HIPAA is built on three rules. The Privacy Rule controls how protected health information may be used and disclosed and gives patients rights over it. The Security Rule protects the electronic version of that information through administrative, physical, and technical safeguards. The Breach Notification Rule says what you have to do, and how fast, when protected information is compromised. It binds two groups: covered entities and the business associates that handle data for them. The work that examiners look for first is the risk analysis. Skip it, and you have skipped the foundation the rest of the program is supposed to stand on.
Most organizations meet HIPAA the way they meet a deadline: late, and under pressure. A vendor asks for a signed agreement. A patient files a complaint. A laptop goes missing. Then the questions start, and the answers are supposed to already exist in a binder nobody has updated since the last reorganization. The organizations that fare well are the ones that did the slow, unglamorous work before anyone was watching.
This guide walks the regime the way a practitioner reads it: who it binds, the three rules that make it up, the safeguards the Security Rule actually requires, the risk analysis that anchors all of it, the business associate agreements that extend it down the supply chain, the clock that starts when something breaks, and what it costs to get it wrong. The grounding here is 45 CFR Part 160 and Part 164, and the HHS Office for Civil Rights audit protocol that examiners use to test against it.
Who has to comply
HIPAA does not apply to everyone who touches health information. It applies to two defined groups, and getting your own classification right is the first thing to settle, because the obligations differ.
Covered entities
A covered entity is one of three things: a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a covered transaction such as a claim or an eligibility check. A solo physician who bills electronically is a covered entity. A hospital is a covered entity. A health insurer is a covered entity. The electronic-transmission trigger is what pulls most providers in.
Business associates
A business associate is any person or organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity to perform a function or service. Claims processors, cloud hosting providers, billing companies, transcription services, analytics vendors, and IT firms with access to systems holding health information are common examples. A business associate is directly liable for the Security Rule and for parts of the Privacy and Breach Notification Rules, not merely contractually liable to the covered entity.
A subcontractor that creates, receives, maintains, or transmits protected health information for a business associate is itself a business associate. The obligations flow all the way down the chain. A vendor cannot shed HIPAA by outsourcing the work to a fourth party.
The information HIPAA protects
HIPAA protects protected health information, or PHI: individually identifiable health information held or transmitted by a covered entity or business associate, in any form, whether on paper, spoken, or electronic. When that information is in electronic form, it is electronic protected health information, or ePHI, and the Security Rule attaches to it specifically. The first practical step in any HIPAA program is to map where this information lives and moves across your systems and media. That map is the predicate for everything that follows, the risk analysis most of all.
The three rules
People say "HIPAA" as if it were one thing. In practice it is three operative rules under 45 CFR Part 164, each with a distinct job.
| Rule | Citation | What it governs |
|---|---|---|
| Privacy Rule | Subpart E | How protected health information in any form may be used and disclosed, the minimum-necessary standard, and the rights patients hold over their own information, including access and amendment. |
| Security Rule | Subpart C | The administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of electronic protected health information specifically. |
| Breach Notification Rule | Subpart D | What an entity must do, and by when, when unsecured protected health information is breached: who to notify, how, and within what timelines. |
The Privacy Rule and minimum necessary
The Privacy Rule sets the conditions under which protected information may be used and disclosed, and it builds in a discipline that many programs underweight: the minimum necessary standard. When you use, disclose, or request protected health information, you limit it to the least amount needed to accomplish the purpose. There are carve-outs, including disclosures to the patient and disclosures for treatment, but the default posture is restraint. The Privacy Rule also grants patients rights, including the right to access their own records and to request corrections.
The Security Rule safeguards
The Security Rule is where most of the engineering work sits. It organizes its requirements into three families of safeguards under 45 CFR 164.308, 164.310, and 164.312, plus organizational and documentation requirements. Each requirement is a standard, and most standards carry implementation specifications.
Administrative safeguards (164.308)
Administrative safeguards are the policies, procedures, and management actions that govern the security program. They are the largest family. They include the security management process and its risk analysis and risk management specifications, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, the contingency plan, periodic evaluation, and the requirement to have business associate agreements in place.
Physical safeguards (164.310)
Physical safeguards protect the facilities, equipment, and media where electronic protected health information lives. They cover facility access controls, workstation use and workstation security, and device and media controls, including the disposal and re-use of media that has held protected information. A hard drive that leaves the building without being wiped is a physical-safeguard failure.
Technical safeguards (164.312)
Technical safeguards are the technology controls applied to the information itself and to the systems that hold it. They cover access control (unique user identification and an emergency access procedure are required; automatic logoff and encryption/decryption are addressable), audit controls that record and let you examine activity in systems holding electronic protected health information, integrity controls that protect information from improper alteration or destruction, person or entity authentication, and transmission security for information moving across networks, where integrity controls and encryption are again addressable.
Required versus addressable
Within the Security Rule, every implementation specification is labeled either required or addressable. This distinction trips up more programs than any other, so it is worth stating plainly.
| Label | What it means |
|---|---|
| Required (R) | You must implement the specification as written. There is no flexibility, and the determination is binary against the standard. |
| Addressable (A) | You assess whether the specification is reasonable and appropriate in your environment, then either implement it, implement an equivalent alternative, or document why neither is reasonable and the standard can still be met another way. Addressable is not optional. Skipping an addressable specification with no documented analysis is a violation, and the missing analysis is the finding. |
A proposed update to the Security Rule, issued by OCR in December 2024 and published in the Federal Register in January 2025 with comments closing in March 2025, would remove the addressable category and make nearly all implementation specifications required, while making controls like multi-factor authentication and encryption of electronic protected health information mandatory. As of this writing that rule is proposed, not finalized, so the required-versus-addressable logic above remains current law. Confirm the current text against the Code of Federal Regulations before relying on it in a high-stakes matter.
Separately, a 2024 rule on reproductive health information, which had added an attestation requirement for certain disclosures, was vacated nationwide by a federal court on June 18, 2025, and the appeal was dropped, so that rule and its attestation requirement are no longer in effect. Reproductive health information remains governed by the general HIPAA rules and by applicable state law.
Risk analysis: the foundation examiners check first
If there is one obligation to get right, it is the risk analysis under 45 CFR 164.308(a)(1)(ii)(A). It is a required specification, and it is the deficiency the Office for Civil Rights cites most often in enforcement. The standard asks for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information the entity creates, receives, maintains, or transmits.
The words "accurate and thorough" and "all" carry the weight. A risk analysis that covers one system and ignores three others is not thorough. One that was done two years ago and never revisited after a major system change is not accurate anymore. The risk analysis feeds the risk management specification at 164.308(a)(1)(ii)(B), which requires implementing measures sufficient to reduce the identified risks to a reasonable and appropriate level. The two move together: the analysis names the risks, and the management plan has to trace back to them.
Business associate agreements
A business associate agreement, or BAA, is the contract that binds a vendor handling protected health information to safeguard it and to use it only as permitted. Under 45 CFR 164.308(b) and 164.314(a), a covered entity must have a compliant BAA in place before it lets a business associate handle protected information, and a business associate must have one with each of its subcontractors. The agreement establishes the permitted uses, requires the safeguards, obligates breach reporting up the chain, and addresses the return or destruction of information when the relationship ends. A missing or stale BAA is a recurring enforcement finding, because it is easy to verify and easy to neglect.
Breach notification timelines
The Breach Notification Rule, 45 CFR 164.400 through 164.414, sets the clock that starts when unsecured protected health information is compromised. "Unsecured" means the information was not rendered unusable, unreadable, or indecipherable to unauthorized persons under the HHS guidance, which in practice means encryption or destruction; a lost device whose data was encrypted with a key that was not also compromised does not trigger the rule. "Discovery" is the first day the breach is known to the entity, or by exercising reasonable diligence would have been known, including knowledge held by a workforce member or agent. The timelines are specific, and the size of the breach changes who you have to tell.
| Who notifies whom | Deadline |
|---|---|
| Covered entity to affected individuals | Without unreasonable delay, and no later than 60 calendar days after discovery of the breach. |
| Covered entity to HHS, large breaches (500 or more individuals) | Contemporaneously with notice to individuals, without unreasonable delay and no later than 60 calendar days after discovery. |
| Covered entity to media, large breaches (more than 500 residents of a single state or jurisdiction) | To prominent media outlets serving the state or jurisdiction, without unreasonable delay and no later than 60 calendar days after discovery. Note the threshold differs from the HHS one: more than 500 residents of one state, not 500 or more individuals overall. |
| Covered entity to HHS, smaller breaches (fewer than 500) | In an annual log, no later than 60 days after the end of the calendar year in which the breach was discovered. |
| Business associate to covered entity | Without unreasonable delay and no later than 60 calendar days after the business associate discovers the breach, so the covered entity can meet its own deadlines. The business associate agreement can, and commonly does, set a shorter contractual deadline. |
An impermissible use or disclosure of protected health information is presumed to be a breach unless the entity can show a low probability that the information was compromised, judged through a documented risk assessment that weighs four factors: the nature and extent of the information, including the identifiers involved and the likelihood of re-identification; the unauthorized person who used it or to whom it was disclosed; whether it was actually acquired or viewed; and the extent to which the risk has been mitigated. The burden of proof sits with the covered entity or business associate, so keep that assessment in writing even when the conclusion is that no notification is owed.
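A breach response plan is supposed to have these paths "built in", and the easiest way to keep the thresholds straight is to encode them. The following is an added example, not part of this guide or of any HHS material: it turns the table above into a function that, given a discovery date and a per-state count of affected individuals, returns every notification a covered entity owes and its outer deadline. The input shape (an ISO date plus a state-to-count mapping) and the sample breach are constructed for illustration. The 60-day figures are outer limits; "without unreasonable delay" can require acting sooner, and this is a planning aid, not legal advice.

```python
"""Breach-notification path calculator (added example; not from the page).

Encodes the recipient rules and outer deadlines of 45 CFR 164.404-164.410
as the guide summarizes them. Field names, the input shape and the sample
breach are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

OUTER_WINDOW = timedelta(days=60)   # "no later than 60 calendar days" after discovery
HHS_IMMEDIATE_THRESHOLD = 500       # 164.408(b): 500 OR MORE individuals
MEDIA_THRESHOLD = 500               # 164.406:    MORE THAN 500 residents of one state/jurisdiction


@dataclass
class Breach:
    discovered: str                     # ISO date of discovery, e.g. "2025-03-10" (assumed input shape)
    residents_by_state: dict[str, int]  # affected individuals per state/jurisdiction (assumed input shape)

    @property
    def discovered_on(self) -> date:
        return date.fromisoformat(self.discovered)

    @property
    def total_individuals(self) -> int:
        return sum(self.residents_by_state.values())


def annual_log_deadline(discovered: date) -> date:
    """Breaches under 500 individuals go to HHS in an annual log, due no later
    than 60 days after the end of the calendar year in which they were discovered."""
    return date(discovered.year, 12, 31) + OUTER_WINDOW


def business_associate_deadline(ba_discovered: date) -> date:
    """164.410: the business associate must notify the covered entity within
    60 days of its own discovery (a BAA may contractually shorten this)."""
    return ba_discovered + OUTER_WINDOW


def notification_plan(b: Breach) -> dict[str, str]:
    """Map each notification the covered entity owes to its outer deadline (ISO date)."""
    outer = (b.discovered_on + OUTER_WINDOW).isoformat()
    plan: dict[str, str] = {"individuals": outer}  # 164.404: always owed

    if b.total_individuals >= HHS_IMMEDIATE_THRESHOLD:
        # Large breach: HHS is told contemporaneously with the individuals.
        plan["HHS (immediate)"] = outer
    else:
        plan["HHS (annual log)"] = annual_log_deadline(b.discovered_on).isoformat()

    for state, count in sorted(b.residents_by_state.items()):
        # Media notice is per state and uses a strictly-greater-than test,
        # so exactly 500 residents of one state triggers HHS but not media.
        if count > MEDIA_THRESHOLD:
            plan[f"media in {state}"] = outer
    return plan


if __name__ == "__main__":
    # Constructed sample: 820 individuals, 700 of them in one state.
    sample = Breach(discovered="2025-03-10", residents_by_state={"TX": 700, "OK": 120})
    for recipient, deadline in notification_plan(sample).items():
        print(f"{recipient:<22} by {deadline}")
```

The two thresholds are deliberately separate constants with separate comparison operators, because that asymmetry (500 or more for HHS, more than 500 in one state for media) is the detail that gets lost when a plan is written from memory. Run it on the constructed sample and the output shows individuals, HHS, and Texas media all due 2025-05-09, with no media notice for Oklahoma.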
Enforcement and penalties
The Office for Civil Rights enforces HIPAA, through complaint investigations, compliance reviews, and a periodic audit program. Civil money penalties follow a four-tier structure keyed to culpability.
| Tier | Culpability |
|---|---|
| 1 | The entity did not know, and by exercising reasonable diligence would not have known, of the violation. |
| 2 | The violation was due to reasonable cause and not willful neglect. |
| 3 | Willful neglect, but the violation was corrected within the required period. |
| 4 | Willful neglect that was not timely corrected. |
Each tier carries a higher per-violation minimum, and penalties are subject to an annual cap per identical provision. The dollar figures are adjusted for inflation, so confirm the current amounts against the published penalty schedule rather than relying on a number from memory. Penalties for willful neglect are mandatory. Beyond civil penalties, the Department of Justice can pursue criminal penalties, including fines and imprisonment, for knowing wrongful disclosure of protected health information, with the severity rising when the conduct involves intent to sell or use the information for gain.
The current OCR audit cycle is weighted toward the Security Rule provisions most relevant to hacking and ransomware: risk analysis, risk management, access control, audit controls, and contingency planning. The underlying requirements are the same ones that have always applied. What has shifted is where the examiner looks first.
A HIPAA readiness checklist
Run this before you assume the program is in shape.
- Your entity type is settled: covered entity, business associate, or subcontractor business associate, with the obligations that follow.
- You have a current map of where electronic protected health information is created, received, maintained, and transmitted across every system and medium.
- A risk analysis exists, covers all electronic protected health information, and has been updated after the last significant change.
- A risk management plan traces directly back to the risks the analysis identified.
- Administrative, physical, and technical safeguards are documented and operating, not just written.
- Every addressable specification you did not implement has a documented analysis explaining why and how the standard is still met.
- A compliant business associate agreement is in place with every vendor that touches protected health information, and with every subcontractor below them.
- A breach response plan exists with the 60-day clock built into it and the notification paths mapped by breach size.
- Workforce training and a sanction policy are in place and applied.
- The documentation is retained and available, because an examiner who cannot see the evidence treats it as absent.
What HIPAA rewards is an organization that can show its work: a map of where the data lives, an honest assessment of what could go wrong, controls that match the risks, and a record an examiner can read as proof that someone took it seriously before anyone made them. That is the whole job. For the terms used throughout this guide, see the HIPAA glossary.