HIPAA Compliance & Security Services

HIPAA compliance refers to meeting the requirements set forth in the Health Insurance Portability and Accountability Act of 1996 and its subsequent rules — the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule. Two categories of organizations must comply: covered entities (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically) and business associates (any person or organization that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity). This includes cloud hosting providers, IT service companies, software vendors, billing services, and any subcontractor in the data processing chain. If your organization creates, receives, maintains, or transmits protected health information in any form, you are required to comply with the applicable HIPAA rules.

A HIPAA security risk assessment (SRA) is the foundational requirement of the Security Rule under §164.308(a)(1)(ii)(A). It requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization. The SRA must identify every system that stores, processes, or transmits ePHI, evaluate the threats specific to your environment, assess the likelihood and impact of each threat, and determine whether your current security controls adequately mitigate the identified risks. While HIPAA does not specify an exact frequency, the OCR expects organizations to review and update their risk assessment at least annually and whenever significant changes occur — such as new systems, organizational restructuring, or security incidents. Failing to conduct an adequate SRA is the most frequently cited deficiency in OCR enforcement actions.

HIPAA compliant software must implement the technical safeguards specified in §164.312 of the Security Rule. At minimum, this includes unique user identification so every user has a distinct identifier, access controls that restrict ePHI access based on role and authorization level, audit controls that record and examine activity in systems containing ePHI, integrity mechanisms that protect ePHI from improper alteration or destruction, and transmission security including encryption for ePHI sent over electronic networks. Beyond the technical controls, the software must support the administrative requirements — including the ability to implement the minimum necessary standard, enforce access termination when workforce members leave, and generate audit logs sufficient for security incident investigation. The development process itself must follow secure software development lifecycle practices, and the hosting environment must meet HIPAA physical and technical safeguard requirements with a signed Business Associate Agreement from every infrastructure provider.

A Business Associate Agreement (BAA) is a written contract required under §164.314(a) between a covered entity and any person or organization that performs functions involving the use or disclosure of protected health information on the covered entity's behalf. The BAA must establish the permitted and required uses and disclosures of PHI by the business associate, require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure, require reporting of security incidents and breaches, ensure that any subcontractors agree to the same restrictions, and mandate the return or destruction of PHI at the end of the relationship. A BAA is required before any business associate accesses PHI — this includes cloud hosting providers like AWS and Azure, SaaS application vendors, IT managed service providers, medical billing companies, and even shredding services that handle paper records containing PHI. Without a valid BAA, sharing PHI with a third party is itself a HIPAA violation.

HIPAA technical safeguards are the technology-based protections required under §164.312 of the Security Rule to control access to electronic protected health information (ePHI) and protect it during storage and transmission. There are five technical safeguard standards: access control (§164.312(a)), which requires unique user identification, emergency access procedures, automatic logoff, and encryption/decryption of ePHI; audit controls (§164.312(b)), which require hardware, software, and procedural mechanisms to record and examine access to ePHI; integrity controls (§164.312(c)), which require mechanisms to authenticate ePHI and protect it from improper alteration or destruction; person or entity authentication (§164.312(d)), which requires procedures to verify that a person or entity seeking access to ePHI is who they claim to be; and transmission security (§164.312(e)), which requires encryption and integrity controls for ePHI transmitted over electronic networks. Unlike administrative safeguards that focus on policies and procedures, technical safeguards are implemented directly in your IT systems, EHR platforms, integration engines, and cloud infrastructure. Each specification is classified as either required or addressable — addressable does not mean optional, but rather that the organization must assess whether the specification is reasonable and appropriate, and if not, document why and implement an equivalent alternative.

The HIPAA Breach Notification Rule (§§164.400-414) requires covered entities to notify affected individuals, HHS, and in some cases the media, after a breach of unsecured protected health information. A breach is presumed whenever PHI is improperly accessed, used, or disclosed unless the covered entity demonstrates through a documented risk assessment that there is a low probability the PHI was compromised. For breaches affecting 500 or more individuals, the covered entity must notify affected individuals within 60 calendar days of discovery, report to HHS without unreasonable delay, and notify prominent media outlets serving the affected state or jurisdiction. Breaches affecting fewer than 500 individuals must be reported to HHS within 60 days of the end of the calendar year in which they were discovered. Business associates must notify the covered entity of a breach within 60 days of discovery so the covered entity can fulfill its notification obligations.

A comprehensive HIPAA compliance checklist should cover all three safeguard categories plus organizational and documentation requirements. For administrative safeguards: risk analysis completion, security officer designation, workforce training records, contingency planning, and BAA tracking for all vendors. For physical safeguards: facility access controls, workstation use policies, device and media disposal procedures, and visitor management. For technical safeguards: access control implementation, audit logging configuration, encryption at rest and in transit, integrity controls, and automatic session termination. Beyond the safeguards, your checklist should verify that you have a current Notice of Privacy Practices, patient rights request procedures, minimum necessary policies, incident response and breach notification procedures, and documentation retention practices meeting the six-year HIPAA requirement. Organizations pursuing additional certifications like HITRUST CSF, SOC 2, or ISO 27001 should align their HIPAA checklist with those frameworks — our healthcare compliance consulting team can help map overlapping controls. The checklist should be reviewed and updated annually alongside your security risk assessment to capture regulatory changes and new systems.

Preparing for an OCR audit requires organized documentation, verified controls, and staff readiness across every HIPAA requirement. Start with your security risk assessment — it is the single most scrutinized document in any OCR audit, and it must be current, thorough, and specific to your environment rather than a generic template. Assemble your complete policy library and verify that each policy has been reviewed and updated within the past year. Compile evidence of workforce training including attendance records, training materials, and completion dates. Document all Business Associate Agreements with current signatures and verify that each vendor relationship has been assessed for compliance. Test your technical controls by reviewing audit logs, verifying encryption settings, confirming access control configurations, and validating backup and recovery procedures. Finally, conduct a mock audit using the OCR Audit Protocol as your framework — it covers 180 audit inquiries across the Privacy, Security, and Breach Notification Rules and gives you a precise picture of what investigators will examine.

HIPAA penalties are structured in four tiers based on the level of culpability established during an OCR investigation. Tier 1 covers violations where the covered entity was unaware and could not have reasonably avoided the violation, with penalties ranging from $137 to $68,928 per violation. Tier 2 applies to violations due to reasonable cause rather than willful neglect, with penalties from $1,379 to $68,928 per violation. Tier 3 addresses willful neglect that is corrected within 30 days, with penalties from $13,785 to $68,928 per violation. Tier 4 covers willful neglect that is not corrected, carrying penalties from $68,928 to $2,067,813 per violation. The annual maximum for identical violations within a calendar year is capped at $2,067,813 per violation category. Beyond civil monetary penalties, criminal penalties under §1177 can include fines up to $250,000 and imprisonment up to 10 years for offenses committed with intent to sell or use PHI for personal gain. State attorneys general may also bring enforcement actions, and class-action lawsuits following breaches can add millions in litigation costs.