Healthcare data is among the most sensitive information an organization can handle. Whether you run a hospital, a billing platform, a cloud storage service, or a CPA firm that works with medical clients, HIPAA compliance is not optional — it is a legal and operational necessity that protects both patients and the organizations that serve them.

This guide covers everything you need to know: what HIPAA is, who it applies to, what its requirements demand, and what happens when organizations fall short. Understanding the need for compliance in today’s world starts here — and for any business touching US healthcare data, HIPAA is the baseline.

What is HIPAA?

HIPAA — the Health Insurance Portability and Accountability Act — was passed by the US Congress in 1996. It was designed to modernize healthcare information standards while establishing robust protections for patient data. At its core, HIPAA does four things:

  • Provides the ability to transfer and continue health insurance coverage for American workers and their families when they change or lose their jobs
  • Reduces healthcare fraud and abuse across the industry
  • Mandates industry-wide standards for healthcare information on electronic billing and related processes
  • Requires the protection and confidential handling of Protected Health Information (PHI)

HIPAA is structured around five major Titles. Title 2 — Administrative Simplification — defines the compliance requirements and applies to any service provider that deals with ePHI (electronic Protected Health Information) either directly or indirectly. Understanding what PHI means under HIPAA is essential before assessing your organization’s obligations.

HIPAA Compliance

How is HIPAA Classified? Who should be HIPAA Compliant?

Under Title 2, HIPAA classifies organizations into three categories:

Covered Entities → Business Associates → Subcontractors

The HIPAA Administrative Simplification Rules establish national standards for electronic transactions and code sets to maintain the privacy and security of PHI. Every organization that falls under one of these three classifications must comply with HIPAA to the level prescribed by law. If you are unsure which category applies to you, understanding the distinction between covered entities and business associates is the right place to start.

Covered Entities

Covered Entities are individuals or organizations that transmit Protected Health Information for transactions for which the Department of Health and Human Services (HHS) has adopted standards. These transactions include healthcare claims, payment and remittance advice, eligibility checks, healthcare electronic fund transfers, and referral certification.

Covered Entities fall into three groups:

  • Healthcare Providers
  • Health Plans
  • Healthcare Clearinghouses

Healthcare Providers include:

Hospitals, clinics, doctors, psychologists, dentists, chiropractors, nursing homes, pharmacies, home health agencies, and other providers of healthcare that transmit health information electronically.

Health Plans include:

Health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs.

Healthcare Clearinghouses include:

Organizations that process non-standard health information and convert data into types that conform to the standards outlined in the HIPAA Administrative Simplification Regulations (i.e. standard electronic format or data content, or vice versa).

Business Associates

A Business Associate is any individual or company that provides services to a Covered Entity requiring access to, storage of, use of, or transmission of PHI. This includes third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms, EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and medical device manufacturers.

Before a Business Associate is given access to PHI or systems containing PHI, they must enter into a HIPAA Business Associate Agreement (BAA) with the Covered Entity. This contract defines the Business Associate’s responsibilities with respect to HIPAA and PHI. Understanding BAA requirements and common pitfalls is critical to avoid costly compliance gaps.

Subcontractors

Subcontractors are individuals or companies that provide services to HIPAA Business Associates and are limited to processing data as per their agreements. They perform specific functions involving the use or disclosure of PHI on behalf of Covered Entities, including:

  • Legal and actuarial services
  • Accounting and financial services
  • Consulting and management
  • Administration and accreditation

What are the Requirements of HIPAA Compliance?

Every Covered Entity and Business Associate with access to PHI must ensure that technical, physical, and administrative safeguards are in place. They must comply with the HIPAA Privacy Rule to protect the integrity of PHI, and follow the HIPAA Breach Notification Rule if a breach occurs.

All risk assessments, HIPAA-related policies, and reasons why any addressable safeguards have not been implemented must be documented — both as a governance practice and in preparation for any regulatory investigation. HIPAA IT requirements cover the full technical and administrative landscape of what must be in place.

