HIPAA Compliance: 2024 Complete Guide

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) means adhering to the rules and regulations that impact what, how, and when protected health information (PHI) can be shared, and by whom.

To fully define HIPAA compliance, it’s necessary to understand its relationship to PHI. Under HIPAA, organizations or third parties that handle or manage PHI must ensure that patient health information is kept private and secure—while still enabling the efficient administration of health services. This is primarily accomplished under the HIPAA Privacy and Security Rules, but HIPAA also outlines standards for enforcement and what to do in case of a breach.

HIPAA compliance is an important part of an organization’s security strategy and risk mitigation efforts. Failure to comply with HIPAA standards puts your data security at risk—which can lead to fines and penalties (including civil and criminal lawsuits), disrupt business, break customer trust, and result in profit loss.

The Health Insurance Portability and Accountability Act is a federal law that was originally introduced in 1996 to ensure that employees could retain their health insurance during a voluntary or involuntary termination. The Act also aimed to combat waste, fraud, and abuse in the health industry and to simplify healthcare administration through standardized processes and transaction requirements. This included mandating federal standards for the privacy of individually identifiable health information—the standards that have arguably the most impact on modern compliance efforts.

Prior to HIPAA, the U.S. relied on a patchwork of federal and state laws to govern how health information could be used and shared. During this time, PHI could be distributed across hospitals, doctors’ offices, insurers, and state lines without notice or authorization from the patient—even for reasons unrelated to the patient’s medical care or reimbursement. This meant, for example, that unless forbidden by a state or local law, a health plan could share patient information with an employer who could then use it to make personnel decisions.

To address these disparities and abuse of patient information, HIPAA required the creation of national standards to protect the privacy and security of PHI across the country.

The task of creating and implementing these national standards fell to the U.S. Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR).

There are three main rules organizations must follow to be HIPAA compliant:

• The Privacy Rule
• The Security Rule
• The Breach Notification Rule

HHS first introduced the Privacy Rule, which had an effective compliance date of April 14, 2003. The Privacy Rule addresses the use and disclosure of individuals’ health information in all its forms (written, oral, and electronic).

The HIPAA Security Rule was implemented two years later on April 21, 2005, and addresses the security of electronic protected health information (ePHI) specifically. It does not apply to PHI transmitted orally or in writing.

The HIPAA Breach Notification Rule became effective on September 23, 2009. It outlines the requirements for who and when to notify in the event of a breach of unsecured PHI.

The purpose of HIPAA compliance is to ensure the confidentiality of private patient information in all its forms (paper, oral, and electronic). In addition to protecting patient privacy and information, complying with HIPAA protects organizations from costly security breaches, lawsuits, and penalties for violations. This is especially important as cybersecurity threats continue to rise in an increasingly digital-first world where electronic record keeping, digital data transfer, and cloud services are the primary mode of communication and data storage.

Amid this growing cyber risk landscape, ensuring compliance with HIPAA helps organizations minimize their vulnerabilities and reduce the impact of breaches when they do occur.

HIPAA compliance is required for organizations or third parties that handle or manage protected health information (PHI). These organizations are called covered entities.

Covered entities include:

• Healthcare providers, including hospitals, clinics, doctors, and nursing homes.
• Health plans, including insurance companies, HMOs, and government programs like Medicare.
• Healthcare clearinghouses, which essentially act as the middlemen between providers and insurance companies to help process claims.

Additionally, the HIPAA compliance definition stipulates that third-party vendors who provide services to covered entities and may handle protected data are also required to be HIPAA compliant. These business associates can include contractors, lawyers, accountants, IT specialists, and more.

HIPAA compliance is a costly investment and a tough standard to meet. But it has important benefits for both patients and covered entities.

Benefits to Patients

• Greater control over and access to their medical records
• Power to make more informed decisions about private health information
• Protection for how their information is used and disclosed
• Accountability for persons or entities that violate those legal protections

Benefits to Covered Entities

• Protection against loss of PHI and other sensitive data
• Greater customer satisfaction and confidence
• Reduced liability
• Better security against costly cyberattacks

A HIPAA violation is the unauthorized acquisition, access, use, or disclosure of PHI that compromises the patient and their information.

