defensible program.