Privacy Rule

The HIPAA Privacy Rule governs how ePHI can be used and disclosed. Since 2003, it applies to all healthcare organizations, health plan providers, healthcare clearinghouses, and — since 2013 — the Business Associates of Covered Entities.

Key obligations under the Privacy Rule:

  • Implement appropriate safeguards to protect the privacy of PHI
  • Respond to patient access requests within 30 days
  • Set limits and conditions on use and disclosure of PHI without patient authorization
  • Grant patients rights over their health information — including the right to obtain copies, examine records, and request corrections

Understanding PHI disclosure rules helps organizations establish compliant workflows for every scenario where patient data changes hands.

Security Rule

The HIPAA Security Rule defines the standards that must be applied to safeguard ePHI both at rest and in transit. It applies to anyone — or any system — that has access to confidential patient data. There are three components:

Physical Safeguards — Focus on physical access to ePHI regardless of its location, whether stored in a remote data center, the cloud, or on-premises servers. These also govern how workstations and mobile devices must be secured against unauthorized access.

Administrative Safeguards — The policies and procedures that bring the Privacy Rule and Security Rule together, ensuring governance is in place across all organizations handling ePHI. These safeguards ensure staff are aware of breach risks and the consequences of non-compliance. HIPAA security rules define the full scope of what administrative governance must cover.

Technical Safeguards — Govern the technology used to protect ePHI and control access to it. A central requirement: ePHI must be encrypted at rest and in transit so that any breach renders the data unreadable, undecipherable, and unusable. This intersects directly with data protection best practices in healthcare.

Breach Notification Rule

The HIPAA Breach Notification Rule requires Covered Entities to:

  • Notify affected patients when a breach of their ePHI occurs
  • Promptly notify the Department of Health and Human Services (HHS)
  • Issue a media notice if the breach affects more than 500 patients

HIPAA violations — whether from mishandled PHI, inadequate safeguards, or delayed breach notifications — carry serious financial and reputational consequences. Staying current on HIPAA updates in 2026 is essential as enforcement continues to intensify.

HIPAA Violation Penalties

HIPAA penalties are tiered based on the level of negligence and the scale of the breach. The HHS Office for Civil Rights (OCR) enforces violations and publishes findings publicly — often referred to as the “Wall of Shame.” Fines range from $100 per violation for unknowing violations up to $1.9 million per violation category per year for willful neglect left uncorrected.

Beyond financial penalties, HIPAA violations can trigger:

  • Federal criminal charges for intentional misuse of PHI
  • Reputational damage that erodes patient and partner trust
  • Loss of business relationships with enterprise healthcare clients
  • Mandatory corrective action plans monitored by the OCR

Understanding healthcare data breaches — their causes, costs, and prevention strategies — is the most effective way to put HIPAA requirements in real-world context. Healthcare cybersecurity practices must be tightly aligned with your HIPAA safeguards to close the gaps that regulators and attackers both exploit.

HIPAA Compliance and the Broader Compliance Landscape

HIPAA does not exist in isolation. Many organizations subject to HIPAA also operate under GDPR, SOC 2, or ISO 27001 — and aligning these frameworks reduces duplicated effort. Understanding HIPAA vs GDPR compliance helps multinational organizations map their obligations efficiently.

For organizations wondering about the cost of getting certified, a clear understanding of HIPAA certification cost helps leadership plan the investment. For those who need expert guidance throughout, HIPAA consultants provide the structured support needed to implement, verify, and maintain compliance without disrupting daily operations.

How CertPro Can Help

CertPro’s licensed CPAs and compliance specialists guide organizations through every stage of HIPAA compliance — from initial gap assessment and policy development through to implementation, staff training, risk assessment, and formal certification. We work with healthcare providers, Business Associates, and SaaS platforms across the US, India, Canada, and beyond.

We don’t just make you compliant — we help you turn compliance into a competitive advantage with enterprise clients who demand proof of HIPAA alignment before signing contracts.

Contact CertPro today and let us guide, train, implement, verify, and certify your organization.