Common violations include:

• Not encrypting PHI
• Loss or theft of devices
• Unauthorized sharing of information
• Improper disposal of PHI
• Accessing PHI from an unsecured network
• Failing to conduct proper training and risk assessment
• Failing to get a HIPAA compliance contract with business associates
• Waiting to notify of a breach

HIPAA violations can be intentional or unintentional. Civil or criminal penalties are issued depending on the type and severity of the violation.

HIPAA Penalties for Non-Compliance

There are two types of penalties for HIPAA violations: criminal and civil. Each type has tiers of penalties based on the severity of the violation. The maximum civil fine per violation is $1,919,173. The maximum criminal penalty is a fine of up to $250,000 and/or ten years of prison time. Penalties are compounding, meaning an organization can be penalized for each violation, with annual caps on penalties for multiple violations of the same provision.

Filing a Complaint

Anyone can file a complaint if they believe there has been a violation of the HIPAA Rules.

The complaint must:

• Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal.
• Name the covered entity or business associate involved, and describe how the Privacy, Security, or Breach Notification Rules were violated.
• Be filed within 180 days of when the person filing the complaint knew that the violation occurred.

So what does it mean to be compliant with HIPAA? HIPAA is broken down into three main rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

These rules ensure that PHI is only shared and accessed by authorized parties and that covered entities safeguard PHI through reasonable physical, administrative, and technical measures—reporting any breaches in a timely manner.

HIPAA Privacy Rule

The Privacy Rule outlines the overarching standards governing the use and disclosure of individually identifiable health information handled by covered entities and business associates. The rule defines what constitutes protected health information, what safeguards must be in place to protect it, and how, where, and when it can be used and disclosed without the individual’s permission.

This protects patient privacy while giving patients greater access and control over their medical records and how that information is shared.

Protected health information under the Privacy Rule includes:

• Identifiers like name, address, birth date, and Social Security number
• The individual’s past, present, or future physical or mental health or condition
• The provision of health care to the individual
• The past, present, or future payment for the provision of health care to the individual

HIPAA Security Rule

The Security Rule sets standards for protecting and securing a subset of information covered under the Privacy Rule: electronic PHI. Where the Privacy Rule governs the privacy and confidentiality of all PHI, the Security Rule establishes standards specifically for securing ePHI. In other words, if electronic data isn’t secured, a cybersecurity breach can result in a breach in patient privacy—undermining the overarching Privacy Rule standards.

This is an important rule because so much information is stored, accessed, and shared digitally today. With cybersecurity threats growing each year, ensuring digital information is appropriately secured is essential to not only remaining HIPAA compliant but also protecting the organization and its patients.

HIPAA Breach Notification Rule

The Breach Notification Rule requires covered entities to notify the appropriate people when a breach occurs. A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

Covered entities must notify all individuals impacted by the breach as well as the Secretary of Health and Human Services without reasonable delay and within 60 days after discovering the breach. They can notify the Secretary by filling out and electronically submitting a breach report form.

In addition to notifying individuals and the HHS, the covered entity must also notify prominent local media if the breach affects more than 500 residents of a State or jurisdiction.

Privacy Rule Requirements

To comply with the Privacy Rule, covered entities must:

• Notify patients about their privacy rights and how the organization will use their information
• Adopt privacy procedures and train employees to follow them
• Assign a compliance officer to ensure the organization is adopting and following privacy procedures
• Secure patient records containing PHI so they aren’t readily available to those who don’t need to see them

Another key part of the Privacy Rule is the Minimum Necessary Requirement. This requirement is based on the best practice principle that PHI shouldn’t be used or disclosed unless necessary to get the job done. As such, the Privacy Rule requires covered entities to evaluate their practices and implement safeguards to limit unnecessary or inappropriate access to and disclosure of protected health information.

To do this, covered entities must create policies that identify:

• Who needs access to the information to carry out their job duties
• The categories or types of PHI needed
• Under what conditions such access is appropriate

For routine requests or disclosures, the organization can rely on standard protocols that limit the PHI disclosed to the minimum necessary. However, any non-routine disclosures or requests must be reviewed on a case-by-case basis.

