What is HIPAA Compliance?

HIPAA Compliance refers to meeting the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which sets national standards for protecting sensitive patient health information. It involves following the Privacy Rule, Security Rule, and Breach Notification Rule.

What are the three HIPAA rules for compliance?

The three HIPAA rules are: (1) Privacy Rule – governs permitted uses and disclosures of protected health information (PHI), (2) Security Rule – requires safeguards for electronic PHI (ePHI), and (3) Breach Notification Rule – mandates specific actions and notifications when PHI or ePHI is compromised.

Does HIPAA require certification?

No, HIPAA does not require formal certification. Instead, organizations must conduct regular risk assessments and self-audits to ensure ongoing compliance with the Privacy, Security, and Breach Notification Rules.

How can companies conduct a HIPAA compliance self-assessment?

A HIPAA compliance self-assessment involves evaluating adherence to the Privacy, Security, and Breach Notification Rules. This includes inventorying PHI, auditing safeguards for electronic PHI, performing regular risk analyses, and testing breach notification readiness.

Why should organizations work with a HIPAA compliance advisor?

Working with a HIPAA compliance advisor ensures long-term compliance and reduces risk. Experts provide guidance on risk assessments, safeguards, employee training, penetration testing, and breach readiness to help organizations stay audit-ready.

Guide to HIPAA Compliance Self Assessment

RSI Security

4 years ago

Companies directly or indirectly involved in healthcare must navigate HIPAA compliance requirements. A key part of maintaining compliance is performing regular HIPAA self-assessments. Whether conducted independently or with the guidance of experienced professionals, these audits help prevent costly violations while strengthening overall cybersecurity and data protection strategies.

HIPAA Self-Assessment: Optimizing Compliance and Security

Unlike some other cybersecurity regulations, HIPAA compliance does not require formal certification. Instead, audits conducted by the U.S. Department of Health and Human Services (HHS) typically occur only when non-compliance is suspected. However, one HIPAA rule mandates regular risk assessments, and implementing broader self-auditing practices can help organizations maintain long-term compliance and protect sensitive data.

A comprehensive HIPAA compliance self-assessment generally focuses on three major areas:

Privacy Rule Compliance: Ensuring permitted uses and disclosures of protected health information (PHI) are followed.
Security Rule Compliance: Conducting risk analyses and implementing required safeguards to protect electronic PHI (ePHI).
Breach Notification Readiness: Preparing to meet the requirements of the Breach Notification Rule in the event of a data breach.
In the following sections, we’ll explore the most critical requirements of each rule and explain how they should guide your organization’s HIPAA self-assessments.

How to Self-Assess for HIPAA Compliance with the Privacy Rule

The first and most essential focus of any HIPAA compliance self assessment is ensuring adherence to the Privacy Rule. This rule identifies the types of information HIPAA considers sensitive, primarily protected health information (PHI). It also specifies which parties the rule applies to, including covered entities, such as healthcare providers, health plan administrators, and clearinghouses, as well as their business associates.

The Privacy Rule’s main function is to establish clear conditions under which PHI can or must be used or disclosed. PHI may only be used or shared in specific circumstances outlined by the rule or when the individual has provided written authorization.

To effectively self-assess for Privacy Rule compliance, start by inventorying all data to identify what qualifies as PHI. Then, examine your data handling processes for potential misuse or vulnerabilities that could result in a Privacy Rule violation. Regularly performing this assessment helps organizations maintain strong HIPAA compliance and reduce the risk of costly penalties.

Request a Free Consultation

Privacy Rule Permitted and Required Uses and Disclosures

According to the U.S. Department of Health and Human Services (HHS), there are two situations where disclosure of protected health information (PHI) is required:

To the individual who is the subject of the PHI
To HHS, when requested as part of an investigation

Beyond these requirements, the Privacy Rule outlines six categories of permitted uses and disclosures of PHI:

Disclosure to the PHI Subject: Covered entities may provide PHI to the individual or their authorized representative, such as a spouse or immediate family member.
For Specific Operational Purposes: PHI can be shared among covered entities or select parties for healthcare-related operations, including:
- Treatment: Direct provision, coordination, or management of healthcare services
- Payment: Collecting, processing, and managing payments
- Healthcare Operations: Administrative, managerial, and operational tasks
Consent-Based Disclosures: PHI may be disclosed if the subject provides informal consent, or if the individual is incapacitated and the disclosure is in their best interest.
Incidental Disclosures: Minor, unintended disclosures that occur as part of authorized uses are not considered violations.
Public Interest or Benefit Disclosures: PHI may be disclosed for public interest reasons, such as:
- Required by law or court order
- Public health activities
- Protection of abuse victims
- Health oversight agencies
- Judicial or administrative proceedings
- Law enforcement purposes
- Matters concerning deceased individuals
- Organ, eye, or tissue donation
- Research aimed at generating general knowledge
Limited Data Set Disclosures: PHI may be shared in a limited data set with personal identifiers removed, provided recipients follow agreed-upon safeguards.

