HIPAA Laws and Compliance: A Complete Guide
The Health Insurance Portability and Accountability Act sets the national floor for protecting patient health information in the United States. Whether you run a medical practice, develop healthcare software, or manage a business that handles patient data, HIPAA compliance is not optional. This hub covers every major aspect of the law, from Business Associate Agreements to breach reporting to compliant communication tools.
What Is HIPAA?
HIPAA was signed into law in 1996, but the privacy and security provisions that most people associate with HIPAA came later. The Privacy Rule took effect in 2003, establishing standards for when and how protected health information (PHI) can be used and disclosed. The Security Rule followed in 2005, requiring administrative, physical, and technical safeguards for electronic PHI (ePHI).
The law applies to two groups. Covered entities include healthcare providers who conduct electronic transactions (hospitals, physicians, pharmacies, dentists, chiropractors), health plans (insurers, HMOs, employer-sponsored plans, Medicare, Medicaid), and healthcare clearinghouses. Business associates are organizations or individuals that perform functions involving PHI on behalf of a covered entity, such as billing services, cloud hosting providers, IT contractors, attorneys, and accountants.
The HITECH Act (2009) significantly expanded HIPAA by making business associates directly liable for compliance, establishing mandatory breach notification rules, and increasing penalties. The 2013 Omnibus Rule finalized these changes into the HIPAA regulatory framework.
As of 2026, HHS has received over 374,000 HIPAA complaints and imposed more than $144 million in settlements and penalties since the Privacy Rule took effect. The most common complaint categories are impermissible uses and disclosures, lack of safeguards, lack of patient access, and failures to implement minimum necessary standards.
HIPAA Compliance Topics
Explore our in-depth guides on specific HIPAA requirements, tools, and scenarios.
What Is a Business Associate Agreement (BAA)?
How BAAs work, what they must include, and why every HIPAA-covered vendor relationship requires one.
When Is a Business Associate Agreement Required?
Scenarios that trigger BAA requirements, common exceptions, and how to determine if your vendor needs one.
What Is TPO in HIPAA?
Treatment, Payment, and Healthcare Operations explained, including what disclosures TPO permits without patient authorization.
HIPAA Compliance Companies
Platforms and services that help healthcare organizations achieve and maintain HIPAA compliance.
HIPAA Compliant Texting
Secure messaging apps that meet HIPAA requirements for transmitting protected health information.
HIPAA Compliant Email
Email services and encryption tools that satisfy HIPAA security requirements for electronic PHI.
HIPAA and Subpoenas
When healthcare providers can disclose PHI in response to subpoenas, court orders, and legal proceedings.
Reporting HIPAA Breaches
Breach notification requirements, timelines, and how to file a complaint with HHS Office for Civil Rights.
Business Associate Agreements
A Business Associate Agreement (BAA) is a written contract required by HIPAA whenever a covered entity engages a vendor, contractor, or subcontractor that will create, receive, maintain, or transmit PHI. Without a signed BAA in place, sharing PHI with a third party is itself a HIPAA violation, regardless of whether the third party actually mishandles the data.
BAA requirements extend beyond obvious healthcare vendors. Cloud storage providers, email services, texting platforms, billing companies, answering services, EHR vendors, shredding companies, and even certain legal and accounting firms may qualify as business associates if they access PHI. HHS provides sample BAA provisions as a starting point.
Not every vendor relationship triggers a BAA. The key question is whether the vendor will access PHI. A janitorial service cleaning a clinic does not need a BAA unless it has access to patient records. A conduit exception applies to entities that merely transport PHI (like the postal service or an internet service provider) without routine access to the information. See our full guide on when a BAA is required for common scenarios.
HIPAA Compliant Communication
Standard consumer texting and email services do not meet HIPAA requirements for transmitting ePHI. The Security Rule requires encryption in transit, access controls, audit logging, and automatic session termination for any system handling electronic protected health information. Using iMessage, standard SMS, Gmail, or Outlook to discuss patient information without appropriate safeguards constitutes a potential HIPAA violation.
HIPAA compliant texting platforms provide end-to-end encryption, message expiration, remote wipe capabilities, and audit trails designed for healthcare communication. These platforms sign BAAs with their healthcare customers, accepting liability as business associates under HIPAA.
HIPAA compliant email services take several approaches: some encrypt all outbound messages by default, others use portal-based encryption where recipients access messages through a secure web portal, and others layer encryption onto existing email platforms like Microsoft 365 or Google Workspace. The right choice depends on your organization's volume, workflow, and whether you primarily communicate with patients or other providers.
Enforcement and Breach Reporting
HIPAA is enforced by the HHS Office for Civil Rights (OCR). OCR investigates complaints filed by individuals, conducts compliance reviews, and can impose civil monetary penalties. State attorneys general also have authority to bring civil actions under HITECH on behalf of state residents harmed by HIPAA violations. The Department of Justice handles criminal enforcement for knowing violations.
The Breach Notification Rule requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media when unsecured PHI is breached. A breach is presumed whenever PHI is accessed, used, or disclosed in a manner not permitted by the Privacy Rule, unless the covered entity can demonstrate through a risk assessment that there is a low probability the data was compromised. Our guide to reporting HIPAA breaches covers timelines, requirements, and the complaint process.