By limiting the use and disclosure of PHI in this way, HIPAA compliant organizations can reduce the chance that information is compromised in an unauthorized disclosure or breach.

Security Rule Requirements

The Security Rule requirements aim to protect the confidentiality, integrity, and availability of patients’ ePHI. To do this, organizations are required to analyze their security risks, develop reasonable and appropriate security policies, and ensure their workforce is compliant.

The Security Rule outlines guidelines for three areas of security: administrative, physical, and technical.

• Administrative safeguards include any administrative actions, policies, or procedures to develop and implement security measures that protect ePHI.
• Physical safeguards are measures that protect physical access to ePHI. This can include building access controls, workstation security, and device controls.
• Technical safeguards are the technology and associated policies and procedures that protect ePHI and control its access. These safeguards can include access control, audit controls, and authentication procedures.

HIPAA doesn’t require specific technologies to achieve compliance but rather gives organizations the flexibility to determine what technology will help them meet these requirements.

To achieve HIPAA compliance, organizations should develop a strategic compliance program based on the following key elements:

1. Implementing written policies and procedures

Policies and procedures provide the foundation for a strong compliance program.

The written policies and procedures should outline:

• A corporate compliance program
• A code of conduct or ethics
• Training, acknowledgment, and corrective action plans
• A disaster recovery plan

These policies and procedures—based on HIPAA requirements—help direct what behaviors are acceptable, what actions need to be taken, and how operations should run day-to-day to ensure everyone is compliant. They should also outline what to do if a violation occurs and how to maintain a well-trained workforce.

Policies should apply to all employees, staff members, volunteers, and management departments to ensure broad compliance. These should be living documents that are reviewed regularly and kept up to date with best practices and new or evolving regulations.

2. Designating a compliance officer and committee

Implementing compliance policies without anyone to oversee how those policies are carried out and whether they are consistently adhered to will lead to gaps in compliance. This puts the organization at risk for violations and breaches—and the associated penalties.

To ensure compliance policies and procedures are properly implemented and maintained, organizations should appoint a compliance officer to lead an advisory committee. Together they will monitor compliance efforts, assess compliance risks, and advise on how to correct or improve current compliance plans.

3. Conducting effective training and education

A compliance program is useless if no one is aware of it. That is why it's essential to develop and implement a robust training and education plan.

A training program should consider:

• How will new employees be trained?
• Who will conduct training?
• What type of training will be provided and how will the information be made accessible?
• Where can people find answers to questions?
• Who will manage employee training and ensure compliance?

A training program must be more than a one-time event. Training should occur regularly with resource materials readily available so employees can continuously access the information they need to stay up to date and effectively comply.

4. Developing effective lines of communication

Open communication is critical to ensure members of the organization can report problems, ask questions, provide feedback, and solicit help when needed. This requires not only providing clear channels for communicating, but building a culture of transparency where people feel comfortable sharing without fear of retaliation.

This culture can be developed by creating clear communication policies, encouraging (and acting on) feedback, ensuring confidentiality, communicating compliance expectations regularly, and providing channels for anonymous reporting, such as hotlines or surveys.

5. Conducting internal monitoring and auditing

Compliance isn’t a stationary achievement. It is an evolving and ongoing objective that requires consistent monitoring and effort. This can include:

• Internal audits
• Compliance inspections
• Peer reviews
• External audits, reviews, and inspections

Additionally, automated monitoring systems can help organizations identify network compliance issues and risks and audit IT systems for proper data security and access controls.

6. Enforcing standards through well-publicized disciplinary guidelines

How will HIPAA standards be enforced in the organization? Enforcement is an essential component of compliance as it helps people understand the risks and the seriousness of the violations, and take steps to avoid them. Clear disciplinary guidelines ensure consistent compliance.

A good policy management system can support this initiative by notifying employees when new standards or policies are in effect and outlining what the consequences are for noncompliance.

7. Responding promptly to detected problems and undertaking corrective action

How quickly organizations respond to compliance issues is critical to mitigating the risk of greater harm and limiting the scope of the problem.

Organizations should create a corrective action plan that outlines how to address violations, including how to identify, confirm, and handle compliance issues. The plan should clarify who needs to be notified along with what disciplinary action, if any, is required.

