
What is HIPAA Compliance? Complete Healthcare Privacy Guide for 2025

By Dr. James Park
January 12, 2025
11 min read

Healthcare Privacy Compliance Guide

TL;DR: Quick Takeaways

  • HIPAA protects patient health information (PHI) in the United States
  • Applies to covered entities (healthcare providers, health plans, clearinghouses) and business associates
  • Three main rules: Privacy Rule, Security Rule, Breach Notification Rule
  • Penalties range from $100-$50,000 per violation with annual caps up to $1.5M

The Health Insurance Portability and Accountability Act (HIPAA) is the cornerstone of healthcare privacy protection in the United States. If you handle protected health information (PHI) in any capacity—whether as a healthcare provider, health tech startup, or service provider—HIPAA compliance is not optional.

Enacted in 1996 and significantly updated through the HITECH Act (2009) and Omnibus Rule (2013), HIPAA establishes national standards for protecting sensitive patient health information. With healthcare data breaches affecting millions of patients annually and penalties reaching into the millions, understanding HIPAA is critical.

In this comprehensive guide, we'll break down everything you need to know about HIPAA compliance—from understanding who needs to comply to implementing the required safeguards.

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a federal law that establishes national standards for protecting sensitive patient health information from being disclosed without patient consent or knowledge.

While HIPAA started as legislation focused on health insurance portability, it has evolved into the primary framework governing healthcare data privacy and security in the United States. The law applies to covered entities and their business associates who handle Protected Health Information (PHI).

Key HIPAA Components

  • Privacy Rule: Standards for protecting PHI in all forms
  • Security Rule: Technical safeguards for electronic PHI (ePHI)
  • Breach Notification Rule: Requirements for reporting security breaches
  • Enforcement Rule: Investigation and penalty procedures

HIPAA Framework Overview

Who Needs HIPAA Compliance?

HIPAA applies to two main categories of entities that handle PHI:

Covered Entities

  • ✓ Healthcare providers (doctors, hospitals, clinics)
  • ✓ Health plans (insurance companies, HMOs)
  • ✓ Healthcare clearinghouses
  • ✓ Any provider conducting standard transactions electronically

Business Associates

  • ✓ Third-party service providers accessing PHI
  • ✓ Medical billing companies
  • ✓ IT service providers
  • ✓ Cloud storage providers
  • ✓ SaaS platforms handling PHI
  • ✓ Medical transcription services

💡 Pro Tip:

Many startups and tech companies mistakenly believe HIPAA doesn't apply to them. If you're a SaaS platform, cloud provider, or service that accesses, stores, or transmits PHI on behalf of a covered entity, you're a business associate and must comply with HIPAA. This includes signing a Business Associate Agreement (BAA).

The Three HIPAA Rules Explained

HIPAA compliance requires understanding and implementing three main rules:

1. Privacy Rule

Standards for protecting PHI

  • Establishes national standards for protecting PHI
  • Limits use and disclosure of PHI without patient authorization
  • Grants patients rights over their health information
  • Requires written privacy policies and procedures
  • Mandates Notice of Privacy Practices (NPP) to patients

Key Rights: Patients can access, amend, and obtain accounting of disclosures of their PHI

2. Security Rule

Technical safeguards for ePHI

  • Administrative safeguards (security management, workforce training)
  • Physical safeguards (facility access, workstation security)
  • Technical safeguards (access controls, encryption, audit controls)
  • Requires risk analysis and risk management
  • Mandates contingency planning and disaster recovery

Key Requirement: Encryption of ePHI at rest and in transit is addressable (highly recommended) but not explicitly required

3. Breach Notification Rule

Requirements for reporting breaches

  • Notify affected individuals within 60 days
  • Notify HHS (immediate if 500+ individuals affected)
  • Notify media if breach affects 500+ residents in a state
  • Business associates must notify covered entities within 60 days
  • Document all breaches, even those affecting fewer than 500 people

Key Definition: A breach is an unauthorized acquisition, access, use, or disclosure of PHI that compromises security or privacy

What is Protected Health Information (PHI)?

PHI is any health information that can be used to identify an individual. HIPAA defines 18 specific identifiers:

🆔 Direct Identifiers

  • Names
  • Geographic subdivisions smaller than state
  • Dates (birth, admission, discharge, death)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security Numbers
  • Medical record numbers
  • Health plan beneficiary numbers

🔢 Additional Identifiers

  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photos
  • Any other unique identifying number or code

De-identified Data

Data that has had all 18 identifiers removed (and no reasonable basis to believe it could identify an individual) is de-identified and not subject to HIPAA. This is critical for research and analytics.
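To make the identifier list and the de-identification rule concrete, here is an added Python example (written for this guide, not code from the original article) that applies the Safe Harbor method to a flat patient record: it drops the fields that map to the listed identifiers, reduces date fields to the year (Safe Harbor removes all date elements except the year), scans free-text fields such as clinical notes for identifiers that leak in as text, and provides an audit check that reports anything still present. The field names, the regular expressions, and the sample record are all constructed assumptions of the example; a real schema would need its own mapping.

```python
import re

# Constructed schema for a flat patient record. The Safe Harbor list names
# categories of identifiers, not column names, so this field mapping is an
# assumption of the example, not something the article or the regulation defines.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip",            # geographic units smaller than a state
    "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vin", "device_serial",
    "url", "ip", "fingerprint", "photo",
}
# Date fields are reduced to the year rather than dropped: Safe Harbor removes
# all date elements except the year (45 CFR 164.514(b)).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifiers that tend to leak into free-text fields such as clinical notes.
FREE_TEXT_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":   re.compile(r"https?://\S+"),
    "date":  re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"),   # ISO dates; the year is kept
}


def scrub_text(text):
    """Redact identifier patterns in free text; full dates collapse to the year."""
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        if kind == "date":
            text = pattern.sub(lambda m: m.group(1), text)
        else:
            text = pattern.sub(f"[REDACTED-{kind}]", text)
    return text


def deidentify(record):
    """Return (cleaned_record, removed_fields) under the Safe Harbor method."""
    cleaned, removed = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(key)                  # drop the field entirely
        elif key in DATE_FIELDS and value:
            cleaned[key] = str(value)[:4]        # keep only the year
        elif isinstance(value, str):
            cleaned[key] = scrub_text(value)     # scan free text for leaked identifiers
        else:
            cleaned[key] = value
    return cleaned, removed


def find_identifiers(record):
    """Audit check: list (field, kind) for every identifier still present."""
    findings = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append((key, "direct-field"))
        if isinstance(value, str):
            for kind, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    findings.append((key, kind))
    return findings


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Public", "mrn": "MRN-0042", "ssn": "123-45-6789",
    "email": "jane@example.com", "street": "12 Elm St", "city": "Springfield",
    "state": "IL", "zip": "62704",
    "birth_date": "1980-06-21", "admission_date": "2024-03-15",
    "discharge_date": "2024-03-18",
    "diagnosis": "E11.9 type 2 diabetes",
    "notes": ("Pt called from 555-867-5309 on 2024-03-15; SSN 123-45-6789 on file; "
              "email jane@example.com; portal login from 10.0.0.7."),
}

if __name__ == "__main__":
    cleaned, removed = deidentify(SAMPLE_RECORD)
    print("removed fields:", removed)
    print("cleaned record:", cleaned)
    print("residual identifiers:", find_identifiers(cleaned))
```

The audit function is the part worth keeping in a pipeline: run it over the output of any de-identification step before data leaves the covered environment, and treat a non-empty result as a blocking failure rather than a warning. Note that this example keeps only the state for geography and drops ZIP codes entirely, which is stricter than the regulation's 3-digit ZIP allowance.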

Business Associate Agreements (BAA)

If you're a business associate, you must sign a BAA with each covered entity you serve. Here's what you need to know:

📄 What a BAA Must Include

  • Permitted uses and disclosures of PHI
  • Business associate's obligations to safeguard PHI
  • Prohibition on unauthorized use or disclosure
  • Requirement to report breaches
  • Requirement to ensure subcontractors comply (downstream BAAs)
  • Return or destruction of PHI upon termination
  • Covered entity's right to audit compliance

⚠️ Common BAA Mistakes

  • ❌ Not signing BAAs with all vendors accessing PHI
  • ❌ Using outdated BAA templates (pre-2013 Omnibus Rule)
  • ❌ Failing to get BAAs from subcontractors
  • ❌ Not reviewing BAA terms carefully (liability, indemnification)
  • ❌ Assuming verbal agreements are sufficient

💡 Pro Tip:

No BAA = No business with covered entities. Healthcare organizations cannot legally share PHI with you without a signed BAA. If you're a SaaS company or service provider, having a standard BAA ready to sign dramatically speeds up sales cycles with healthcare customers.

HIPAA vs HITRUST

HIPAA is the regulation; HITRUST is a certifiable framework that includes HIPAA requirements:

Aspect        | HIPAA                      | HITRUST
Type          | Federal regulation         | Certifiable security framework
Certification | No certification available | Third-party certification (e1, i1, r2)
Controls      | General requirements       | 300+ prescriptive controls
Assessment    | Self-assessment            | Independent third-party validation
Recognition   | Required minimum           | Gold standard in healthcare

Key Difference: HIPAA compliance is mandatory for covered entities and business associates. HITRUST is voluntary but provides a higher level of assurance and is increasingly required by healthcare organizations when selecting vendors.

Key Takeaways

  1. HIPAA applies to both covered entities and business associates—if you handle PHI for a healthcare organization, you must comply.

  2. The three rules (Privacy, Security, Breach Notification) work together to protect PHI in all forms—paper, electronic, and verbal.

  3. Business Associate Agreements are mandatory—you cannot handle PHI without a signed BAA in place.

  4. Encryption is not technically required but is the most effective way to avoid breach notification requirements if a security incident occurs.

  5. Regular risk analysis, workforce training, and incident response planning are not optional—they're required by the Security Rule.

Frequently Asked Questions

Do I need a BAA with every vendor that handles PHI?
Yes, you must have a signed BAA with every vendor, service provider, or subcontractor that creates, receives, maintains, or transmits PHI on your behalf. This includes cloud hosting providers, email services (if they can access content), billing companies, IT support, and SaaS platforms. No BAA means no access to PHI.
What are the penalties for HIPAA violations?
HIPAA penalties are tiered based on culpability: Tier 1 (unknowing) $100-$50,000 per violation; Tier 2 (reasonable cause) $1,000-$50,000; Tier 3 (willful neglect, corrected) $10,000-$50,000; Tier 4 (willful neglect, not corrected) $50,000 per violation. Annual maximum penalties can reach $1.5M per violation category. Criminal penalties can include fines up to $250,000 and imprisonment up to 10 years.
Is encryption required under HIPAA?
Encryption is "addressable" under the HIPAA Security Rule, not strictly required. However, if ePHI is encrypted and the encryption key was not compromised, a breach of that data does not need to be reported. This safe harbor provision makes encryption a de facto standard. If you choose not to encrypt, you must document why encryption is not reasonable and appropriate, and implement equivalent alternative measures.
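The Breach Notification Rule section above and this encryption answer together describe a decision procedure that incident responders apply under time pressure. The following added Python example (written for this guide, not code from the original article) encodes it: the encryption safe harbor is checked first, then the 60-day individual-notice deadline is computed from the discovery date, the 500-individual HHS threshold and the per-state 500-resident media threshold are applied, and a business associate's duty to notify the covered entity is added. The incident fields and the per-state counts are constructed assumptions; the statement that breaches affecting fewer than 500 people are logged and reported to HHS annually comes from the regulation (45 CFR 164.408), not from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Incident:
    """Constructed incident model; field names are assumptions of this example."""
    discovered: date                  # date the incident was discovered
    unauthorized_phi_access: bool     # acquisition, access, use or disclosure not permitted
    ephi_encrypted: bool              # the affected ePHI was encrypted
    key_compromised: bool             # the decryption key was also exposed
    affected_by_state: dict           # state code -> number of residents affected
    reporter_is_business_associate: bool


def assess_breach(incident):
    """Return the notification duties the Breach Notification Rule attaches to an incident."""
    if not incident.unauthorized_phi_access:
        return {"reportable": False,
                "reason": "no unauthorized acquisition, access, use or disclosure of PHI"}
    if incident.ephi_encrypted and not incident.key_compromised:
        # Encryption safe harbor: encrypted ePHI whose key was not compromised is
        # not "unsecured PHI", so no breach notification is owed. Document the
        # decision anyway; the determination itself is part of the record.
        return {"reportable": False, "document_internally": True,
                "reason": "encryption safe harbor: ePHI encrypted and key not compromised"}

    total = sum(incident.affected_by_state.values())
    deadline = incident.discovered + timedelta(days=60)
    duties = {
        "reportable": True,
        "affected_total": total,
        "individual_notice_by": deadline,        # affected individuals, within 60 days
        "hhs_notice": ("immediately (500+ individuals affected)" if total >= 500
                       else "log and report to HHS annually (fewer than 500)"),
        # Media notice is decided per state: only states with 500+ affected residents.
        "media_notice_states": sorted(
            state for state, n in incident.affected_by_state.items() if n >= 500),
        "document_internally": True,             # every breach is documented, whatever its size
    }
    if incident.reporter_is_business_associate:
        duties["notify_covered_entity_by"] = deadline   # BA -> covered entity, within 60 days
    return duties


if __name__ == "__main__":
    # Constructed incident: a business associate's unencrypted export is exposed.
    example = Incident(date(2025, 1, 12), True, False, False,
                       {"IL": 600, "IN": 40}, True)
    for key, value in assess_breach(example).items():
        print(f"{key}: {value}")
```

Deadlines here are computed from the discovery date because that is what starts the 60-day clock; an organization that cannot establish its discovery date from logs and ticketing records will struggle to show it met the deadline, which is one practical reason the Security Rule's audit-control requirement matters for breach response.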
How long must I retain patient records under HIPAA?
HIPAA itself does not specify retention periods for medical records—state laws govern medical record retention (typically 5-10 years). However, HIPAA requires that documentation of policies, procedures, and security measures be retained for 6 years from the date of creation or when last in effect, whichever is later. This includes risk analyses, workforce training records, BAAs, and breach documentation.
How often should I conduct HIPAA audits?
HIPAA requires ongoing security risk analyses but doesn't specify frequency. Best practice is to conduct comprehensive risk analyses annually and whenever there are significant changes to your systems or operations (new technologies, organizational changes, security incidents). You should also perform regular security audits (quarterly or monthly) of technical safeguards like access logs, and annual policy reviews.
