
Compliance Guide · United States

HIPAA Compliance Guide

HIPAA governs how every covered entity and business associate in the US must protect Protected Health Information (PHI); its Security Rule sets the safeguards for the electronic subset, ePHI. Here is what is actually required, including what changes if the Security Rule update proposed in the 2025 NPRM is finalised.

  • Regulator: HHS Office for Civil Rights (OCR)
  • Enacted: 1996 · Security Rule 2003 · NPRM update 2025
  • Coverage: Covered Entities + Business Associates
  • Validity: Continuous; there is no certification, and the risk analysis must be kept current (reviewed at least annually in practice, and whenever systems, vendors, or data flows change)
  • 3 HIPAA rules: Privacy, Security, Breach Notification
  • 60 days: outer limit to notify individuals, HHS, and (for 500+ individuals) the media after a breach is discovered
  • ~$2.1M: annual cap per violation category, adjusted for inflation each year
  • Required: Privacy Officer and Security Officer designations

Who needs to comply with HIPAA?

HIPAA applies to two categories of organisations — and most digital health companies underestimate the second:

  • Covered Entities — health plans (insurers, HMOs, employer-sponsored health plans), health care clearinghouses, and health care providers who transmit health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, referrals, and the like). Practically: hospitals, clinics, dental practices, behavioural health providers, pharmacies.
  • Business Associates — any vendor or subcontractor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. EHR vendors, telehealth platforms, billing companies, cloud hosts, MSPs, marketing agencies handling patient data, AI tools, even law firms.

If you're a SaaS company that has even one healthcare customer using your product to process PHI, you are almost certainly a business associate — and you need a BAA, a HIPAA programme, and the ability to demonstrate it during a vendor security review.

The three HIPAA rules

1. Privacy Rule

Governs the use and disclosure of PHI in any form (paper, oral, electronic). Key concepts: minimum necessary, individual access rights, authorisations, and Notice of Privacy Practices.

2. Security Rule

Applies to ePHI specifically. Requires administrative, physical, and technical safeguards. The home of MFA, encryption, audit logs, access controls, and risk analysis.

3. Breach Notification Rule

Requires notification of affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more individuals, HHS must be notified on the same timeline, and prominent media outlets as well where more than 500 residents of a single state or jurisdiction are affected. Breaches affecting fewer than 500 individuals are reported to HHS in an annual log.

HIPAA Security Rule safeguards

The Security Rule organises ~50 specifications into three categories. Until the update proposed in the 2025 NPRM is finalised, many specifications are addressable. That does not mean optional: you must assess whether the specification is reasonable and appropriate for your environment and, if you conclude it is not, document why and implement an equivalent alternative measure. In practice, OCR enforcement has treated most of them as required.

Administrative Safeguards (9 standards)

  • Security Management Process — risk analysis, risk management, sanction policy, and information system activity review (a missing or stale risk analysis is the most-cited deficiency in OCR enforcement)
  • Assigned Security Responsibility — designate a Security Officer
  • Workforce Security & Information Access Management — onboarding/offboarding, least privilege
  • Security Awareness & Training — security reminders, malware protection, log-in monitoring, password management (phishing simulations are standard practice, not a named requirement)
  • Security Incident Procedures, Contingency Plan, Business Associate Contracts, Periodic Evaluation

Physical Safeguards (4 standards)

  • Facility Access Controls — badge access, visitor logs, server room security
  • Workstation Use & Security — locked screens, secure work-from-home setup
  • Device & Media Controls — disposal, media re-use, accountability, data backup and storage

Technical Safeguards (5 standards)

  • Access Control — unique user IDs, emergency access procedure, automatic logoff, encryption and decryption
  • Audit Controls — record and examine activity in systems that contain or use ePHI
  • Integrity — protect ePHI from improper alteration or destruction
  • Person or Entity Authentication — verify identity (MFA in practice)
  • Transmission Security — integrity controls and encryption for ePHI in motion (in practice TLS 1.2 or later, with older protocol versions disabled)

2025 Security Rule NPRM — what's changing

In December 2024, HHS published the first major Security Rule update since 2013. The Notice of Proposed Rulemaking (NPRM) significantly raises the bar:

  • End of "addressable": nearly all specifications become explicitly required
  • MFA mandatory for all access to ePHI (with limited exceptions)
  • Encryption by default for ePHI at rest and in transit
  • Network segmentation required to limit lateral movement
  • Vulnerability scanning every 6 months and pen-testing every 12 months
  • Asset inventories and network maps updated at least annually
  • 72-hour restoration capability for ePHI after incidents
  • Annual compliance audits with written results

The NPRM proposes a compliance date 180 days after the final rule's effective date, so if it is finalised in 2025 or 2026 you would have roughly six months to close the gaps. Treat the NPRM as your floor today, not your ceiling tomorrow.