Cybersecurity attacks have been a growing threat for years. The health sector has long been a target for cyber attackers because it works with so much sensitive (and valuable) patient data. But the COVID pandemic accelerated and revealed just how vulnerable hospitals and the healthcare industry are in particular. In 2020, hacking/IT incidents represented a significant portion of the data breach reports.

Part of this increase is due to an influx of ransomware hackers. In response, HHS issues guidance and warnings for providers to strengthen their privacy and security measures. For example, in 2022, HHS released a notice of a new ransomware group targeting healthcare organizations called Hive. HHS recommended the Healthcare and Public Health (HPH) Sector apply appropriate cybersecurity principles and practices to defend their infrastructure and data against compromise.

In addition to notices of increased cybersecurity risks and recommendations, HHS and OCR published updates on how healthcare providers can disclose PHI under HIPAA within the context of the COVID outbreak. One of the most significant impacts of the pandemic on HIPAA compliance was related to telehealth services. Because people needed to work remotely (and many patients couldn’t safely access services in person), telehealth services and remote communication increased dramatically. The problem is that some remote communication technologies and platforms were not HIPAA compliant—posing a burden on providers and patients.

To address this issue, the OCR shared the Notice of Enforcement Discretion in relation to COVID-19 on March 17, 2020. The notice announced that OCR would exercise its enforcement discretion and not impose penalties for HIPAA noncompliance against covered health care providers in connection with the good faith provision of telehealth and the use of non-public facing audio or video communication products during the COVID-19 emergency. The list of permitted applications under this notice included Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype.

These enforcement exceptions enabled healthcare providers to use their best judgment in choosing telehealth technologies that allowed them to safely care for patients remotely without fear of penalty for inadvertent violations.

Achieving HIPAA compliance is a huge task and a costly investment. But breaking it down into manageable steps can help you manage compliance more easily.

Use the checklist below to make sure you’re on the right track.

1. Understand HIPAA Privacy and Security Rules

The first step to compliance is to understand what it means to be in compliance with HIPAA. The combined regulation text for all HIPAA rules is 115 pages long, and parsing through all the standards and technical requirements can be overwhelming.

To understand what is HIPAA compliant, review the HIPAA Privacy and Security Rules to get familiar with the various HIPAA guidelines for healthcare professionals. For instance, there are around 50 implementation specifications in the HIPAA Security Rule under the administrative, physical, and technical safeguards. This section can be highly technical so it will take time to parse out what rules apply and how you can implement them. Start by putting together the big picture and then drill down into the specific details as you go.

2. Determine if the Privacy Rule applies to you

The Privacy Rule defines what information is protected under HIPAA as well as who is covered by the Rule. These covered entities include health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form. If you’re not sure if you’re a covered entity, you can use the Covered Entity Decision Tool to find out.

If you are a covered entity, review the Privacy Rule guidelines on what constitutes protected health information and the general principles for uses and disclosures to see what areas may be applicable to your work.

3. Protect the right types of patient data

Not all information is protected under HIPAA—and there are permissible uses of PHI without authorization, such as when the patient data has been anonymized. In order to achieve HIPAA compliance, you’ll need to identify what patient data you have, how it is used, and what data falls under HIPAA regulation.

4. Prevent potential HIPAA violations

Preventing HIPAA violations requires an assessment of risk, a plan to address gaps in compliance and security, and robust implementation. A few HIPAA compliance controls you can include are:

• Encrypting data
• Never leaving devices or documents unattended
• Conducting regular cybersecurity awareness training
• Reviewing compliance requirements
• Never accessing patient records unless necessary
• Safely and properly disposing of PHI
• Ensuring all business associates sign a contract agreeing to HIPAA compliance
• Implementing system monitoring and access control management

5. Stay updated on HIPAA changes

Unfortunately, HIPAA compliance is often a moving target. HIPAA guidelines are subject to change—especially during health emergencies like the COVID pandemic. As technology continues to evolve, requirements will have to evolve too.

For instance, OCR issued a Notice of Proposed Rulemaking on January 21, 2021 that outlined proposed changes to HIPAA regulations. These changes aim to support individuals' engagement in their health care, remove barriers to coordinated care, and decrease regulatory burdens on health care.

