2026 HIPAA Update Effective July 1, 2026.

    The Complete Guide

    What is HIPAA compliance?

    HIPAA compliance means meeting the federal standards that protect patient health information. Who it applies to, what it requires, what it costs to fail, and how modern healthcare organizations actually pass an OCR audit — updated for 2026.

    100% audit success rate
    Penalties up to $2,067,813 per violation
    $142M+ collected by OCR since 2003


    Quick Answer

    What is HIPAA compliance, in 60 seconds?

    HIPAA compliance means meeting the federal Health Insurance Portability and Accountability Act’s standards for protecting patient health information. It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates (any vendor or partner that handles PHI on their behalf). At a minimum, compliance requires four things: a documented risk analysis; written policies and procedures; documented workforce training; and signed Business Associate Agreements with every vendor that touches PHI.

    Failure carries civil penalties of up to $2,067,813 per violation category per calendar year (2024 inflation-adjusted figures), criminal penalties of up to $250,000 and 10 years imprisonment, and state-level civil actions. Settlements range from $100,000 (Doctors’ Management Services, 2023) to $16,000,000 (Anthem, 2018).


    Reviewed by

    Jim Johnson

    Founder, Live Compliance · Senior HIPAA compliance specialist with 15+ years serving healthcare organizations since 2010. Reviewed quarterly against current OCR enforcement guidance and the HIPAA Security Rule overhaul scheduled for mid-2026.


    Definition

    The HIPAA definition, formally

    HIPAA (the Health Insurance Portability and Accountability Act) is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. HIPAA compliance means meeting these standards through administrative, physical, and technical safeguards that protect the privacy and security of protected health information (PHI).

    PHI includes any individually identifiable health information — medical records, lab results, billing information, insurance details, and even conversations between providers about a patient’s care — whether stored electronically, on paper, or communicated verbally. When PHI is stored or transmitted electronically, it is referred to as electronic protected health information (ePHI), and it is subject to additional security requirements under the HIPAA Security Rule.

    HIPAA is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Since 2003, OCR has investigated over 300,000 HIPAA complaints and has collected more than $142 million in enforcement actions. Civil penalties range from $137 to $2,067,813 per violation (2024 inflation-adjusted), and criminal penalties include up to 10 years of imprisonment.

    Want to skip the reading?

    Take a free 10-minute audit-readiness assessment and find out exactly where you stand.

    Applicability

    Who needs to be HIPAA compliant?

    HIPAA applies to two categories of organizations: covered entities and business associates. If your organization falls into either category, you are legally required to comply with all applicable HIPAA rules.

    Covered Entities

    Organizations that directly handle protected health information as part of their core operations:

    • Health Plans: Health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid, and military/veterans' health programs.
    • Healthcare Providers: Hospitals, physicians, clinics, dentists, chiropractors, nursing homes, pharmacies, and any provider that transmits health information electronically.
    • Healthcare Clearinghouses: Entities that process nonstandard health information into standard formats, such as billing services and repricing companies.

    Business Associates

    Third-party vendors and contractors that create, receive, maintain, or transmit PHI on behalf of a covered entity:

    • IT Service Providers: Managed service providers, cloud hosting companies, EHR vendors, and data storage services that handle ePHI.
    • Billing and Coding Companies: Medical billing services, claims processors, and practice management companies with access to patient data.
    • Professional Services: Accountants, attorneys, consultants, and accreditation organizations that access PHI during their work.
    • Subcontractors: Any downstream vendor hired by a business associate that will also handle PHI. The HITECH Act, as implemented by the 2013 Omnibus Rule, extended HIPAA requirements directly to subcontractors.

    Regulatory Framework

    The four HIPAA rules

    HIPAA’s regulatory framework is built on four interconnected rules. Together, they establish what organizations must protect, how they must protect it, what must happen when protections fail, and what consequences follow non-compliance.

    01

    The Privacy Rule

    45 CFR Part 160 and Subparts A and E of Part 164

    The HIPAA Privacy Rule establishes national standards for when and how protected health information may be used and disclosed. It gives patients fundamental rights over their health information, including the right to examine and obtain a copy of their health records, the right to request corrections, and the right to know who has accessed their information. The Privacy Rule applies to all forms of PHI — electronic, paper, and verbal. It requires covered entities to implement policies that limit the use of PHI to the minimum necessary for the intended purpose, train all workforce members on privacy procedures, designate a Privacy Officer, and provide patients with a Notice of Privacy Practices explaining how their information will be used.

    02

    The Security Rule

    45 CFR Part 160 and Subparts A and C of Part 164

    The HIPAA Security Rule focuses specifically on electronic protected health information (ePHI) and requires covered entities and business associates to implement three categories of safeguards: administrative (risk assessments, workforce training, access management policies), physical (facility access controls, workstation security, device disposal procedures), and technical (access controls, audit controls, integrity controls, transmission security). Today each implementation specification is either 'required' or 'addressable' (implement it, or document why an equivalent alternative is reasonable). The Security Rule update proposed in the January 2025 NPRM would, if finalized as proposed, remove that distinction and make the following mandatory: organization-wide multi-factor authentication, encryption of all ePHI at rest and in transit, network segmentation, vulnerability scanning at least every six months, and annual penetration testing. Build controls to the final rule text, not to the proposal.

    03

    The Breach Notification Rule

    45 CFR Sections 164.400–414

    The Breach Notification Rule establishes specific procedures that covered entities and business associates must follow when a breach of unsecured PHI occurs. A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information; an impermissible use or disclosure is presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised. When a breach occurs, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If the breach affects 500 or more individuals, the covered entity must also notify the HHS Secretary within the same 60-day window, and if more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area. Business associates must notify the covered entity no later than 60 days after discovery; that is the Rule's outer limit, and BAAs commonly require faster notice. Breaches affecting fewer than 500 individuals must be logged and reported to HHS within 60 days of the end of the calendar year in which they were discovered.

    04

    The Enforcement Rule

    45 CFR Part 160, Subparts C, D, and E

    The Enforcement Rule defines the procedures for investigating HIPAA complaints, conducting compliance reviews, and imposing penalties for violations. It grants the HHS Office for Civil Rights the authority to investigate complaints filed by individuals, conduct proactive compliance audits, and negotiate resolution agreements with organizations found in violation. The Enforcement Rule establishes a tiered penalty structure based on the level of culpability — from violations where the organization was unaware and could not have reasonably known, to violations resulting from willful neglect. It also establishes procedures for hearings and appeals. The HITECH Act of 2009 significantly strengthened the Enforcement Rule by increasing penalty amounts, requiring HHS to investigate all complaints involving willful neglect, and extending enforcement authority directly to business associates.

    “Live Compliance is much more than a portal; it has transformed our operations by streamlining employee onboarding and policy management. This platform has significantly improved our compliance posture and simplified our processes.”

    Ryan Furlough

    CTO · Premier Radiology


    Requirements

    Key HIPAA requirements

    The HIPAA Security Rule organizes its requirements into three categories of safeguards. Each category addresses a different dimension of protecting electronic PHI — from organizational policies and workforce behavior to the physical environment and the technology infrastructure.

    Administrative Safeguards

    The policies, procedures, and internal processes that govern compliance management. They account for more than half of the Security Rule’s standards and are the category most frequently cited in OCR enforcement actions.

    • Risk Analysis and Management: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Implement security measures sufficient to reduce those risks to a reasonable and appropriate level.
    • Workforce Training and Management: Train all workforce members on your organization's security policies and procedures. Apply appropriate sanctions against workforce members who violate policies. Implement procedures for authorizing and supervising workforce access to ePHI.
    • Information Access Management: Implement policies and procedures for authorizing access to ePHI that are consistent with the Privacy Rule's minimum necessary standard. Establish role-based access so each workforce member can access only the ePHI needed for their job function.
    • Contingency Planning: Establish and implement a data backup plan, a disaster recovery plan, and an emergency mode operation plan. Test and revise contingency plans regularly. Analyze the criticality of applications and data to prioritize recovery efforts.
    • Security Incident Procedures: Implement policies and procedures to detect, report, and respond to security incidents. Document security incidents and their outcomes. Use incident data to refine safeguards and reduce future risk.

    Physical Safeguards

    These address the physical infrastructure and environment where ePHI is accessed, stored, and transmitted, and protect against unauthorized physical access, tampering, and theft.

    • Facility Access Controls: Implement procedures to control and validate physical access to facilities that house information systems containing ePHI. Maintain access control lists, visitor logs, and locked areas for server rooms and records storage.
    • Workstation Use and Security: Specify the proper functions and physical attributes of workstations that access ePHI. Implement physical safeguards for workstations, such as positioning screens away from public view, using privacy filters, and enabling automatic screen locks.
    • Device and Media Controls: Implement policies governing the receipt, removal, and disposal of hardware and electronic media that contain ePHI. Maintain records of hardware movements. Ensure ePHI is securely erased from devices before disposal or re-use.

    Technical Safeguards

    Technology and the related policies that protect ePHI and control access to it. These cover the systems and software used to store, process, and transmit electronic health information.

    • Access Controls: Implement technical policies and procedures that allow only authorized persons to access ePHI. Includes unique user identification, emergency access procedures, automatic logoff, and encryption/decryption mechanisms.
    • Audit Controls: Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Maintain audit logs and review them regularly to detect unauthorized access or anomalous activity.
    • Integrity Controls: Implement policies and procedures to protect ePHI from improper alteration or destruction. Use electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
    • Transmission Security: Implement technical security measures to guard against unauthorized access to ePHI being transmitted over electronic communications networks. Includes encryption of ePHI in transit and integrity controls to ensure data is not modified during transmission.
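The Audit Controls and Integrity Controls items above are usually described in policy language; the following is an added example, not code from this page or from Live Compliance, of what the two look like when built. It keeps an ePHI access log tamper-evident with an HMAC hash chain (editing, deleting or reordering an earlier entry breaks every later link) and runs the kind of periodic review OCR expects: flagging access by workforce members after their termination date (the Memorial Healthcare failure) and access outside a role's minimum-necessary scope. The event format, the roster, the role-to-table map, the signing key and the sample events are all constructed assumptions.

```python
"""Tamper-evident ePHI audit log with a periodic review pass.

Added example: not code from the page or from Live Compliance. The log format
(one dict per event), the workforce roster, the role-to-table map and the HMAC
key are constructed assumptions for illustration.
"""
from __future__ import annotations

import copy
import hashlib
import hmac
import json
from datetime import datetime

# Assumption: in production this key comes from a secrets manager or HSM and is
# held by the log collector, not by the application that writes the events.
LOG_KEY = b"example-log-signing-key-do-not-reuse"
GENESIS = "0" * 64


def _canonical(record: dict) -> bytes:
    # Stable serialization so the same event always yields the same MAC.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_mac(prev_mac: str, record: dict) -> str:
    # MAC over (previous MAC || event). Any change to an earlier entry, or
    # its removal, changes the input of every later entry's MAC.
    msg = prev_mac.encode() + b"|" + _canonical(record)
    return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()


def append_event(log: list[dict], record: dict) -> None:
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"rec": record, "mac": chain_mac(prev, record)})


def verify_chain(log: list[dict]) -> tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of first broken entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(chain_mac(prev, entry["rec"]), entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, -1


# Constructed roster: ISO-8601 termination timestamp, or None while active.
ROSTER = {"rn.alvarez": None, "dr.chen": None, "jdoe": "2025-03-01T00:00:00+00:00"}

# Constructed minimum-necessary map: which tables each role may touch.
ROLE_TABLES = {
    "nurse": {"vitals", "med_orders"},
    "physician": {"vitals", "med_orders", "notes", "labs"},
    "billing": {"claims", "demographics"},
}


def review(log: list[dict]) -> list[tuple[int, str, str]]:
    """Audit-control review: flag access by deprovisioned or unknown users and
    access outside the role's minimum-necessary scope."""
    findings: list[tuple[int, str, str]] = []
    for i, entry in enumerate(log):
        r = entry["rec"]
        ts = datetime.fromisoformat(r["ts"])
        if r["user"] not in ROSTER:
            findings.append((i, "unknown-user", r["user"]))
        else:
            term = ROSTER[r["user"]]
            if term is not None and ts >= datetime.fromisoformat(term):
                findings.append((i, "terminated-user-access", r["user"]))
        if r["table"] not in ROLE_TABLES.get(r["role"], set()):
            findings.append((i, "out-of-role-access", f'{r["role"]}->{r["table"]}'))
    return findings


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T09:12:00+00:00", "user": "rn.alvarez", "role": "nurse",
     "action": "read", "table": "vitals", "patient": "P-1001"},
    {"ts": "2025-03-03T09:15:00+00:00", "user": "dr.chen", "role": "physician",
     "action": "read", "table": "labs", "patient": "P-1001"},
    {"ts": "2025-03-03T23:40:00+00:00", "user": "jdoe", "role": "billing",
     "action": "read", "table": "demographics", "patient": "P-2002"},
    {"ts": "2025-03-04T10:02:00+00:00", "user": "rn.alvarez", "role": "nurse",
     "action": "read", "table": "claims", "patient": "P-1001"},
]


def build_sample_log() -> list[dict]:
    log: list[dict] = []
    for ev in SAMPLE_EVENTS:
        append_event(log, ev)
    return log


def tampered_copy(log: list[dict], index: int, field: str, value: str) -> list[dict]:
    """Deep copy with one field of one event altered, as an after-the-fact edit would be."""
    bad = copy.deepcopy(log)
    bad[index]["rec"][field] = value
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log))
    for finding in review(log):
        print("finding:", finding)
    print("after edit:", verify_chain(tampered_copy(log, 1, "patient", "P-9999")))
```

Two design points worth carrying into a real system: the key that signs the chain must not be available to the application whose activity is being logged, or an attacker who compromises that application can rewrite history and re-sign it; and the review has to run against a current HR feed, because the "terminated" date only exists in the log review if someone actually wires deprovisioning data into it.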

    Free download · PDF

    Want the printable version?

    Get the free 2026 HIPAA Compliance Checklist — 50 points across administrative, physical, and technical safeguards. Email only. No call required.

    The Stakes

    Real OCR settlements. Real organizations.

    Every settlement below is a matter of public record: OCR publishes each resolution agreement and corrective action plan, and the underlying breaches appear on the OCR breach portal (the “Wall of Shame”). The pattern: most weren’t big-name brands. The smallest organization on this list paid $100,000 for a single ransomware incident.

    Anthem Inc.

    2018

    $16,000,000

    78.8M individuals

    Largest HIPAA settlement in history

    A series of cyberattacks led to the largest health-data breach ever recorded. OCR cited inadequate technical safeguards, insufficient ePHI access reviews, and failure to implement minimum-necessary access controls.

    Premera Blue Cross

    2020

    $6,850,000

    10.4M individuals

    Risk-analysis failures

    An undetected attacker had access to the ePHI of 10.4 million members for nearly a year. OCR found systemic failures to conduct an enterprise-wide risk analysis and to implement risk-management measures sufficient to reduce risks to a reasonable level.

    Excellus Health Plan

    2021

    $5,100,000

    9.3M individuals

    Unencrypted PHI exposed for 18 months

    A multi-year network intrusion exposed names, dates of birth, SSNs, financial account information, and clinical treatment data. OCR's investigation focused on inadequate risk analysis, risk management, information-system activity review, and access controls.

    Memorial Healthcare System

    2017

    $5,500,000

    115,143 individuals

    Inadequate access termination

    The login credentials of a former employee of an affiliated physician's office stayed active and were used to access ePHI daily for about a year after that person left, and workforce members accessed more records than their jobs required. OCR cited the failure to terminate access promptly, to enforce minimum-necessary access, and to regularly review audit logs and other records of information-system activity.


    Lifespan Health System

    2020

    $1,040,000

    20,431 individuals

    One stolen laptop

    A single unencrypted laptop was stolen from an employee's car. The cost: over a million dollars in penalties and a multi-year corrective action plan. The episode is the textbook reason every small organization needs encryption — not just the big ones.


    Doctors' Management Services

    2023

    $100,000

    206,695 individuals

    First-ever ransomware settlement

    A medical-management company experienced a ransomware attack in which the intruder had access to its network for nearly two years before detection. It was the first OCR settlement specifically for a ransomware incident, establishing that being the victim of ransomware does not excuse the Security Rule failures (here, risk analysis and information-system activity review) that let the intrusion go unnoticed.

    All settlements above are matters of public record. Source: HHS Office for Civil Rights resolution agreements and corrective action plans, published at hhs.gov/hipaa/for-professionals/compliance-enforcement/resolution-agreements.

    Enforcement

    HIPAA violation penalties (2024 amounts)

    Civil monetary penalties for HIPAA violations are inflation-adjusted annually under the Federal Civil Penalties Inflation Adjustment Act. The figures below reflect the current 2024 amounts as published by HHS. The annual cap per violation category was $2,067,813 as of 2024.

    Tier 1

    Lack of Knowledge

    $137 – $68,928 per violation

    Up to $2,067,813/year

    The covered entity or business associate did not know, and by exercising reasonable diligence would not have known, that a provision was violated.

    Tier 2

    Reasonable Cause

    $1,379 – $68,928 per violation

    Up to $2,067,813/year

    The violation was due to reasonable cause and not willful neglect. The organization knew, or should have known, about the violation but could not have avoided it with reasonable care.

    Tier 3

    Willful Neglect (Corrected)

    $13,785 – $68,928 per violation

    Up to $2,067,813/year

    The violation resulted from willful neglect of HIPAA requirements, but the organization corrected the violation within 30 days of discovery.

    Tier 4

    Willful Neglect (Not Corrected)

    $68,928 – $2,067,813 per violation

    Up to $2,067,813/year · penalty mandatory

    The violation resulted from willful neglect and was not corrected within 30 days. This tier carries the maximum penalty, and under HITECH a civil penalty is mandatory rather than discretionary; OCR must also formally investigate any complaint whose preliminary review indicates possible willful neglect.

    Additional penalty provisions

    • Criminal penalties: Individuals who knowingly obtain or disclose PHI in violation of HIPAA face criminal penalties up to $50,000 and 1 year imprisonment. False pretenses: up to $100,000 and 5 years. Intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: $250,000 and 10 years.

    • State attorneys general: The HITECH Act authorizes state attorneys general to bring civil actions on behalf of state residents for HIPAA violations, with damages up to $25,000 per violation category per calendar year. Several states have imposed penalties exceeding those from OCR, typically by combining HIPAA counts with claims under state consumer-protection and breach-notification laws.

    Source: 45 CFR § 102.3, as inflation-adjusted in the Federal Register. Amounts are adjusted annually, but the adjustment is not published at a fixed time of year; check the current table before quoting a figure.

    Audit-Pass Guarantee

    Skip the $2M risk. Be audit-ready in 60 days.

    Live Compliance handles all 18 modules of an OCR-defensible compliance program in one platform — or we keep working at no additional charge until you pass.

    Or see how the platform works

    Pitfalls

    Common HIPAA compliance mistakes

    The majority of HIPAA enforcement actions stem from a small number of recurring failures. These are the mistakes that show up in the OCR settlements above — over and over.

    01

    Failing to Conduct a Comprehensive Risk Analysis

    The Security Rule requires an "accurate and thorough assessment" of risks to ePHI — not a checkbox exercise. OCR has cited inadequate risk analysis in nearly every major HIPAA settlement, including Anthem, Premera, Excellus, and Banner Health. A proper risk analysis must cover all systems that create, receive, maintain, or transmit ePHI; identify all reasonably anticipated threats; assess current safeguards; determine the likelihood and impact of each threat; and assign risk levels.

    02

    Inadequate or Infrequent Workforce Training

    HIPAA requires that all workforce members receive training on policies and procedures relevant to their job function. "All workforce members" includes employees, volunteers, trainees, contractors, and anyone else under the organization's direct control. Yet many organizations provide training only at hire, fail to update training when policies change, or cannot produce documentation proving training was completed. Annual refresher training with documented completion is the standard that OCR expects to see.

    03

    Operating Without Business Associate Agreements

    Every vendor, contractor, or service provider that handles PHI on your behalf must have a signed, current BAA before they receive access to any patient information. This includes cloud storage providers, email services used for patient communication, shredding companies, IT support, and answering services. Organizations routinely discover they have dozens of vendors handling PHI without BAAs — each one representing a separate HIPAA violation.

    04

    Weak or Non-Existent Access Controls

    HIPAA requires that access to ePHI be limited to authorized individuals on a need-to-know basis. Common failures include shared login credentials, failure to terminate access when employees leave (Memorial Healthcare System, $5.5M), granting administrative access to users who do not need it, and failing to implement automatic session timeouts. Every user who accesses ePHI should have a unique identifier, and access logs should be reviewed regularly.

    05

    No Documented Incident Response Plan

    When a potential breach occurs, organizations without a documented incident response plan waste critical time determining what to do, who to notify, and how to investigate. The Breach Notification Rule imposes strict timelines: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, and the clock starts when the breach is known (or would have been known with reasonable diligence) to any workforce member or agent, not when leadership is told. Organizations that scramble to respond after an incident consistently make errors that increase their legal exposure: they miss notification deadlines, fail to preserve evidence, provide incomplete notifications, or fail to conduct the required four-factor breach risk assessment.

    06

    Treating Compliance as a One-Time Project

    HIPAA compliance is not a checklist that you complete once and file away. It is an ongoing program that requires continuous monitoring, regular updates, and periodic reassessment. Policies must be reviewed and updated annually or whenever there are significant changes to your organization or environment. Risk assessments must be repeated regularly. Training must be refreshed. New vendors must be vetted and covered by BAAs. Organizations that treat compliance as a project rather than a program inevitably fall out of compliance within months of their initial implementation.


    Find out where you stand in 10 minutes.

    Take a free audit-readiness assessment and see exactly where your compliance gaps are. Then, if you want, we’ll get you to 100% audit-ready in 60 days — or we keep working at no additional charge until you are.

    Or talk to a specialist

    ~10 minutes · No credit card · No call required