Explore HIPAA compliance resources for the healthcare industry. Learn requirements, privacy rules, and best practices to safeguard patient data and avoid violations.
Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) establishes crucial data privacy and security rules for protecting medical information. Despite its age, HIPAA remains pivotal in today’s regulatory landscape. Closely associated with HIPAA is the Health Information Trust Alliance (HITRUST).
If your organization provides services to healthcare entities, such as IT support, cloud storage, billing, or legal services—you may be legally required to sign a HIPAA Business Associate Agreement (BAA).
This agreement ensures that your organization complies with the Health Insurance Portability and Accountability Act (HIPAA) when handling or accessing protected health information (PHI).
Entering into a BAA means committing to partial or full HIPAA compliance, which includes conducting risk assessments, implementing security controls, and maintaining appropriate data protection policies.
Are you ready to fulfill the requirements of a HIPAA BAA? Schedule a consultation to find out!
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) exists to define and safeguard protected health information (PHI). It applies primarily to covered entities within the healthcare field. However, it also contractually requires business associates to safeguard PHI.
Understanding and staying compliant as a business associate requires knowing:
The big takeaway of business associate considerations under HIPAA is that the regulation applies beyond the boundaries of healthcare to many stakeholders adjacent to the industry.
A HIPAA Business Associate Agreement (BAA) is a legally binding contract that requires business associates to follow certain HIPAA compliance standards.
These associates, such as IT providers, billing services, or consultants, must either fully comply with HIPAA or support their covered entity partners in maintaining compliance.
The HIPAA BAA extends HIPAA’s privacy and security requirements beyond healthcare providers, ensuring that any third party with access to protected health information (PHI) also handles it responsibly.
These agreements are mandated and regulated by the Department of Health and Human Services (HHS) as part of HIPAA’s goal to safeguard patient data across the entire healthcare ecosystem.
To fully understand why these agreements are necessary, it’s important to know what qualifies as PHI. Protected health information includes any data that identifies an individual in connection with their physical or mental health, treatments received, or healthcare payments, whether in full documents or individual data points.
Business associate contracts are made between covered entities and their business associates, requiring the latter to (at minimum) help the former meet their HIPAA requirements. As for who these parties are, the HHS has established three categories of HIPAA covered entities:
Business associates are any organizations that work with these entities in a way that requires them to come into contact with PHI.
There is no explicit restriction on which kinds of partners are considered business associates, but common examples include third-party administrators, accounting and legal services providers, consultants, and benefits managers working on plans.
Covered entities are the parties who produce, use, and otherwise come into contact with PHI the most. Business associates also come into contact with it regularly, so it applies to them too.
HIPAA explicitly requires covered entities who work with business associates to operate under a business associate contract.
The specific requirements for what it must include are sparse, so covered entities have discretion over the particular terms. The only guarantee is that the contract ensures a business associate helps the covered entity ensure HIPAA compliance.
Under a business associate contract HIPAA can essentially apply to business associates as though they are HIPAA covered entities.
The practical upshot is that business associates need to prepare for HIPAA compliance just like covered entities to avoid any future complications.
The HIPAA Privacy Rule is the first and most fundamental part of the entire HIPAA framework. It defines both PHI and covered entities, along with their (and their business associates’) essential responsibilities with respect to safeguarding PHI.
Namely, PHI needs to be made available to its subjects (persons identified within the PHI) at their request. But it also needs to be protected such that no unauthorized disclosures or uses, except for a set of permitted ones, can happen.
Some practical examples of permitted disclosures include using limited data sets for approved research or making certain information available for disease prevention or other public benefits.
See the HHS’s summary of the Privacy Rule for a comprehensive list of permitted PHI uses.
The Security Rule builds on the Privacy Rule, adding specific controls organizations need to apply to ensure the confidentiality, integrity, and availability of PHI.
There are two major kinds of measures the Security Rule requires covered entities and business associates to implement.
The first prescriptive requirement is programmatic risk analysis and management, including regular risk assessments that document, address, and ideally neutralize threats to PHI.
