HIPAA has been around since 1996, but I still regularly encounter healthcare organizations — and their vendors — with fundamental misunderstandings about what it actually requires. Let's fix that.
HIPAA's Three Rules
Most people know about HIPAA without knowing that the regulations security teams actually work against are three distinct rules issued by HHS: the Privacy Rule, the Security Rule, and the Breach Notification Rule. They work together, but they address different things.
The Privacy Rule governs how Protected Health Information (PHI) can be used and disclosed, in any form. The Security Rule covers only electronic PHI (ePHI) and requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect it. The Breach Notification Rule dictates what you have to do when unsecured PHI is compromised.
Security professionals primarily focus on the Security Rule, so that's where we'll spend our time.
What the Security Rule Requires
The Security Rule is organized around three categories of safeguards:
Administrative safeguards are the policies, procedures, and training that form the governance foundation. This includes a documented risk analysis (required, not optional), a risk management plan, security awareness training, and access management procedures.
Physical safeguards cover controls on physical access to systems and facilities — workstation policies, device controls, media handling.
Technical safeguards are your technical controls: access control (unique user identification, emergency access procedures, automatic logoff, encryption and decryption), audit controls (recording and examining activity in systems that hold ePHI), integrity controls (detecting improper alteration or destruction of ePHI), person or entity authentication, and transmission security. Note that the Security Rule labels each implementation specification as either "required" or "addressable". Addressable does not mean optional: you must either implement the specification, or document why it is not reasonable and appropriate for your environment and implement an equivalent alternative. Automatic logoff and encryption are addressable; unique user identification is required.
The Risk Analysis Problem
HHS OCR, the Office for Civil Rights that enforces the HIPAA rules, has stated repeatedly that failure to conduct an accurate and thorough, organization-wide risk analysis is the most common finding in HIPAA investigations and audits. It is also a required implementation specification under the Security Rule (45 CFR 164.308(a)(1)(ii)(A)), not an addressable one.
An adequate risk analysis isn't a security questionnaire or a vendor-provided tool output. It requires:
- Identifying where all ePHI lives in your environment
- Identifying the threats and vulnerabilities to that ePHI
- Assessing the likelihood and impact of those threats materializing
- Documenting your existing controls and the residual risk
This is a meaningful exercise, not a box-checking activity. And it needs to be updated when significant changes occur in your environment.
Business Associates Get Covered Too
If you're a vendor providing services to a healthcare organization and you create, receive, maintain, or transmit ePHI on its behalf, you're a Business Associate (BA) under HIPAA. You need a Business Associate Agreement with your covered entity customers, and you're directly subject to the Security Rule's requirements. The HITECH Act of 2009 made BAs directly liable, and the 2013 Omnibus Rule made this explicit in the regulations; it also extended BA status to subcontractors that handle ePHI for a BA.
I've seen many technology vendors get surprised by this. "We just store the data, we don't look at it" isn't a meaningful distinction under HIPAA.
Enforcement Is Real
HHS OCR has collected hundreds of millions of dollars through settlements and civil monetary penalties, with individual cases ranging from tens of thousands to multiple millions of dollars. Small providers get hit too: some of the largest penalties relative to organization size have been against small practices and regional health systems.
The Breach Notification Rule applies to breaches of unsecured PHI, meaning PHI that was not encrypted or destroyed in accordance with HHS guidance; properly encrypted data that is lost is generally not a reportable breach, which is the strongest practical argument for encrypting ePHI at rest and in transit. When a breach does occur, you must notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify HHS (within 60 days for breaches affecting 500 or more individuals, or annually for smaller ones), and, for breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that area. The Wall of Shame, HHS's public breach portal, lists every reported breach affecting 500 or more individuals and is publicly searchable.
Where to Start
If your HIPAA compliance program is thin, start with the risk analysis. Document your ePHI inventory and assess your risks systematically. From there, you can build a prioritized remediation roadmap and policies that actually reflect how your organization operates.