The changes to the Privacy Rule include proposals to:

• Strengthen individuals' rights to access their health information.
• Improve information sharing for care coordination and case management for individuals.
• Facilitate family and caregiver involvement in the care of individuals experiencing emergencies or health crises.
• Increase flexibility for disclosures in an emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies.
• Reduce administrative burdens on HIPAA covered health care providers and health plans.

Pay attention to changes in HIPAA guidelines like these so there aren’t gaps in your compliance.

6. Understand how COVID affects HIPAA

COVID has had an outsized impact on the healthcare sector, which has also affected how HIPAA is applied. Covered entities navigating this new public health landscape will need to be up to date on how HIPAA applies to patient privacy in a remote environment, what accommodations the government has made for health practices, and what rules still apply.

For example, under specific circumstances, the HIPAA Privacy Rule allows covered entities to disclose the PHI of an individual who has been infected with or exposed to COVID-19 to law enforcement, first responders, and public health authorities without the individual’s HIPAA authorization.

7. Document everything

Documentation of your compliance efforts is a critical part of the HIPAA compliance process. The Privacy Rule requires documentation of:

• Policies and procedures
• Communications that require a written/electronic copy
• Any actions, activities, or designations that require written/electronic records

Documentation proves the organization took measures to comply with the HIPAA rules. This is not only important for demonstrating compliance in a potential audit but also for ensuring the organization has a clear understanding of their own compliance landscape. When monitoring and reviewing compliance efforts, documentation provides a record of what steps have already been taken and where there may be gaps in compliance that need addressing.

8. Report data breaches

Between human error, advances in technology, and increasing cyber attacks, breaches are bound to happen occasionally. If and when a breach occurs, it is essential to report the violation as soon as possible. HIPAA guidelines generally require notification of breach within 60 days of discovery.

In order to reduce the impact of potential breaches, it’s important to uncover breaches as early as possible. This can be accomplished through robust monitoring, communication, and training as part of your overall compliance management program. Together with these efforts, you can ensure breaches are discovered early and reported quickly to help minimize the impact and risk to the organization (and patients).

Learn more about the HIPAA Compliance Checklist.

HIPAA leaves a lot of latitude for organizations to implement the safeguards with the technology and procedures that make the most sense for the specific entity. Securing ePHI is one of the more challenging and technical aspects of HIPAA compliance—and simultaneously one of the highest areas of risk. As cyber threats continue to rise, organizations and IT administrations need solutions that improve access management and data protection, and minimize the risk of unauthorized use.

StrongDM’s Zero Trust Privileged Access Management platform helps organizations ensure the right people have access to the right information at the right time under the right conditions. So patient data is never accessed without cause or consent. StrongDM helps you:

• Confidently offboard employees so that former staff can’t access critical infrastructure.
• Deliver just-in-time access so users can access the information they need when they need it–and no longer.
• Automate least-privilege access so users only have access to the resources necessary, limiting exposure of protected data.
• Add context-based authorization policies that can prevent unsanctioned actions from happening.

StrongDM also deploys built-in monitoring and log collection so you always have a record of access and permissions. This provides transparency into your compliance efforts, reveals potential risks, and supports formal and informal audits.

Failure to comply with HIPAA not only puts patients at risk—it puts your organization at risk too. Between cyber threats and penalties for violations, noncompliance is a costly risk to take. Play it safe with StrongDM and start protecting your PHI today.

Try StrongDM free for 14 days.

More HIPAA Compliance Resources

• How StrongDM Helps with HIPAA Compliance Solution Guide
• HIPAA Omnibus Rule: Everything You Need to Know
• Simplify Compliance Certification
• HIPAA Compliance Checklist
• HITRUST vs. HIPAA: Understanding the Difference
• HIPAA Compliance eBook
• What Are the Penalties for Violating HIPAA? (Civil & Criminal)
• What Is a HIPAA Violation? 12 Most Common Examples
• The HIPAA Minimum Necessary Standard Explained
• What Are the Three Rules of HIPAA? Explained
• How to Prevent Password Sharing in Healthcare (8 Ways)
• FISMA vs FedRAMP, NIST vs ISO, SOC 2 vs HIPAA, ISO27001 vs SOC 2