The other prescriptive requirement is implementing three sets of safeguards:
Originally, these protections applied only to electronic PHI (ePHI), but the HITECH Act extended its requirements to all PHI that covered entities and business associates come into contact with.
Covered entities and business associates also need to comply with the Breach Notification Rule, which requires monitoring and communication infrastructure to be in place to report on breaches as swiftly as possible.
HIPAA considers a breach to have happened if identifiable PHI is accessed without authorization in any way beyond the permitted uses and disclosures.
If a breach has occurred, the covered entity or business associate who becomes aware of it needs to provide notice to one or more parties.
In particular, notice needs to be given to all pirates impacted by the breach. The secretary of the HHS must also be notified. And, if the breach impacts 500 or more people, media outlets serving their community must be notified.
If the breach is discovered by the business associate, their responsibility may be to provide these notices or to inform the covered entity proper to handle other required notices.
The business associate agreement will detail all specific responsibilities related to this rule.
Unlike some other regulatory contexts, HIPAA does not require a certification assessment to affirm compliance. Instead, the HHS mandates that organizations operating in the field are HIPAA compliant, and assessments happen if a breach or other non-compliance incident occurs.
If a covered entity (or business associate) is found to be in violation, one or both parties may be subject to HIPAA enforcement, including fines and criminal charges.
In particular, business associate contracts often distribute the liability for noncompliance issues between the business associate and covered entity, depending on the responsible party for the particular data breach or incident in question.
In practice, causing a HIPAA violation might be a breach of contract, and it can open the business associate up to the HHS’s enforcement arm.
To avoid these possibilities, covered entities and business associates are encouraged to work with third-party HIPAA advisors and assessors to optimize all elements of their cyberdefenses.
If your organization works directly in healthcare, or it partners with other organizations that are covered entities, you may need to comply with HIPAA—or at least help a partner comply. If that’s the case, you’ll need to ensure that your cyberdefenses meet HIPAA standards.
RSI Security has helped countless organizations in and adjacent to healthcare comply with HIPAA. We know that the right way is the only way to keep sensitive data and patients safe.
Protect your organization from costly HIPAA violations, download our HIPAA Checklist today to ensure you’re fully compliant
If your organization needs to comply with HIPAA, you’ll need to safeguard protected health information (PHI) and keep an eye out for:
The Health Insurance Portability and Accountability Act (HIPAA) exists to ensure that protected health information (PHI) is safeguarded. The kinds of information that can qualify as PHI are defined in the Privacy Rule.
The first of these is any record that contains or pertains to an individual’s past, present, or future health conditions—including physical and mental health.
The first example is the most straightforward and involves the least abstraction. Records that contain identifiable information about a patient (i.e., their name—see below) alongside any information about their health conditions can qualify as PHI.
One common pitfall in this respect is the mishandling of demographic data pertaining to individuals’ disabilities. Even if collected or used in good faith, this information needs to be safeguarded to protect these individuals’ rights.
Closely related to the example above, yet distinct from it, PHI includes all records of healthcare services provided to an individual. The distinction is that the first example specifically hinges on whether or not a person is being identified alongside a condition (permanent or otherwise). But, in this case, a document is PHI if it associates an individual with a procedure they’ve received.
Common examples of service-provision PHI documents include:
Any organization that is subject to HIPAA needs to de-identify and/or protect these kinds of documents, and any traces of this kind of information. See below for guidance on how.
In addition, according to the HIPAA Privacy Rule protected health information includes records of past, present, or future payment made in exchange for the provision of healthcare. If #2 is an abstraction of #1, this type of PHI further abstracts the individual from their health concerns, qualifying a document as PHI if it associates an individual with a payment made for healthcare.
One common instance of payment information qualifying as PHI under HIPAA is credit card and other transaction records being maintained digitally. Often, records of this nature are kept for standard bookkeeping or even for compliance with other regulatory frameworks.
However, if they include patients’ names and other identifiable criteria, they may qualify as electronic protected information (ePHI). If so, they need to be de-identified and/or safeguarded.
Under HIPAA protected health information needs to be treated such that, if it were leaked or otherwise fell into the wrong hands, the individual it concerns could not be identified by it.
