'What's HIPAA?' An O.G.C. Guide for Healthcare Teams

Practical guidance for healthcare teams and business associates

HIPAA is a federal law. It sets national rules for how protected health information (PHI) is used, shared, secured, and reported. The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) enforces it.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).

The statute itself addresses health insurance portability and administrative simplification. In practice, most groups use "HIPAA" to mean the Privacy Rule, Security Rule, and Breach Notification Rule.

HIPAA at a Glance

  • What: HIPAA sets national rules for how protected health information (PHI) is used, disclosed, secured, and reported.
  • Who: HIPAA applies to covered entities and business associates that create, receive, maintain, or transmit PHI.
  • Rules most organizations use: Privacy Rule, Security Rule, and Breach Notification Rule.
  • Practical effect: HIPAA requires documented risk analysis, written policies, workforce training, vendor BAAs, and an incident response process.
  • Why it matters: OCR enforcement repeatedly focuses on missing fundamentals, especially risk analysis, access controls, documentation, and vendor oversight.

What HIPAA Actually Does

At a practical level, HIPAA does four things that matter most:

  • Sets rules for when PHI can be used or disclosed
  • Requires safeguards for electronic protected health information, or ePHI
  • Gives patients important rights over their health information
  • Creates breach notification obligations when unsecured PHI is exposed

HIPAA shapes how health data is collected, accessed, shared, secured, tracked, and reported.

Who HIPAA Applies To

HIPAA applies to covered entities and business associates.

Covered Entities

Covered entities generally include:

  • Health plans (health insurers, HMOs, employer-sponsored group health plans, and government programs like Medicare and Medicaid)
  • Healthcare clearinghouses (entities that process nonstandard health information into standard formats)
  • Healthcare providers that conduct certain standard electronic transactions, such as electronic billing

Business Associates

Business associates are third parties hired to perform a task that involves access to PHI (Protected Health Information). Sharing PHI with them is allowed when the required items, above all a signed Business Associate Agreement (BAA), are in place.

Common examples include:

  • Managed IT providers
  • Cloud hosting vendors
  • Billing companies
  • EHR support firms
  • Consultants handling PHI
  • Document storage vendors
  • Certain legal, analytics, and software providers

Who HIPAA Does Not Automatically Apply To

HIPAA does not apply to every employer, wellness app, or company that touches health data. Whether HIPAA applies depends on:

  • The role the organization plays in handling PHI
  • Whether it operates inside a covered-entity or business-associate relationship
  • How the information is collected and used

When people ask "Is this a HIPAA issue?" the real answer may involve employment law, platform terms, or another regulatory framework entirely.

What PHI Means

PHI means Protected Health Information. It is any data that can link a medical record to a person. Examples include:

  • Medical records
  • Diagnoses
  • Lab results
  • Treatment information
  • Insurance and billing records
  • Patient names tied to health details
  • Dates of birth
  • Addresses
  • Phone numbers
  • Other identifiers linked to health information

When that data exists in digital form, it is called ePHI.

If you want the full breakdown, read our guide on Protected Health Information (PHI).

Key Definitions

  • OCR: The HHS Office for Civil Rights that investigates HIPAA complaints, conducts compliance reviews, and enforces the HIPAA Privacy, Security, and Breach Notification Rules.
  • HHS: The U.S. Department of Health and Human Services, the federal department that houses OCR and issues HIPAA guidance and rulemaking.
  • NIST: The National Institute of Standards and Technology, a federal agency that publishes technical guidance used by many organizations to implement the HIPAA Security Rule.
  • MSO: A Management Services Organization that provides administrative or operational support, such as billing, IT, HR, or revenue-cycle functions, and may handle PHI on behalf of healthcare providers.
  • Breach: An impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI.
  • Reportable breach: A breach of unsecured PHI that triggers notification duties to affected individuals and, depending on scale, to HHS/OCR and the media under the Breach Notification Rule.
  • Unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology recognized by HHS, such as encryption or proper destruction.
  • Healthcare operations: Activities that support the covered entity's core functions, including quality assessment, training, auditing, fraud detection, case management, and certain business planning and administrative work.
  • Media notice: A public notice required when a breach of unsecured PHI affects 500 or more residents of a single state or jurisdiction and must be provided to prominent media outlets serving that area.
  • Incident response and breach review process: The documented steps an organization follows after a suspected PHI incident, from identification and containment through risk review, notification decisions, remediation, and recordkeeping.

The Three HIPAA Rules Most Organizations Deal With

1. HIPAA Privacy Rule

The Privacy Rule (45 C.F.R. §§ 164.500–164.534) governs how PHI gets used or shared. It also gives people rights over their data: they can access their records and request amendments in certain cases.

2. HIPAA Security Rule

The Security Rule (45 C.F.R. §§ 164.302–164.318) applies to ePHI and requires administrative, physical, and technical safeguards. In practice, that means:

  • Implementing access controls
  • Conducting regular risk analyses
  • Making decisions about encryption and device protections
  • Training your workforce
  • Documenting security procedures

For setup guidance, see NIST Special Publication 800-66 Revision 2 (Implementing the HIPAA Security Rule, published February 2024). It maps Security Rule standards to specific controls and practical steps.

3. HIPAA Breach Notification Rule

The Breach Notification Rule (45 C.F.R. §§ 164.400–164.414) requires groups to review incidents that involve unsecured PHI - that is, PHI not yet made unusable or unreadable through encryption or destruction. When an incident is reportable, the process involves:

  • Notifying affected individuals
  • Reporting to regulators and, in some cases, media
  • Analyzing the nature of the data and who received it
  • Determining whether the information was actually acquired or viewed
  • Documenting how the incident was mitigated

Not every exposure becomes a reportable breach. The review depends on the data, the recipient, and the chance of harm.

Key Breach Notification Timelines

  • Individual notice: Without unreasonable delay, no later than 60 days after discovering the breach
  • HHS/OCR notice: Breaches affecting 500 or more individuals must be reported to the Secretary of HHS within 60 days
  • Media notice: Required when a breach affects 500 or more residents of a single state or jurisdiction
  • Smaller breaches: Breaches affecting fewer than 500 individuals may be reported to HHS annually, no later than 60 days after the end of the calendar year

What HIPAA Compliance Means In Reality

"HIPAA compliant" is not a one-time badge or software feature. In practice, it means your group can show that it has:

  • Assigned privacy and security responsibility
  • Performed and documented a risk analysis
  • Implemented written policies and procedures
  • Trained workforce members
  • Managed vendor relationships and BAAs
  • Applied reasonable administrative, physical, and technical safeguards
  • Documented incidents, decisions, and remediation steps
  • Reviewed and updated the program over time

If you run a smaller practice, our HIPAA compliance checklist for small practices is your next step.

HIPAA Penalties and Enforcement

Penalty Figures Last Verified

Last verified: May 26, 2026.

Penalty amounts change each year for inflation under the Federal Civil Penalties Inflation Adjustment Act. The figures below reflect the changes effective January 28, 2026 and were last checked May 26, 2026.

  • Tier 1: Lack of knowledge – $145 to $73,011 per violation (annual cap: $2,190,294)
  • Tier 2: Reasonable cause – $1,461 to $73,011 per violation (annual cap: $2,190,294)
  • Tier 3: Willful neglect, corrected within 30 days – $14,602 to $73,011 per violation (annual cap: $2,190,294)
  • Tier 4: Willful neglect, not corrected – $73,011 to $2,190,294 per violation

The Department of Justice handles criminal penalties, which can reach $250,000 in fines and up to 10 years in prison for the worst offenses (HHS Enforcement Overview). OCR still focuses on missing basics like risk analysis, BAAs, and access controls.

Selected OCR Enforcement Examples

  • Banner Health (settlement announced 2023): $1.25 million settlement after a 2016 hacking incident affecting millions; OCR cited failures in risk analysis, monitoring, and authentication. (OCR Settlement)
  • L.A. Care Health Plan (settlement announced 2023): $1.3 million settlement for alleged Security Rule deficiencies, including enterprise-wide risk analysis failures. (OCR Settlement)
  • Montefiore Medical Center (resolution announced 2024): $4.75 million settlement for multiple Security Rule violations, including undetected unauthorized workforce access. (OCR Resolution Agreements)

OCR's Risk Analysis Enforcement Initiative launched in 2024. It has run through 2025 and 2026, with risk analysis and risk management cited again and again as key gaps. For a broader view of common failures, see common HIPAA violations and how to avoid them.

Common HIPAA Misunderstandings

"HIPAA means I can never share patient information"

Not quite. HIPAA allows many uses and disclosures for treatment, payment, and healthcare operations (tasks such as quality review, training, auditing, and business planning). There are also other allowed or required disclosures. The issue is whether the sharing is allowed, needed, and handled the right way.

"If we use encrypted systems, we are HIPAA compliant"

No. Encryption helps, but it does not replace the rest of the HIPAA program. You still need:

  • A documented risk analysis and risk management plan
  • Written policies and procedures
  • Workforce training
  • Access controls and the other administrative, physical, and technical safeguards
  • BAAs with vendors that handle PHI
  • An incident response and breach review process

"Only hospitals need to worry about HIPAA"

No. HIPAA applies to:

  • Covered entities: health plans, healthcare clearinghouses, and healthcare providers that conduct certain standard electronic transactions
  • Business associates: vendors and service providers, such as IT, cloud hosting, billing, and consulting firms, that handle PHI on behalf of covered entities

"HIPAA only matters after a breach"

Also no. OCR (Office for Civil Rights) enforcement data shows the agency targets missing basics: risk analysis, access controls, records, and training.

For examples of where groups get in trouble, see common HIPAA violations and how to avoid them.

Patient Rights Under HIPAA

HIPAA gives people important rights, including:

  • Accessing their records
  • Requesting amendments
  • Receiving a notice of privacy practices
  • Requesting restrictions in some circumstances
  • Asking for confidential communications
  • Receiving an accounting of certain disclosures

These rights are a big reason HIPAA is not just a security rule. It is also a patient rights framework.

What Healthcare Organizations Should Do First

If you want to move from confusion to action, start here:

  1. Find out whether you are a covered entity or business associate.
  2. Map where PHI and ePHI enter, move through, and leave your group.
  3. Run a documented risk analysis.
  4. Review your policies, training, and access controls.
  5. Confirm which vendors require BAAs.
  6. Build an incident response and breach review process.
  7. Assign clear ownership for privacy and security.

First 30 Days: Three Things To Do

  1. Run or update a documented risk analysis scoped to current systems and vendors so you know where PHI and ePHI are created, stored, transmitted, and accessed.
  2. Confirm vendor relationships and BAAs by inventorying vendors, verifying signed Business Associate Agreements, and escalating any high-risk or unsigned relationships for remediation.
  3. Stand up a basic incident response and breach review process with assigned owners, documented escalation steps, and at least one tabletop exercise for a realistic incident scenario.

If your team does not have a lead for this, our HIPAA compliance officer guide explains what that role should cover.

What a Basic HIPAA Risk Analysis Covers

A risk analysis is the single most cited gap in OCR enforcement actions. At minimum, your risk analysis should:

  • Identify where ePHI is created, received, maintained, or transmitted across all systems and devices
  • Identify threats and vulnerabilities to those systems, including human, environmental, and technical threats
  • Assess current safeguards already in place
  • Determine the likelihood and impact of each identified risk
  • Assign risk levels and document your rationale
  • Create a remediation plan with timelines and responsible parties

Risk analysis is not a one-time event. You should review and update it when your setup changes - such as new tech, a new vendor, or a security incident. For a step-by-step guide, see our HIPAA risk assessment guide.

Incident Response and Breach Review Process

  1. Detect and document: Record the date and time of discovery, how the incident was detected, the systems and data potentially involved, and any immediate containment steps taken.
  2. Triage and categorize: Determine whether the event involves unsecured PHI and whether the data was potentially acquired, accessed, or viewed. Classify the incident by severity, scope, and number of affected individuals.
  3. Perform a breach-risk review: Assess the nature and extent of the PHI, who received it, whether it was actually viewed or acquired, whether the data was encrypted or destroyed, and the likelihood of compromise. Document the reasoning.
  4. Make the notification decision: If the event is reportable, prepare individual notices without unreasonable delay and no later than 60 days after discovery, and prepare HHS/OCR and media notices where required.
  5. Remediate and mitigate: Contain the root cause, apply technical and administrative fixes, and provide affected individuals with appropriate mitigation steps when warranted.
  6. Assign corrective actions: Give remediation items named owners, deadlines, and policy or training updates so the same failure does not repeat.
  7. Review and archive: Conduct a lessons-learned review, update the risk analysis and response plan, and retain documentation for audit or regulatory review.
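The timelines listed under Key Breach Notification Timelines and steps 2 through 4 of the process above, worked through as an added example (not the page's or O.G.C.'s own tooling): a small helper that takes a constructed incident record and returns which notices are due and their latest dates. The Incident fields and the `reportable` flag, which stands in for the outcome of the documented breach-risk review, are assumptions; the review itself is a judgement the code does not make.

```python
"""Breach-notification deadline helper (added example, not this page's code).

Encodes the timelines the page lists: individual notice and, for breaches of
500 or more individuals, HHS/OCR notice no later than 60 days after discovery;
media notice when 500 or more residents of one state are affected; annual HHS
reporting of smaller breaches no later than 60 days after calendar-year end.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 days"
LARGE_BREACH = 500                   # HHS and media thresholds


@dataclass
class Incident:                      # assumed record layout for illustration
    discovered: date
    unsecured_phi: bool   # True unless PHI was encrypted/destroyed per HHS guidance
    reportable: bool      # outcome of the documented breach-risk review (assumed input)
    affected_by_state: dict = field(default_factory=dict)  # state -> individuals

    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


def notification_plan(inc: Incident) -> dict:
    """Return the notices due and their latest dates as ISO strings.

    An empty dict means the review is documented but no notification duty
    arises under the Breach Notification Rule.
    """
    if not inc.unsecured_phi or not inc.reportable:
        return {}
    by = (inc.discovered + NOTICE_WINDOW).isoformat()
    plan = {"individuals": by}
    if inc.total_affected() >= LARGE_BREACH:
        plan["hhs"] = by
    else:
        # Fewer than 500: may be logged and reported annually, no later than
        # 60 days after the end of the calendar year of discovery
        year_end = date(inc.discovered.year, 12, 31)
        plan["hhs_annual_log"] = (year_end + NOTICE_WINDOW).isoformat()
    media = sorted(s for s, n in inc.affected_by_state.items() if n >= LARGE_BREACH)
    if media:
        plan["media"] = {"states": media, "by": by}
    return plan


def sample_plans() -> dict:
    """Constructed sample incidents (not real cases) run through the helper."""
    found = date(2026, 3, 10)
    cases = {
        "large_multistate": Incident(found, True, True, {"TX": 600, "OK": 40}),
        "small": Incident(found, True, True, {"TX": 120}),
        "encrypted_laptop": Incident(found, False, True, {"TX": 900}),
    }
    return {name: notification_plan(inc) for name, inc in cases.items()}


if __name__ == "__main__":
    for name, plan in sample_plans().items():
        print(name, plan or "no notification duty; document the review")
```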

Primary Sources

  • HIPAA statute: Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
  • HIPAA rules: 45 C.F.R. Parts 160 and 164, including the Privacy Rule, Security Rule, and Breach Notification Rule
  • HHS/OCR guidance and enforcement materials, including resolution agreements, breach reports, and enforcement guidance
  • NIST Special Publication 800-66 Revision 2 and related NIST 800-series guidance used to map Security Rule controls to implementation steps
  • Federal Civil Penalties Inflation Adjustment Act updates and OCR penalty adjustment notices

Frequently Asked Questions

What is a healthcare organization covered under HIPAA regulations?

A healthcare organization covered under HIPAA regulations is a covered entity. Covered entities include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions such as claims, eligibility checks, or referrals. Business associates that handle protected health information on behalf of covered entities also fall under HIPAA requirements.

What does HIPAA stand for?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.

Who complies with HIPAA?

HIPAA applies to covered entities and business associates.

Covered entities include:

  • Health plans
  • Healthcare clearinghouses
  • Healthcare providers that conduct certain standard electronic transactions

Business associates are vendors and service providers that handle PHI on behalf of those covered entities.

What is PHI under HIPAA?

PHI means protected health information. It is health data tied to a person that is held or sent by a covered entity or business associate.

Examples include:

  • Medical records
  • Billing records
  • Diagnoses
  • Lab results
  • Patient identifiers tied to health information

What is the difference between PHI and ePHI?

PHI is protected health information in any form. ePHI is protected health information in digital form.

Does HIPAA apply to employers?

Not by default. HIPAA usually does not apply to employers in their role as employers. It depends on whether the group is a covered entity or business associate. It also depends on how they handle PHI.

Does HIPAA apply to software vendors?

Sometimes. A software vendor is a BA when it creates, receives, stores, or sends PHI on behalf of a covered entity or another business associate.

What are the main HIPAA rules?

The three rules most groups deal with:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Breach Notification Rule

What should a small practice do first for HIPAA compliance?

Start by finding out whether you are a covered entity or business associate. Then map PHI flows, confirm which vendors need BAAs, and run a documented risk analysis. This lets you focus on the highest-risk gaps first.

Bottom Line

HIPAA is federal law. It protects certain health data in the United States.

For healthcare groups and vendors, the real question is how HIPAA applies to the way PHI is handled every day.

HIPAA by Practice Type

Every practice handles PHI in its own way. See our guides for dental offices, therapists and counselors, pharmacies, and medical practices.

HIPAA Rules at a Glance

Rule                | CFR Part        | What It Covers                       | Key Requirement
--------------------|-----------------|--------------------------------------|-----------------------------------------------
Privacy Rule        | 164 Subpart E   | Uses and disclosures of PHI          | Limit PHI use to minimum necessary
Security Rule       | 164 Subpart C   | Protection of ePHI                   | Administrative, physical, technical safeguards
Breach Notification | 164 Subpart D   | Reporting breaches of unsecured PHI  | Notify within 60 days of discovery
Enforcement Rule    | 160 Subpart D   | Penalties and investigations         | Four-tier penalty structure
Transactions Rule   | 162             | Electronic healthcare transactions   | Standard code sets and formats

Key stat: HIPAA was enacted in 1996, but the Privacy Rule did not take effect until 2003 and the Security Rule until 2005. The HITECH Act of 2009 significantly expanded enforcement by introducing breach notification requirements, increasing penalties, and extending HIPAA obligations directly to business associates. The proposed 2025 Security Rule update represents the most significant regulatory change since HITECH.
