What Is HIPAA Compliance?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It applies to covered entities and business associates that handle protected health information (PHI).

What Is Protected Health Information (PHI)? PHI includes any information that: Identifies a patient (name, DOB, SSN, etc.) Relates to health conditions, treatment, or payment Is transmitted or stored in any form (electronic, paper, verbal) If your organization creates, receives, maintains, or transmits PHI, HIPAA applies to you.

The Three Core HIPAA Rules

1. Privacy Rule Protects how patient information is used and disclosed.

2. Security Rule Requires safeguards to protect electronic PHI (ePHI), including: Administrative safeguards Technical safeguards Physical safeguards

3. Breach Notification Rule Requires organizations to notify affected individuals and regulators when certain breaches occur.

What Does Being “Compliant” Actually Mean?

HIPAA compliance is not a one-time checklist.

It requires:

• Written policies and procedures

• Ongoing workforce training

• A Security Risk Analysis (SRA)

• Risk management and mitigation

• Incident tracking and documentation

• Business Associate Agreements (BAAs)

• Monitoring and updates as regulations change

Compliance must be documented. If it’s not documented, regulators typically consider it incomplete.

Who Must Comply?

• HIPAA applies to:  

• Healthcare providers

• Medical billing companies

• Healthcare clearinghouses

• Health plans

• Vendors handling PHI (Business Associates)

Why HIPAA Compliance Matters

• Non-compliance can result in:

• Civil monetary penalties

• Corrective action plans

• Government monitoring

• Reputation damage

• Lawsuits

Even small practices are subject to audits and investigations.

Have questions about whether HIPAA applies to you?

Chat with us or explore our related articles.

Last reviewed: January 2026