The Department of Health and Human Services (HHS) prescribes two de-identification methods:
Organizations subject to HIPAA, including both covered entities and their business associates, should utilize one or both methods as much as possible to minimize the scope of identifiable PHI within their systems. HIPAA data breaches concern identifiable PHI exclusively.
All protected health information, identifiable or not, needs to be safeguarded according to HIPAA’s prescriptive rules. The Privacy Rule, noted above, requires controlling use and disclosure and preventing all but a select set of permitted disclosures while also ensuring information subjects have the ability to access PHI about or concerning them on demand.
The Security Rule augments the Privacy Rule, adding proactive protections and controls that organizations need to install. These include administrative, physical, and technical safeguards, along with programmatic risk assessments that often necessitate the use of penetration tests.
Finally, there is the Breach Notification Rule, which requires monitoring and communication infrastructure to identify and report on any breach of identifiable PHI as soon as possible.
Critically, PHI is a relatively wide category of information that includes both health-specific documentation and more generalized records, such as payment data.
Organizations in and adjacent to healthcare need to be aware of these common PHI types that they may come across so that they can de-identify and safeguard them to maintain HIPAA compliance.
RSI Security has helped healthcare organizations and their strategic partners steer clear of HIPAA enforcement for over a decade.
We believe that discipline up-front unlocks greater freedom to grow down the road, and we’ll help you rethink and optimize your compliance.
To learn more about protected health information and HIPAA, contact RSI Security today!
The rise of cloud computing has transformed how industries manage data, and healthcare is no exception. From electronic medical records to telehealth platforms, cloud solutions now play a critical role in modern care delivery.
However, with this advancement comes increased responsibility. Due to strict legal and regulatory requirements, organizations in or affiliated with healthcare must prioritize cloud security in healthcare, specifically by securing sensitive systems and protected health information (PHI).
Ensuring robust cloud infrastructure security is essential to maintain compliance, protect patient data, and reduce cybersecurity risks.
Complying with HIPAA regulations doesn’t have to be overwhelming. By following these four essential steps, organizations can ensure they meet federal requirements and protect sensitive patient data:
From major hospitals to solo practitioners, nearly every organization in the healthcare industry, or anyone handling protected health information (PHI), must comply with the Health Insurance Portability and Accountability Act (HIPAA). This federal law establishes national standards for the privacy and security of patient data. Violations can result in significant penalties, both financial and reputational.
However, achieving and maintaining HIPAA compliance is often overwhelming. The HIPAA Privacy and Security Rules are complex, lengthy, and frequently updated, leaving many covered entities unsure of how to begin. Even when requirements are understood, building a complete, actionable HIPAA compliance checklist can be a daunting task.
To reduce risk and avoid costly non-compliance, both covered entities and business associates should proactively implement clear compliance strategies and safeguard patient data from the start.
The good news is once you get past all of the jargon and legalese, HIPAA compliance does break down into four main rules that medical providers and covered entities can address step by step: Privacy, Security, Enforcement, and Breach Notification.
By following our HIPAA compliance checklist that covers these four key areas of HIPAA regulations, you’ll know specifically what rules and regulations you need to follow to be fully protected. However, to be completely sure that they are checking all of the boxes, most professionals seek cyber security solutions with matters like these.
The first area of HIPAA compliance that any covered entity needs to consider is the Privacy Rule. From a 10,000-foot view, the Privacy Rule is designed to protect patients’ Protected Health Information (PHI) with regards to storage, communications, and transmissions of all shapes and sizes.
Whether it’s sending PHI via postage, email, or fax, all covered entities must take HIPAA specified precautions designed to ensure that all PHI does, indeed, remain private.
That being said, here are the five steps you should take to ensure that you are completely Privacy Rule Compliant:
Appoint a Privacy Officer – Make sure you assign someone whose responsibility it is to implement the Privacy Rule, aka a HIPAA Privacy Officer.
In small practices the Privacy Officer can be the actual doctor or an office manager. In large practices it may be a full-time job for a few weeks or months in the beginning, and a part-time job thereafter.
Either way, HIPAA requires that you have a Privacy Officer named, so make sure they’re officially designated and always in the loop.