Step-by-step HIPAA compliance roadmap


Phase 1 Assess (Weeks 1–3)

  • Designate Privacy Officer and Security Officer
  • Inventory all ePHI: where it lives, who has access, how it flows
  • Conduct a HIPAA risk analysis using NIST SP 800-30 methodology

Phase 2 Document (Weeks 3–6)

  • Policies & procedures library (admin, physical, technical safeguards)
  • Workforce training programme + Notice of Privacy Practices
  • Incident response plan + breach notification procedures

Phase 3 Implement (Weeks 4–12)

  • Technical controls: MFA, encryption-at-rest and in-transit, audit logging, access reviews
  • BAAs with every vendor processing PHI (cloud, EHR, comms, AI tools)
  • Endpoint protection on every device with PHI access

Phase 4 Operate & Audit (Ongoing)

  • Risk analysis review at least annually and whenever systems, vendors, or data flows change materially (OCR expects a current, enterprise-wide analysis; the 2025 NPRM would make the 12-month cycle explicit)
  • Quarterly access reviews and audit log reviews
  • Vulnerability scanning at least every 6 months and annual penetration testing, per the 2025 NPRM cadence

OCR penalties & enforcement examples

  • Anthem (2018) — $16M settlement after a 2015 breach affecting 78.8M people. Root causes: failure to conduct enterprise-wide risk analysis, insufficient access reviews.
  • Premera Blue Cross (2020) — $6.85M after 10.4M individuals' PHI was exfiltrated.
  • Lifespan ACE (2020) — $1.04M after an unencrypted laptop was stolen, exposing 20K patients.
  • L.A. Care Health Plan (2023) — $1.3M after multiple gaps including failure to conduct a risk analysis.
  • Doctors' Management Services (2023) — $100K + 3-year CAP. The first ransomware-driven OCR settlement, citing inadequate risk analysis and audit controls.

Patterns: missing or stale risk analyses, no encryption on portable devices, BAAs that don't exist or aren't enforced, lack of audit log review.

Cost & timeline

Small practice / startup

3–6 months

Internal effort: ~120–200 hours. External support typically $10K–$40K one-off, then $1K–$3K/month for managed compliance + tooling.

Mid-size health tech / clinic group

6–9 months

Multi-team programme. External advisory + tooling: $40K–$120K including risk analysis, BAAs, technical controls, training. Ongoing: $3K–$10K/month.

Enterprise / hospital system

9–18 months

Often combined with HITRUST CSF or SOC 2. Programme work integrates with existing GRC; expect $120K+ external spend.

How Security Pulse helps with HIPAA

RunWay — Get compliant

  • NIST 800-30 aligned risk analysis
  • Policy library mapped to Privacy + Security + Breach rules
  • BAA template library and vendor inventory
  • Workforce training including HIPAA + phishing simulation
  • Incident response runbook with 60-day breach path

Autopilot — Stay compliant

  • MFA + encryption + access governance — NPRM-ready
  • Endpoint protection on every device touching PHI
  • 24/7 breach detection with Security Officer alerting
  • Audit log retention and review automation
  • OCR-ready evidence vault produced on demand

HIPAA vs HITRUST vs SOC 2

HIPAA
  • Type: US federal regulation
  • Required by law? Yes, for covered entities and business associates
  • Scope: PHI only
  • External audit? No formal audit, but OCR investigations and audits
  • Time to achieve: 3–6 months
  • Best for: all healthcare organisations (mandatory)

HITRUST CSF
  • Type: private certification
  • Required by law? No
  • Scope: multiple frameworks, including HIPAA
  • External audit? Yes, by a HITRUST-authorised external assessor
  • Time to achieve: 9–18 months
  • Best for: health plans and large covered entities

SOC 2 Type II
  • Type: private attestation (AICPA)
  • Required by law? No, but often required contractually
  • Scope: Trust Services Criteria
  • External audit? Yes, by a CPA firm
  • Time to achieve: 6–12 months
  • Best for: SaaS vendors and business associates selling to enterprise

Common questions about HIPAA compliance

Who has to comply with HIPAA?