All permitted uses of PHI, except for most disclosures to the individual, must adhere to the Minimum Necessary Requirement, limiting access to only what is required for the purpose. Additional Privacy Rule considerations include notifying individuals about how their PHI is used and stored. However, the most critical factors for a HIPAA compliance self-assessment are ensuring proper restrictions and controls over PHI access.

HIPAA Compliance

How to Self-Assess for HIPAA Compliance with the Security Rule

The HIPAA Security Rule extends Privacy Rule protections to all electronic protected health information (ePHI). Its purpose is to ensure the confidentiality, integrity, and availability of ePHI:

Confidentiality: Preventing unauthorized access to sensitive data (aligned with Privacy Rule protections).
Integrity: Ensuring information is accurate, complete, and free from improper changes or deletions.
Availability: Guaranteeing authorized users can quickly and reliably access ePHI for approved use cases.

The Security Rule requires covered entities and business associates to implement safeguards that prevent unauthorized access and protect against anticipated security threats. For a HIPAA compliance self-assessment, organizations should focus on two core steps:

Conduct Regular Risk Assessments: Evaluate potential vulnerabilities and risks to ePHI, a requirement under the Security Rule.
Audit Safeguards and Infrastructure: Review administrative, technical, and physical safeguards to ensure compliance and identify gaps.

While Security Rule protections specifically apply to electronic PHI, the required safeguards often affect the handling of all PHI. For that reason, organizations should test all systems and storage environments to confirm data protection across every format.

Security Rule Risk Analysis Requirements and Available Toolkits

The HIPAA Security Rule requires organizations to perform a risk assessment, but it does not mandate a specific format or official HIPAA self-assessment questionnaire. Instead, the U.S. Department of Health and Human Services (HHS) provides detailed guidance and resources that organizations can use, but are not required to follow to support compliance efforts. These tools should inform and strengthen your self-assessment process.

HHS recommends an analytical approach based on the National Institute of Standards and Technology (NIST) Special Publication 800-30 (SP 800-30), Guide for Conducting Risk Assessments. This framework outlines how to:

Identify internal vulnerabilities and external threats
Analyze the relationships between vulnerabilities and threats
Evaluate likelihood and potential impact
Assign risk levels and prioritize mitigation strategies

The recommended scope includes measuring these factors, documenting results, and continuously reviewing and updating safeguards to reduce identified risks.

Additionally, HHS points covered entities and business associates to resources such as:

NIST’s Security Content Automation Protocol (SCAP)
The Security Risk Assessment (SRA) Tool, jointly maintained by HHS and the Office of the National Coordinator for Health Information Technology (ONC) at HealthIT.gov

Incorporating these resources into your HIPAA compliance self-assessment ensures a structured, repeatable process for managing risk and protecting electronic protected health information (ePHI).

Security Rule Administrative, Physical, and Technical Safeguards

In addition to risk assessments, the HIPAA Security Rule requires covered entities and business associates to implement a set of administrative, physical, and technical safeguards. These safeguards are prescriptive requirements designed to protect electronic protected health information (ePHI) and are a critical focus of any HIPAA compliance self-assessment.

According to HHS, organizations must establish the following safeguards:

1. Administrative Safeguards: Policies and procedures that govern overall security management:

Security management processes based on risk assessments and mitigation strategies
Designated security personnel with defined roles and responsibilities
Information access management aligned with Privacy Rule use cases
Ongoing workforce training covering PHI and ePHI security practices
Regular evaluations of security programs to ensure ongoing compliance

2. Physical Safeguards: Measures that restrict physical access to systems and facilities:

Controlled access to buildings and facilities, limited to authorized personnel
Secure workstations and devices, including safe transport and disposal practices

3. Technical Safeguards: Technology-based controls to protect and monitor ePHI:

Access controls, using authentication and authorization policies
Audit controls, including secure logging and regular monitoring
Integrity controls, such as dashboards and monitoring tools to prevent unauthorized changes
Transmission security, ensuring safe handling of ePHI across networks

Covered entities should regularly assess existing infrastructure to confirm these safeguards are in place and functioning as intended. Ideally, controls should not only meet HIPAA’s minimum requirements but exceed them to strengthen overall cybersecurity resilience.

