What Is HIPAA Compliance? Everything Healthcare Organizations Need to Know
HIPAA compliance means meeting the requirements of the Health Insurance Portability and Accountability Act of 1996 and the regulations that implement it. For most organizations, though, the practical question is narrower: which of HIPAA’s rules apply to us, and what do we actually have to do to satisfy them? HIPAA compliance is not a certificate you earn once and hang on the wall. It is an ongoing program of safeguards, documentation, and accountability that has to adapt as your systems, your vendors, and the threats against them change.
Who Has to Comply
HIPAA divides the regulated world into two groups. Covered entities are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with standard transactions such as claims or eligibility checks. Business associates are the vendors that create, receive, maintain, or transmit protected health information (PHI) on a covered entity’s behalf — billing companies, IT providers, cloud platforms, transcription services, and many others. Since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for their own HIPAA obligations, not merely contractually responsible to their clients. If your organization handles health data but fits neither category, HIPAA may not reach you — though state consumer-health-data laws and the Federal Trade Commission often do.
The Three Rules That Make Up HIPAA Compliance
The Privacy Rule governs PHI in every form — paper, spoken, and electronic. It defines the uses and disclosures you are permitted to make without authorization (treatment, payment, and healthcare operations), establishes the minimum necessary standard, and grants patients rights over their own information, including the right to access and amend their records. The Security Rule applies specifically to electronic PHI and requires three categories of safeguards: administrative, physical, and technical. The Breach Notification Rule sets out what counts as a breach of unsecured PHI and the obligation to notify affected individuals, HHS, and sometimes the media — generally within 60 days of discovery. Together, these three rules are what people mean when they say a healthcare organization is or isn’t “HIPAA compliant.”
The Security Risk Analysis Is the Foundation
If there is a single starting point for HIPAA compliance, it is the Security Risk Analysis. The Security Rule, at 45 CFR § 164.308(a)(1)(ii)(A), requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic PHI your organization holds. This is not optional paperwork. The absence of a genuine, current risk analysis is the single most frequently cited failing in HHS Office for Civil Rights enforcement actions. The analysis is also what makes the rest of compliance rational: it tells you where your real exposure is, so you can prioritize the safeguards that matter most rather than spreading effort evenly across risks that aren’t equal.
A Major Update Is on the Horizon
In December 2024, HHS published a Notice of Proposed Rulemaking (NPRM) proposing the most significant changes to the Security Rule in two decades — including making many currently “addressable” safeguards mandatory and adding explicit requirements such as asset inventories, multi-factor authentication, and encryption. This proposal is not final. If it is finalized, organizations would have a 240-day compliance window from the publication of the final rule. Treat it as a strong signal of where expectations are heading, not as current law — but an organization with a solid risk analysis and modern safeguards already in place will have little to scramble for if it lands.
How Medcurity Helps
Medcurity gives covered entities and business associates a structured path through HIPAA compliance: a guided Security Risk Analysis, the policies and documentation that support it, and a clear record you can show an auditor or a prospective partner. Pricing is $499/year (about $42/month), and larger organizations with more complex environments can request a quote. To go deeper on the individual rules, see our HIPAA Privacy Rule guide and our overview of HIPAA Security Rule requirements.
Frequently Asked Questions
Is HIPAA compliance a certification?
No. There is no official government HIPAA certification, and no one can certify you as permanently “HIPAA certified.” Compliance is an ongoing state demonstrated through your risk analysis, safeguards, policies, training, and documentation. Vendors who claim to make you “certified” are offering training or assessment services, not a legal status.
Does HIPAA apply to small practices?
Yes. HIPAA has no small-organization exemption. A solo provider who bills electronically is a covered entity with the same core obligations as a hospital, though the scale of the safeguards is proportional to the size and complexity of the practice.
What is the difference between the Privacy Rule and the Security Rule?
The Privacy Rule governs all PHI in any form and is about who may use or disclose it and the rights patients have over it. The Security Rule applies only to electronic PHI and is about the administrative, physical, and technical safeguards that protect it.
Where should an organization start with HIPAA compliance?
Start with a Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A). It identifies where your protected health information lives and where it is exposed, which is the information you need to prioritize every other safeguard, policy, and investment.