Subpoenas and court orders create special disclosure scenarios under HIPAA. The Privacy Rule permits disclosures in response to court orders without patient authorization, but subpoenas alone (without a court order) require the requesting party to provide satisfactory assurances that the patient has been notified or that a qualified protective order has been sought. Understanding these distinctions is critical for any healthcare provider served with legal process.
Related Healthcare Law Guides
HIPAA intersects with several other areas of law covered on Recording Law. Explore these related guides for additional healthcare legal information.
Medical Records Retention by State
How long hospitals and providers must keep your medical records in all 50 states.
Is Plaud HIPAA Compliant?
Analysis of Plaud NotePin's HIPAA compliance status for healthcare recording.
HIPAA Compliant CRM Software
CRM platforms that meet HIPAA requirements for managing patient relationships.
How Long Do Hospitals Keep Medical Records?
Federal and state requirements for hospital medical record retention periods.
This information is general legal information, not legal advice. HIPAA regulations are complex and enforcement standards evolve. Consult a healthcare compliance attorney for advice specific to your situation.
Frequently Asked Questions
What does HIPAA stand for?
HIPAA stands for the Health Insurance Portability and Accountability Act. Congress enacted HIPAA in 1996 primarily to help workers maintain health insurance coverage when changing jobs. Title II of the law established national standards for electronic healthcare transactions and required HHS to develop rules protecting the privacy and security of health information, which became the Privacy Rule (2003) and Security Rule (2005).
Who must comply with HIPAA?
HIPAA applies to two groups: covered entities and business associates. Covered entities include healthcare providers who transmit health information electronically (doctors, hospitals, pharmacies, clinics), health plans (insurers, HMOs, Medicare, Medicaid), and healthcare clearinghouses. Business associates are any vendors or contractors that handle PHI on behalf of a covered entity, such as billing companies, cloud storage providers, IT consultants, and communication platforms.
What is protected health information (PHI)?
Protected health information is any individually identifiable health information held or transmitted by a covered entity or business associate. PHI includes 18 specific identifiers: names, dates (birth, admission, discharge, death), phone numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifying number or code.
What is the difference between HIPAA and HITECH?
HITECH (Health Information Technology for Economic and Clinical Health Act) was enacted in 2009 as part of the American Recovery and Reinvestment Act. It extended HIPAA requirements directly to business associates (previously only covered entities were liable), established mandatory breach notification requirements, increased civil and criminal penalties, and promoted the adoption of electronic health records. The 2013 HIPAA Omnibus Rule formally incorporated HITECH provisions into the HIPAA regulatory framework.
Can a patient sue for a HIPAA violation?
HIPAA itself does not create a private right of action, meaning patients cannot file lawsuits directly under HIPAA. Enforcement is handled by HHS Office for Civil Rights (OCR) through complaints, investigations, and penalties. However, patients may have legal recourse through state privacy laws, negligence claims, or state consumer protection statutes. Some states, including California and Texas, have health privacy laws that do permit private lawsuits for unauthorized disclosure of medical information.
How long do you have to report a HIPAA breach?
Breach notification timelines depend on the size of the breach. For breaches affecting 500 or more individuals, the covered entity must notify HHS, affected individuals, and prominent media outlets within 60 days of discovering the breach. For breaches affecting fewer than 500 individuals, the covered entity must notify affected individuals without unreasonable delay (within 60 days) and may report to HHS annually. Business associates must notify the covered entity within 60 days of discovering a breach.
Does HIPAA apply to employers?
HIPAA generally does not apply to employers in their role as employers. Employment records containing health information (sick notes, workers' compensation claims, drug test results) are not covered by HIPAA even if the employer also sponsors a group health plan. However, the group health plan itself is a covered entity, and the employer must keep plan-related health information separate from employment records. Employers who operate on-site clinics or self-administer health plans may trigger HIPAA obligations for those specific functions.
What are the penalties for HIPAA violations?
HIPAA penalties are tiered based on the level of culpability. Tier 1 (unknowing): $141 to $71,162 per violation. Tier 2 (reasonable cause): $1,424 to $71,162 per violation. Tier 3 (willful neglect, corrected): $14,232 to $71,162 per violation. Tier 4 (willful neglect, not corrected): $71,162 to $2,134,831 per violation. The annual cap is $2,134,831 per identical violation category. Criminal penalties range from $50,000 and one year in prison (unknowing) to $250,000 and 10 years (intent to sell PHI). These amounts are adjusted annually for inflation by HHS.
Sources and References
- HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) (hhs.gov)
- HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) (hhs.gov)
- HHS Breach Notification Rule (45 CFR 164.400-414) (hhs.gov)
- Business Associate Contracts (45 CFR 164.502(e), 164.504(e)) (hhs.gov)
- HIPAA Enforcement Highlights (hhs.gov)
- HITECH Act (42 U.S.C. 17921 et seq.) (congress.gov)
- HIPAA Administrative Simplification Statute (42 U.S.C. 1320d et seq.) (hhs.gov)
- HHS HIPAA Penalty Amounts (45 CFR 160.404) (hhs.gov)