A practical orientation to what HIPAA actually requires — written for the people who have to implement it, not just cite it.
1. What HIPAA is (and isn’t)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law with two parts that matter to you operationally:
- The Privacy Rule — governs how protected health information (PHI) can be used and disclosed.
- The Security Rule — governs the safeguards required to protect electronic PHI (ePHI).
The HITECH Act (2009) and the Omnibus Rule (2013) layered on the Breach Notification Rule and extended direct liability to business associates and their subcontractors.
HIPAA is not a checklist or a certification. It is a risk-based framework. Two organizations of the same size with the same data can validly implement very different controls, as long as both have done a defensible risk analysis and addressed the risks they identified.
2. Who HIPAA covers
- Covered entities: healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses.
- Business associates: any vendor, contractor, or subcontractor that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
- Subcontractors of business associates: same obligations flow down through the chain.
If you handle PHI on behalf of a covered entity, you are a business associate: you are directly liable under HIPAA, and you need a business associate agreement (BAA). See our BAA guide.
3. The Privacy Rule
The Privacy Rule sets the rules for using and disclosing PHI in any form — oral, paper, or electronic.
Core concept — minimum necessary: when using or disclosing PHI for purposes other than treatment, you must limit the disclosure to the minimum amount required to accomplish the purpose.
Required infrastructure:
- A Notice of Privacy Practices given to patients
- A designated Privacy Officer
- Workforce training on the Privacy Rule
- A complaints process and sanctions policy
- Procedures for honoring patient access, amendment, and accounting-of-disclosures requests
4. The Security Rule
The Security Rule applies only to electronic PHI and organizes its requirements into three categories of safeguards:
- Administrative safeguards — the policies, procedures, training, and management oversight of the security program (this is where the risk analysis lives).
- Physical safeguards — facility access, workstation security, device and media controls.
- Technical safeguards — access control, audit controls, integrity controls, transmission security.
Each safeguard category contains standards, which are required, and implementation specifications, which are either required or addressable. “Addressable” does not mean optional — it means you must either implement the specification, implement an equivalent alternative, or document why neither is reasonable and appropriate for your environment.
5. The Breach Notification Rule
A breach is an acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Any such incident is presumed to be a breach unless you can demonstrate, through a four-factor risk assessment, that there is a low probability the PHI has been compromised.
Notification clocks:
- Affected individuals — within 60 days of discovery, by first-class mail (or by email if they have agreed to electronic notice).
- HHS Office for Civil Rights — within 60 days of discovery for breaches affecting 500 or more individuals; for smaller breaches, annually, by March 1 of the following year.
- Prominent media outlets — within 60 days for breaches affecting 500+ residents of a state or jurisdiction.
- Business associates must notify the covered entity within 60 days (often sooner under the BAA).
6. The Risk Analysis
An accurate and thorough risk analysis is the control most often cited in OCR enforcement actions. It is required by 45 CFR § 164.308(a)(1)(ii)(A) and must be:
- Comprehensive — covers all ePHI you create, receive, maintain, or transmit, in every location and system.
- Threat- and vulnerability-based — identifies real threats, real vulnerabilities, and the likelihood and impact of each combination.
- Documented — in writing, with enough detail that an auditor can follow your reasoning.
- Updated — reviewed at least annually and whenever there’s a material change to your environment.
OnlyHIPAA’s assessment module walks through every required element and produces a defensible written report. See how it works.
7. Penalties & enforcement
OCR enforces HIPAA through investigations and may impose civil money penalties in four tiers based on culpability, with adjusted annual caps that change with inflation:
- Tier 1 — No knowledge: penalties from a few hundred to several tens of thousands of dollars per violation.
- Tier 2 — Reasonable cause: a higher per-violation minimum than Tier 1; historically the same annual cap as Tier 1.
- Tier 3 — Willful neglect, corrected: per-violation penalties in the tens of thousands.
- Tier 4 — Willful neglect, uncorrected: per-violation penalties in the tens to hundreds of thousands, with annual caps in the millions.
State attorneys general can also bring HIPAA enforcement actions. Criminal penalties apply for knowing misuse of PHI.
8. Getting started in 30 days
If you’re starting from zero, a realistic 30-day plan looks like this:
- Week 1: Inventory your ePHI — where it lives, who can reach it, how it flows.
- Week 2: Complete a Security Rule risk analysis against that inventory.
- Week 3: Draft (or adopt) the policy set required by the Security and Privacy Rules; designate Privacy and Security Officers.
- Week 4: Train your workforce, sign BAAs with every vendor that touches PHI, and document your remediation roadmap for risks identified above the threshold.
OnlyHIPAA collapses every step here into guided workflows. See pricing or start a trial.
Disclaimer. This guide is provided for general informational purposes and does not constitute legal advice. HIPAA requirements depend heavily on your specific operations and data. Consult qualified legal counsel for advice on your situation.