Finally, note that the Security Rule preempts most conflicting state or local laws. As a federal regulation, HIPAA compliance takes priority in nearly all applicable cases.

HIPAA Compliance

How to Self-Assess Preemptive Breach Notification Readiness

The final prescriptive requirement under the HIPAA framework is the Breach Notification Rule. Unlike the Privacy and Security Rules, it does not mandate specific safeguards or security architecture. Instead, it outlines the actions organizations must take when a data breach occurs, including timely notifications to affected parties and regulators.

Under this rule, a data breach is defined as any instance where PHI or ePHI is used or disclosed in a way that violates the Privacy Rule or compromises the Security Rule’s principles of confidentiality, integrity, or availability.

Exceptions to this definition include:

Situations where the probability of compromise is proven to be low
Disclosures between authorized parties with access to the same information
Instances where the recipient cannot retain or use the disclosed information (e.g., if the data is encrypted)

For a strong HIPAA compliance self-assessment, organizations should evaluate their readiness for breach response by ensuring:

Incident Detection and Visibility: Systems can quickly identify unauthorized access or disclosures of PHI/ePHI.
Communication Infrastructure: Processes are in place to notify affected individuals, HHS, and (in some cases) the media within the required timelines.
Documentation and Review: All breaches and responses are logged, investigated, and used to strengthen security going forward.

By testing and refining breach response procedures, organizations can maintain compliance with the Breach Notification Rule and minimize the impact of potential incidents.

Required Individual, Secretary, and Media Notification of Breaches

If a breach of PHI or ePHI occurs and violates the Privacy or Security Rule, covered entities are legally required to notify specific parties within strict timelines. These requirements fall under the HIPAA Breach Notification Rule and apply not only to covered entities but also to business associates involved in the incident.

Here’s what compliance requires:

1. Individual Notice

All affected individuals must be notified in writing without unreasonable delay, and no later than 60 days after discovery of the breach.
Notices may be sent via email if the individual has previously agreed to electronic communication.
If the entity does not have contact information for 10 or more affected individuals, it must provide substitute notice. This can be through local print or broadcast media or a prominently posted notice on the organization’s website homepage for at least 90 days.

2. Secretary of HHS Notice

All breaches must also be reported to the Secretary of Health and Human Services (HHS).
For breaches affecting fewer than 500 individuals, notice can be submitted annually, no later than 60 days after the end of the calendar year in which the breach occurred.
For breaches involving 500 or more individuals, the notice must be submitted within the same timeframe as the individual notice (within 60 days of discovery).

3. Media Notice

If a breach affects 500 or more residents of a single state or jurisdiction, covered entities must also notify at least one prominent media outlet in that area.
This notification, often in the form of a press release, must follow the same 60-day timeline and include the same information provided to affected individuals.

Business Associate Responsibility
If a business associate discovers a breach, it must notify the covered entity as soon as possible, but no later than 60 days after discovery. The covered entity then assumes responsibility for issuing all required notices.

Self-Assessment Tip:
To ensure HIPAA compliance, organizations should regularly test their incident response and notification processes, including coordination with third-party vendors, to confirm they can meet all federal reporting timelines.

Professional HIPAA Compliance Advisory and Assessment

While self-assessments are an essential step toward HIPAA compliance, covered entities and business associates often need additional expertise to stay fully aligned with the Privacy, Security, and Breach Notification Rules. The most effective way to ensure long-term compliance is by partnering with a trusted HIPAA compliance advisory firm.

At RSI Security, our team has over a decade of experience helping healthcare organizations and their business associates:

Conduct in-depth HIPAA self-assessments to identify compliance gaps.
Implement and optimize security architecture that meets HIPAA requirements.
Deliver awareness and training programs to reduce employee-related risks.
Perform penetration testing and vulnerability assessments to safeguard PHI and ePHI.

Our proven approach goes beyond checklists, We help organizations build sustainable compliance programs that reduce regulatory risk and strengthen overall cybersecurity.

Contact RSI Security to schedule a consultation and see how our HIPAA compliance experts can help you achieve, maintain, and demonstrate full compliance.