Two categories: (1) Covered Entities — health plans, health care clearinghouses, and health care providers who transmit any health information electronically in connection with HIPAA-covered transactions; and (2) Business Associates — any vendor or subcontractor that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity. This includes EHR vendors, billing companies, cloud hosts, MSPs, AI scribe vendors, and even law firms handling PHI.

What is the difference between the Privacy Rule and the Security Rule?

The Privacy Rule governs the use and disclosure of PHI in any form (paper, oral, electronic). The Security Rule applies specifically to electronic PHI (ePHI) and requires administrative, physical, and technical safeguards. Most cybersecurity work falls under the Security Rule, but the Privacy Rule still drives policies like minimum necessary use, individual rights, and authorization handling.

What are the HIPAA Security Rule safeguards?

Three categories with roughly 50 specifications: Administrative Safeguards (security management process, workforce training, access management, contingency planning), Physical Safeguards (facility access, device & media controls, workstation use), and Technical Safeguards (access control, audit controls, integrity, person/entity authentication, transmission security). The 2025 NPRM proposes making nearly all 'addressable' specifications mandatory and requiring MFA, encryption by default, network segmentation, vulnerability scanning at least every 6 months, and annual penetration testing.

How much can OCR fine us?

HIPAA civil penalties are tiered by culpability and adjusted annually for inflation. Under the August 2024 inflation adjustment, per-violation amounts range from $141 (lack of knowledge) to $71,162 (willful neglect, not corrected), with an annual cap of $2,134,831 per violation category; HHS updates these figures every year, so check the current table before quoting them, and note that OCR's 2019 Notice of Enforcement Discretion applies lower annual caps to the three lower culpability tiers. Real settlements have ranged from tens of thousands of dollars to $16 million (Anthem, 2018). Beyond fines, OCR routinely imposes Corrective Action Plans (CAPs) lasting 1–3 years.

When do we have to notify HHS of a breach?

For breaches affecting 500 or more individuals: notify affected individuals and HHS without unreasonable delay and no later than 60 calendar days after discovery, and notify prominent media outlets on the same timeline where more than 500 residents of a single state or jurisdiction are affected. For breaches affecting fewer than 500 individuals: notify affected individuals within the same 60-day limit, and report to HHS in an annual log within 60 days of the end of the calendar year in which the breach was discovered. The clock starts on discovery, which HIPAA defines as the first day the breach is known, or by exercising reasonable diligence would have been known, to the organisation (not the day it occurred); and 60 days is an outer limit, not a target.

Do we need a BAA with every vendor that touches PHI?

Yes — HIPAA requires a Business Associate Agreement (BAA) with every business associate before that vendor is allowed to receive, store, transmit, or process PHI on your behalf. Major cloud providers (AWS, Azure, Google Cloud), EHRs, communication platforms (some Slack/Zoom/Twilio plans) and security vendors all offer BAAs — but only on specific tiers. Lacking a BAA is one of the most-cited findings in OCR enforcement.

How long does HIPAA compliance take?

For a small clinic or single-product digital health startup starting from scratch: typically 3–6 months to reach a defensible baseline (risk analysis, policies, technical controls, BAAs, training). For larger covered entities or multi-product business associates: 6–12 months including remediation. After that, HIPAA is continuous — annual risk reassessments, ongoing workforce training, BAA refreshes.

Is there an official HIPAA certification?

No. HHS/OCR does not certify or endorse any HIPAA certification programme. Third-party attestations (HITRUST CSF, SOC 2 + HIPAA, ISO 27001 + HIPAA mapping) are widely accepted by enterprise buyers and health plans as evidence of compliance, but they do not provide a legal safe harbour. The only thing that matters in an OCR investigation is your evidence.

What about telehealth and AI tools?

Telehealth platforms used for diagnosis or treatment are subject to HIPAA in full: the OCR enforcement discretion for telehealth that applied during the COVID-19 public health emergency ended in 2023, after a transition period that expired in August 2023. AI tools (scribes, summarisers, decision support) that process PHI on your behalf are business associates and require BAAs, and any AI system that creates, receives, maintains, or transmits ePHI must be covered by your risk analysis like any other information system.

How does Security Pulse help with HIPAA?

Security Pulse maps directly to the HIPAA Security Rule. RunWay handles the foundational programme: risk analysis, policies aligned to the 2025 NPRM, BAA library, vendor inventory, workforce training. Autopilot then runs continuously: encryption, MFA, identity governance, endpoint protection, audit logging, breach detection, and an evidence vault that produces OCR-ready reports on demand.

HIPAA compliance, finally without the spreadsheet sprawl.