Safeguard PHI – More than likely, you’re already taking a number of precautions to ensure that PHI is safe and secure.
While HIPAA does not provide specific guidance as to the exact measures that need to be taken, it does require that all covered entities take reasonable effort to ensure that PHI is protected. You may discuss patient PHI verbally, for instance, but be sure to take reasonable efforts to protect said PHI, such as discussing PHI only in a private room and not mentioning the patient by name.
Implement Policy & Procedures – One of the main duties of the Privacy Officer is to develop written policies and procedures for secure storage and communication of PHI, as well as training all staff to make sure all procedures are followed. You’ll need to require that all staff review these guidelines, hold meetings and training to review them, and have all staff sign documents certifying that they’ve received training, understand the policies, and will enforce them at all times.
Inform Patients – Under HIPAA, you’re required to inform patients of their rights under the Privacy Rule. This includes their right to access and view their PHI, their right to request changes or amendments to PHI, and their right to receive assistance with regards to any complaints. You can use a variety of forms and formats to describe to patients their rights, but to be HIPAA compliant it must be written in plain language that patients can understand.
Limit Third-Party Access – Finally, to be fully compliant with the Privacy Rule, you must be sure not to sell, share or grant access to patient data to outside companies, businesses, or organizations without patient consent. This normally includes lawyers, consultants, accountants, and the like. Truthfully, this is the easiest part of Privacy Rule compliance, as most covered entities won’t need to allow access to any third parties.
While the Privacy Rule covers policy, procedures, and patient consent, the HIPAA Security Rule requires covered entities to take appropriate physical, technical, and administrative safeguards. You’ll need to focus on each of these three areas to ensure the confidentiality, integrity, and security of all PHI. Potential breaches and violations can occur at any time, so you’ll want to follow the HIPAA risk assessment checklist below that covers all aspects of Security Rule compliance.
Technical Safeguards – This area focuses on the technology which protects PHI, as well as who controls and has access to those systems. While the Security Rule does not require the use of any specific technology (the standards were designed to be technology-neutral), there are areas in your technical safeguard risk assessment that need to be covered for compliance:
Physical Safeguards – As the name indicates, this aspect of the security rules pertains to physical access to PHI. Typically, this includes access to hard-copy files, computer hard drives, and other hardware that contains PHI. Your physical safeguard risk assessment should encompass the following:
Administrative Safeguards – Finally, you’re required to develop, document and implement policies and procedures to assess and manage administrative PHI risk:
Security Rule compliance goes much deeper, but these are the main areas you need to consider. It’s wise to work with a HIPAA compliance expert to ensure that you’re not missing anything with regards to the Security Rule.
Also commonly referred to as the Final Rule, the Enforcement Rule outlines the financial and criminal penalties for HIPAA non-compliance. This relates to any organizations, businesses, or healthcare-related entities that fail to adhere to various aspects of the other three rules.
Knowing the consequences of non-compliance is a key part to any HIPAA checklist you are developing, so here is an outline of the various levels of violations along with potential fines and penalties:
Unknowing Violation – You have taken safeguards, but they were not enough and somehow (unintentionally) PHI security was violated. This carries a minimum penalty of $100 per record and an annual maximum of $25,000 for repeat violations.
Reasonable Cause Violation – It’s been determined that you had reasonable cause to suspect lack of security of PHI was violated, but failed to take action. Fine of $1,000 per violation, with an annual maximum of $100,000.
Willful Neglect – The most severe form of violation possible, willful neglect penalties range from $10,000 to $50,000 per infraction, depending on whether or not you correct the problem within the HIPAA specified time period. Willful neglect penalties carry a maximum of $1.5 million per year.
As you can see, Enforcement Rule penalties can be quite severe and (in some cases) financially crippling. Make sure that your core compliance team knows the ins and outs of the Enforcement Rule as a precaution.
The final stage of your HIPAA compliance audit checklist is ticking all the right boxes as it relates to the Breach Notification Rule. This requires most providers to notify patients when there is a breach of unsecured PHI. The Breach Notification Rule also requires the entities to promptly notify the Department of Health and Human Services (HHS) if there is any breach of unsecured PHI, and notify the media and public if the breach affects more than 500 patients.
