HIPAA Compliance Deepdive
1. Overview
What HIPAA Is
The Health Insurance Portability and Accountability Act of 1996 establishes US federal requirements for the protection of individually identifiable health information. The implementing regulations administered by the US Department of Health and Human Services Office for Civil Rights (HHS OCR) at 45 CFR Parts 160 and 164 are commonly grouped into four rules: the Privacy Rule (Subpart E of Part 164), the Security Rule (Subpart C of Part 164, 45 CFR 164.302–164.318), the Breach Notification Rule (Subpart D, 45 CFR 164.400–414), and the Enforcement Rule (Part 160 Subparts C–E). Authoritative information is published by HHS OCR at hhs.gov/hipaa.
Who It Applies To
- Covered Entities — health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA standard transactions.
- Business Associates — entities that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or another business associate. Most B2B SaaS vendors serving healthcare fall here.
- Subcontractors — a business associate that creates, receives, maintains, or transmits PHI on behalf of another business associate. Same obligations as a business associate.
2025 Security Rule NPRM
HHS OCR published a Notice of Proposed Rulemaking on 6 January 2025 with the most significant Security Rule revision since 2003. Proposed changes include: removal of the addressable / required distinction; mandatory written documentation for all implementation specifications; mandatory encryption for ePHI at rest and in transit (with narrow exceptions); annual technical asset inventory and network mapping; explicit MFA for all access to ePHI; annual risk analysis with documented methodology; annual vulnerability scanning and 12-month penetration testing; vendor risk management and Business Associate Agreement (BAA) renewal cadence. The NPRM had not been finalized at the time of writing in May 2026; covered entities and business associates should track HHS OCR publication for the final rule, plan for substantial uplift, and treat the proposed text as a strong indicator of supervisory expectations.
Outcome
HIPAA is not certifiable. Compliance is demonstrated through documented programs, executed BAAs, and operational evidence available to OCR on request or in response to a complaint or breach. Penalties under the Enforcement Rule range from $100 per violation (cap $25,000 per identical violation per year for unknowing violations) to $50,000 per violation (cap $1.5 million per identical violation per year for willful neglect, uncorrected), adjusted annually for inflation. OCR publishes enforcement actions and Resolution Agreements at hhs.gov/hipaa/for-professionals/compliance-enforcement.
Security Consultants supports covered entities and business associates through the HIPAA compliance service, typically aligned with parallel SOC 2 or ISO 27001 programs to support enterprise B2B sales. For background on SOC 2 itself, see our blog post What SOC 2 is (really), and how do you get there.
2. Scope & Applicability
Protected Health Information (PHI)
PHI is individually identifiable health information held or transmitted by a covered entity or business associate, in any form. The 18 HIPAA identifiers (names, geographic subdivisions smaller than a state, dates other than year for individuals, telephone, fax, email, SSN, MRN, account, certificate / license, vehicle, device identifier, URL, IP, biometric, full-face photo, any other unique identifier) define when health information becomes individually identifiable.
Electronic PHI (ePHI)
The Security Rule applies specifically to PHI created, received, maintained, or transmitted in electronic form. The Privacy Rule applies to all PHI in any form.
De-identification
Information is no longer PHI if de-identified under either the Safe Harbor method (remove the 18 identifiers, no actual knowledge of re-identification risk) or the Expert Determination method (statistician's documented determination of very small re-identification risk).
Designated Record Set
Covered entities maintain a Designated Record Set containing PHI used to make decisions about an individual. Individuals have access rights (45 CFR 164.524), amendment rights (164.526), and accounting of disclosures rights (164.528) over this set.
Minimum Necessary Standard
Most uses and disclosures of PHI must be limited to the minimum necessary to accomplish the purpose (45 CFR 164.502(b), 164.514(d)). Exceptions: disclosures to or requests by a health care provider for treatment; disclosures to the individual; uses or disclosures required by law.
Business Associate Agreements (BAAs)
Covered entities must execute a written BAA with each business associate. Business associates must execute a written agreement with each subcontractor that handles PHI. The BAA must address permitted uses, safeguards, subcontractor flowdown, breach reporting, return / destruction of PHI on termination, and audit cooperation. The 2013 Omnibus Rule made business associates directly liable to OCR for HIPAA compliance.
Cloud and SaaS Services
Cloud providers handling PHI on behalf of covered entities are business associates and must sign BAAs. AWS, Azure, Google Cloud, and Oracle all offer HIPAA-eligible service tiers with vendor BAAs. SaaS vendors handling PHI must do likewise. Use of cloud services without an executed BAA is a Security Rule violation regardless of the cloud provider's underlying security posture.
3. Core Principles
Privacy Rule (45 CFR Part 164 Subpart E)
- Permissible uses and disclosures of PHI (164.502–164.514)
- Notice of Privacy Practices (164.520)
- Individual rights: access (164.524), amendment (164.526), accounting of disclosures (164.528), restrictions (164.522)
- Administrative requirements: Privacy Officer designation, workforce training, complaints process, sanctions, mitigation
Security Rule (45 CFR Part 164 Subpart C)
- Administrative safeguards (164.308): security management process, workforce security, information access management, security awareness, contingency plan, evaluation, BAAs
- Physical safeguards (164.310): facility access controls, workstation use and security, device and media controls
- Technical safeguards (164.312): access control, audit controls, integrity, person or entity authentication, transmission security
- Organizational requirements (164.314): BAA content, group health plan requirements
- Policies, procedures, and documentation (164.316): six-year retention; available to workforce; reviewed and updated
Breach Notification Rule (45 CFR 164.400–164.414)
- Definition of breach: acquisition, access, use, or disclosure of PHI not permitted under the Privacy Rule that compromises security or privacy, unless the entity can demonstrate low probability that PHI has been compromised via a four-factor risk assessment
- Notification to individuals: without unreasonable delay and no later than 60 days from discovery
- Notification to HHS: contemporaneously for breaches affecting 500 or more individuals; annually for smaller breaches
- Notification to prominent media outlets: for breaches affecting more than 500 residents of a state or jurisdiction
- Business associate notification to covered entity: without unreasonable delay and no later than 60 days from discovery
Enforcement Rule
- OCR has authority to investigate complaints, conduct compliance reviews, and impose civil money penalties
- Department of Justice handles criminal HIPAA violations under 42 USC 1320d-6
- HHS publishes Resolution Agreements with corrective action plans for material settlements
4. Control Breakdown
Administrative Safeguards (164.308)
164.308(a)(1) Security Management Process: risk analysis; risk management; sanction policy; information system activity review.
164.308(a)(2) Assigned Security Responsibility: Security Official designated.
164.308(a)(3) Workforce Security: authorization, clearance, termination procedures.
164.308(a)(4) Information Access Management: access authorization, establishment, modification.
164.308(a)(5) Security Awareness and Training: workforce training, periodic security reminders, malicious software protection awareness, log-in monitoring, password management.
164.308(a)(6) Security Incident Procedures: response and reporting.
164.308(a)(7) Contingency Plan: data backup, disaster recovery, emergency mode operation, testing and revision.
164.308(a)(8) Evaluation: periodic technical and nontechnical evaluation.
164.308(b) Business Associate Contracts: written BAA.
Evidence: risk analysis report, security policy set, workforce training records, BAA register, IR plan, BCP/DR test records.
Physical Safeguards (164.310)
164.310(a) Facility Access Controls: contingency operations, facility security plan, access control and validation, maintenance records.
164.310(b) Workstation Use; 164.310(c) Workstation Security: controls over physical attributes of workstations accessing ePHI.
164.310(d) Device and Media Controls: disposal, media re-use, accountability, backup and storage.
Evidence: facility access logs, asset inventory with ePHI flag, media disposal records, hardware inventory.
Technical Safeguards (164.312)
164.312(a) Access Control: unique user identification (required), emergency access procedure (required), automatic logoff (addressable; NPRM would make required), encryption and decryption (addressable; NPRM would make required).
164.312(b) Audit Controls: hardware, software, and procedural mechanisms that record and examine activity.
164.312(c) Integrity: protect ePHI from improper alteration or destruction.
164.312(d) Person or Entity Authentication: verify identity.
164.312(e) Transmission Security: integrity controls (addressable), encryption (addressable; NPRM would make required).
Evidence: IAM exports, MFA enforcement reports, SIEM rule sets, retention configurations, TLS configurations, encryption inventory, key management procedure.
Organizational Requirements (164.314)
164.314(a) Business Associate Contracts: written agreement satisfying the BAA content requirements; reporting of any security incident; flowdown to subcontractors.
164.314(b) Group Health Plans: plan-specific implementation requirements.
Evidence: BAA register, signed agreements, subcontractor flowdown evidence.
Policies, Procedures, Documentation (164.316)
Maintain policies and procedures to comply with the standards. Retain documentation for six years from the date of creation or the date when last in effect, whichever is later. Make documentation available to workforce members. Review and update periodically in response to environmental or operational change.
5. Minimum Requirements (Non-Negotiable)
Mandatory Documents
- Risk Analysis (164.308(a)(1)(ii)(A)) and Risk Management Plan
- Information Security Policy and supporting policies covering all administrative, physical, and technical safeguards
- Workforce Sanction Policy
- Incident Response Plan with Breach Notification workflow
- Contingency Plan including Data Backup, Disaster Recovery, and Emergency Mode Operation procedures
- Workforce Security Procedures (authorization, clearance, termination)
- Access Control Policy and Procedures
- Audit Logging and Monitoring Procedure
- Encryption Policy and Key Management Procedure
- BAA template; BAA register; subcontractor BAA template
- Notice of Privacy Practices (covered entities)
- Designated Record Set documentation (covered entities)
- Designated Privacy Officer and Security Officer documentation
- Workforce training program with completion records
Mandatory Processes
- Annual or more frequent Risk Analysis using a documented methodology (NIST SP 800-30 widely accepted)
- Periodic Information System Activity Review
- Periodic Evaluation (164.308(a)(8))
- Workforce training upon hire, periodically thereafter, and when policies or procedures materially change
- BAA execution before any business associate touches PHI
- Incident response and breach risk assessment using the four-factor analysis
- Breach notification within statutory timelines
- Documentation retention for six years
- Contingency Plan testing and revision (addressable in current Security Rule; NPRM would make required)
Technical Controls
- Unique user identification and authentication (MFA strongly expected, mandatory under NPRM for all ePHI access)
- Encryption of ePHI in transit and at rest (addressable in current Security Rule; NPRM would make required)
- Audit logging across ePHI systems with regular review
- Automatic logoff on workstations
- Integrity controls preventing improper alteration of ePHI
- Media sanitization and disposal aligned with NIST SP 800-88
6. Technical Implementation Guidance
Risk Analysis
- Use NIST SP 800-30 or equivalent methodology
- Identify ePHI flows, systems, and storage locations
- Identify threats, vulnerabilities, likelihood, impact
- Document risk treatment decisions
- Refresh annually and after material change. See our risk assessment service.
Cloud Architecture
- Use HIPAA-eligible service tiers from major cloud providers and execute the vendor BAA
- Configure storage and database services to enforce encryption at rest
- Enforce TLS 1.2 or higher for all transmission of ePHI
- Restrict ePHI workloads to the BAA-covered services in your provider's HIPAA service catalog
Identity and Access
- Phishing-resistant MFA for all ePHI access (current best practice; mandatory under NPRM)
- Role-based access with documented least-privilege rationale
- Quarterly access reviews on ePHI-accessing roles
Logging and Monitoring
- Centralize logs from ePHI systems in a SIEM
- Configure detections for anomalous ePHI access patterns, large exports, and credential misuse
- Retain logs for at least 12 months online; six years total per documentation retention rule
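One way to implement the detections these bullets call for, as an added example that is not from the original page or from Security Consultants: three rules (large export within a sliding window, a login-failure burst ending in a success, and off-hours ePHI access) run over constructed JSON-lines audit events in a hypothetical format. The field names, thresholds and sample data are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a hypothetical JSON-lines format (not real
# data): a clinician with a normal pattern, a user exporting a large batch at
# 02:00, and a service account whose login-failure burst ends in a success.
SAMPLE_LOG = """\
{"ts":"2026-05-04T09:02:11Z","user":"alice","action":"view","patient":"P-1001","count":1,"src_ip":"10.0.4.15"}
{"ts":"2026-05-04T09:05:40Z","user":"alice","action":"view","patient":"P-1002","count":1,"src_ip":"10.0.4.15"}
{"ts":"2026-05-04T02:14:03Z","user":"bob","action":"export","count":1200,"src_ip":"10.0.9.77"}
{"ts":"2026-05-04T02:15:30Z","user":"bob","action":"export","count":900,"src_ip":"10.0.9.77"}
{"ts":"2026-05-04T11:40:00Z","user":"svc-billing","action":"login_failed","count":0,"src_ip":"203.0.113.9"}
{"ts":"2026-05-04T11:40:10Z","user":"svc-billing","action":"login_failed","count":0,"src_ip":"203.0.113.9"}
{"ts":"2026-05-04T11:40:20Z","user":"svc-billing","action":"login_failed","count":0,"src_ip":"203.0.113.9"}
{"ts":"2026-05-04T11:40:30Z","user":"svc-billing","action":"login_failed","count":0,"src_ip":"203.0.113.9"}
{"ts":"2026-05-04T11:40:40Z","user":"svc-billing","action":"login_failed","count":0,"src_ip":"203.0.113.9"}
{"ts":"2026-05-04T11:41:05Z","user":"svc-billing","action":"login_ok","count":0,"src_ip":"203.0.113.9"}
"""

# Thresholds are illustrative assumptions; tune them to the entity's own baseline.
EXPORT_THRESHOLD = 500                    # records per user within EXPORT_WINDOW
EXPORT_WINDOW = timedelta(minutes=10)
FAILED_LOGIN_THRESHOLD = 5                # failures per user within FAILED_LOGIN_WINDOW
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 20)             # 07:00-19:59; ePHI access outside is flagged


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return {(rule, user): detail}; a later hit for the same rule/user overwrites."""
    alerts = {}
    exports = defaultdict(list)   # user -> [(ts, record_count)] inside the window
    failures = defaultdict(list)  # user -> [ts of each failed login]
    for e in events:
        user, ts, action = e["user"], e["ts"], e["action"]
        if action == "export":
            # Sliding window: records exported by this user in the last 10 minutes.
            window = [(t, c) for t, c in exports[user] if ts - t <= EXPORT_WINDOW]
            window.append((ts, e["count"]))
            exports[user] = window
            total = sum(c for _, c in window)
            if total >= EXPORT_THRESHOLD:
                alerts[("large_export", user)] = total
        elif action == "login_failed":
            failures[user].append(ts)
        elif action == "login_ok":
            # A success right after a burst of failures: guessing or stuffing signal.
            recent = [t for t in failures[user] if ts - t <= FAILED_LOGIN_WINDOW]
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts[("credential_misuse", user)] = len(recent)
            failures[user] = []
        if action in ("view", "export") and ts.hour not in BUSINESS_HOURS:
            # Off-hours ePHI access is the simplest anomalous-pattern signal.
            alerts[("off_hours_access", user)] = ts.strftime("%H:%M")
    return alerts


if __name__ == "__main__":
    for (rule, user), detail in sorted(detect(parse_events(SAMPLE_LOG)).items()):
        print(f"{rule:18s} user={user} detail={detail}")
```

Each alert should open a ticket that feeds the Information System Activity Review record, so the review itself becomes retained evidence.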
Encryption
- Use NIST-approved algorithms (AES-256, TLS 1.2/1.3 with strong cipher suites)
- Document key management lifecycle in the Key Management Procedure
- Encryption is a Safe Harbor under the Breach Notification Rule for ePHI rendered unusable, unreadable, or indecipherable per HHS guidance
Vulnerability Management
- Authenticated monthly internal scans
- Quarterly external scans
- Annual penetration testing aligned with the NPRM expectation; see our penetration testing service
Incident Response and Breach Workflow
- Maintain an incident response plan with explicit breach risk assessment using the four-factor analysis
- Establish 60-day notification clocks for individuals, OCR, and (where applicable) prominent media outlets
- For business associates: contractual notification to the covered entity
- Preserve evidence and engage outside counsel as appropriate
7. Policy & Procedure Requirements
- Information Security Policy
- Acceptable Use Policy
- Access Control Policy and Procedures
- Workforce Security Procedures (Authorization, Clearance, Termination)
- Security Awareness Training Procedure
- Security Management Process Procedure
- Audit Logging and Monitoring Procedure
- Encryption and Key Management Policy
- Configuration and Hardening Standard
- Vulnerability and Patch Management Procedure
- Incident Response Plan
- Breach Notification Procedure
- Contingency Plan including BCP and DR Procedures
- Physical Security and Facility Access Procedure
- Workstation Use and Security Procedure
- Device and Media Controls Procedure
- Business Associate Management Procedure with BAA template and register
- Privacy Policy and Notice of Privacy Practices (covered entities)
- Individual Rights Procedures (access, amendment, accounting, restriction)
- Sanction Policy
- Documentation Retention Policy (six years)
For organizations also pursuing SOC 2, most of these documents serve both standards. See our SOC 2 service for the dual-standard approach. For organizations also pursuing ISO 27001, see our ISO 27001 service.
8. Audit Evidence & Verification
HIPAA does not require a certifying audit. OCR conducts investigations in response to complaints, breaches, and compliance reviews. The HHS OCR Audit Protocol (last comprehensively updated as part of the Phase 2 Audit Program) defines the evidence elements OCR examiners request. Many enterprise B2B customers require attestation evidence (SOC 2 report, HITRUST certification, ISO 27001 certificate) as a contractual proxy for HIPAA readiness, since HIPAA itself is not certifiable.
Typical Evidence Categories
- Risk analysis documentation
- Risk management plan with treatment decisions
- Policies, procedures, and workforce training records
- BAA register and signed agreements
- Information system activity review records
- Audit logs and SIEM exports
- Encryption and key management evidence
- Incident records and breach risk assessments
- Contingency plan test records
- Designated Privacy Officer and Security Officer designation memos
- Notice of Privacy Practices (covered entities)
Common Remediation Items
- Risk analysis treated as a one-time exercise rather than ongoing
- BAAs missing for established vendors, including SaaS tools used by individual workforce members
- Encryption claims unsupported by configuration evidence
- Workforce training records incomplete
- No four-factor breach risk assessment record on suspected incidents
- Documentation not retained for six years
9. Implementation Timeline Considerations
Typical Duration
- Business associate readiness (mature controls): 3–6 months from kickoff to credible HIPAA program
- Business associate readiness (substantial remediation): 9–18 months
- Covered entity full program: 12–24 months including Privacy Rule operationalization, BAA inventory, and workforce training rollout
Milestones
- ePHI scoping and data flow mapping
- Risk analysis
- Gap analysis against the Privacy, Security, and Breach Notification Rules
- Policy and procedure development
- BAA inventory, gap closure, template execution
- Workforce training rollout
- Technical remediation (encryption, MFA, logging)
- Contingency plan and IR plan test
- Independent attestation (SOC 2, HITRUST) where required by customers
Dependencies
- Cloud platform decisions and HIPAA-eligible service alignment
- Vendor cooperation on BAA execution
- Engineering capacity for encryption, MFA, audit logging
- vCISO or program lead to coordinate (see vCISO service)
10. Ongoing BAU Requirements
- Annual risk analysis refresh
- Annual policy and procedure review
- Workforce training on hire and periodically
- Quarterly access reviews on ePHI roles
- Continuous vulnerability scanning and remediation
- Annual penetration testing
- Annual IR tabletop and contingency plan test
- BAA register maintained with renewal tracking
- Periodic information system activity review
- Breach risk assessment on every suspected incident with documentation
- Documentation retention for six years
11. Maturity Levels
Minimum Compliance
- Risk analysis completed and updated
- Core policies and procedures in place
- BAAs executed with all PHI-handling vendors
- Workforce training operational
- Manual evidence collection
Intermediate
- Encryption at rest and in transit on all ePHI systems
- MFA enforced on all ePHI access
- Centralized SIEM with HIPAA-tuned detections
- Quarterly access reviews and continuous vulnerability scanning
- NPRM-aligned controls implemented ahead of finalization
Advanced
- Continuous compliance posture aligned with SOC 2, ISO 27001, and HITRUST
- Automated control telemetry and exception management
- Integrated privacy, security, and breach response runbooks with rehearsed escalation
- Vendor BAA lifecycle automated with continuous monitoring
12. FAQs
Is HIPAA certifiable?
No. HIPAA does not have a certification regime. Compliance is demonstrated through documented programs and operational evidence. Many enterprise customers ask for SOC 2, HITRUST, or ISO 27001 attestations as commercial proxies for HIPAA readiness.
Are we a covered entity or a business associate?
Covered entities are health plans, health care clearinghouses, and certain health care providers. Business associates are vendors that handle PHI on behalf of covered entities or other business associates. Most B2B SaaS handling PHI is a business associate. Some entities are hybrid (both), most commonly large health systems with non-clinical business lines.
What is a Business Associate Agreement and when is it required?
A BAA is a written contract required by 45 CFR 164.504(e) before a business associate handles PHI. It addresses permitted uses, safeguards, subcontractor flowdown, breach reporting, termination, return / destruction of PHI, and audit cooperation. No BAA, no PHI handling.
How quickly must we notify after a breach?
Individuals: without unreasonable delay and no later than 60 days from discovery. HHS: contemporaneously for breaches affecting 500 or more individuals; annually for smaller breaches. Prominent media: for breaches affecting more than 500 residents of a state or jurisdiction. Business associates notify the covered entity within 60 days; the BAA may impose shorter clocks.
Is encryption mandatory?
Under the current Security Rule, encryption is addressable, which means the entity must implement it or document the equivalent measure adopted. In practice, OCR considers unencrypted ePHI a material risk and most breaches involving unencrypted ePHI result in enforcement. The 2025 NPRM proposes to make encryption explicitly required for ePHI at rest and in transit. Encrypted ePHI rendered unusable, unreadable, or indecipherable per HHS guidance is also a breach safe harbor.
What changes are in the 2025 Security Rule NPRM?
HHS OCR proposed in January 2025: remove the addressable / required distinction; mandate written documentation for all implementation specifications; mandatory encryption; annual technical asset inventory and network mapping; explicit MFA on all ePHI access; annual risk analysis with documented methodology; annual vulnerability scanning and 12-month penetration testing; vendor risk management uplift. The final rule had not been published at the time of writing; build the program to the NPRM now to avoid expensive uplift later.
What does HIPAA cost?
For a business associate with mature SOC 2 controls, incremental HIPAA-specific work typically runs $50,000–$200,000 to operationalize the Privacy and Breach Notification Rule alongside the existing Security Rule controls, plus BAA negotiation costs. Covered entities incur substantially more due to Privacy Rule individual-rights operationalization.
Do we need to do a SOC 2 if we're already HIPAA-compliant?
HIPAA is regulatory; SOC 2 is a customer-driven assurance standard. Many enterprise B2B healthcare customers contractually require SOC 2 alongside HIPAA. The two share most underlying controls. See our SOC 2 service for the dual-standard approach.
How does HIPAA relate to state laws and the FTC Health Breach Notification Rule?
HIPAA is a federal floor, not a ceiling. State laws (California Confidentiality of Medical Information Act, New York SHIELD Act, Texas Medical Records Privacy Act) may impose additional requirements. The FTC Health Breach Notification Rule applies to entities outside HIPAA's scope that handle personal health records, with breach reporting obligations to the FTC.
What about the Right of Access?
Under 45 CFR 164.524, individuals have a right to access their PHI in the Designated Record Set, typically within 30 days (one 30-day extension permitted). OCR's Right of Access Initiative has resulted in dozens of enforcement actions against covered entities that fail to meet this timeline.
What about HITECH and the 21st Century Cures Act?
HITECH (2009) expanded HIPAA enforcement, established the Breach Notification Rule, and made business associates directly liable. The 21st Century Cures Act information-blocking provisions (administered by ONC) require certain health information to be made available to patients and providers electronically; this is a separate regulatory regime that intersects with HIPAA at the Designated Record Set boundary.
13. Summary
HIPAA establishes the US federal floor for the protection of individually identifiable health information across the Privacy, Security, Breach Notification, and Enforcement Rules. Compliance is operational, not certifiable: a documented risk analysis, a complete BAA inventory, technical safeguards anchored in encryption and MFA, workforce training, and a six-year documentation discipline. The 2025 Security Rule NPRM raises the bar materially across MFA, encryption, technical asset inventory, and testing cadence — covered entities and business associates should build now to the proposed standard.
To scope an engagement, book a call from the HIPAA compliance service page, or talk to us about combining HIPAA with SOC 2, ISO 27001, or a complete vCISO program for ongoing program management.