Here are the key aspects to the Breach Notification Rule to familiarize yourself with and develop a compliance strategy for in the event of a security breach:
Breach Definition – Acquisition, access, use or disclosure of PHI in violation of privacy rules is presumed to be a breach. There are exceptions to this definition, such as inadvertent or good faith PHI disclosures within your office.
Individual Notice – You must notify individuals without unreasonable delay, but no more than 60 days after a breach. Notice must be written, provide a description of the breach, describe actions taken in response, and suggest actions that the individual take to protect themselves.
HHS Notice – If the breach involves fewer than 500 people, you must submit annually to HHS by the March 1st deadline. If the breach involves more than 500 people, then HHS must be notified within 60 days.
Media Notice – Again, if the breach involves more than 500 people, you’re required to notify local and prominent state media within 60 days. You must issue a press release with the same basic information that’s required by HIPAA in the individual notice.
Associate Notice – Also be aware that if any of your business associates, vendors, or contractors are involved in a PHI breach, they’re required to notify the covered entity within 60 days no matter how large or small the breach is.
The bottom line for your Breach Notification checklist is that you be prepared to cover the above four bases in the event of a potential breach. Have policies and procedures in place that will serve to make contacting patients as quick as possible, and make sure that your HHS notices are filed properly and within the allotted amount of time.
No matter how you choose to structure your path to compliance, you need to make sure that your HIPAA checklist includes strategies to tackle all four key rules. Appoint a privacy officer and conduct regular training to ensure Privacy Rule compliance. Complete a risk assessment and audit of your physical, administrative and technical systems for HIPAA Security Rule compliance. Know the penalties and consequences of non-compliance as outlined by the Enforcement Rule. Have a Breach Notification and response plan in place so that, in the event that something does happen, you’ll know how to limit the damage and avoid further fines.
Most importantly, find an experienced HIPAA compliance partner to help you customize a checklist and roadmap that’s tailor-made for your specific practice. Each area of medicine is unique and deals with different forms of PHI in different manners, and speaking with a HIPAA expert like RSI Security will help ensure that you’re checking each and every single compliance box.
Most people agree that privacy is a fundamental human right. However, the rise of social media, digital communication, and the Internet has weakened traditional security barriers, making it easier to share documents and grant access to sensitive information with a single click. As a result, controlling who can access Personally Identifiable Information (PII) has become increasingly difficult. This challenge is especially critical for healthcare providers, who historically relied on paper records until the late 1990s and early 2000s. To address these concerns, the HIPAA Privacy Rule establishes strict guidelines for safeguarding patient data in today’s digital landscape.
In 2025, organizations operating in or alongside the healthcare industry must align with evolving HIPAA data security requirements to avoid costly violations.Whether you’re a healthcare provider, insurer, or third-party vendor handling protected health information (PHI), HIPAA mandates strict security controls for storing, transmitting, and managing patient data.
The HIPAA Security Rule outlines specific administrative, physical, and technical safeguards that covered entities must implement to protect electronic protected health information (ePHI). It applies to healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
Under this rule, covered entities are required to conduct regular risk assessments, implement access controls, use secure encryption protocols, and establish ongoing training and monitoring processes to ensure compliance. Failure to meet these requirements can lead to severe penalties, including fines and loss of trust
By adhering to the Security Rule, covered entities reduce the likelihood of breaches and ensure that patient information remains confidential, available, and unaltered—core goals of HIPAA compliance.
As digital connectivity grows between healthcare providers and patients, concerns about data privacy and secure access to medical records are front and center. Today’s patients, especially younger generations, expect both transparency and the ability to access their health data through electronic means like mobile devices.
To meet these expectations while protecting sensitive data, organizations must achieve HIPAA compliance, a legal requirement set by the Department of Health and Human Services (HHS).
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards to safeguard protected health information (PHI). If your organization works in or adjacent to healthcare, understanding HIPAA compliance is essential.
To ensure your company is HIPAA compliant, check out our HIPAA guide and checklist below.