HIPAA — the Health Insurance Portability and Accountability Act — is among the most familiar regulatory acronyms in US compliance and among the most consistently misunderstood. Organisations new to HIPAA often arrive expecting either a checklist or an overwhelming legal regime, when the reality sits between the two. HIPAA is a structured set of rules with specific implementation specifications, several of which are surprisingly demanding, and several of which are routinely overlooked.
The Three Rules That Matter Most
The Privacy Rule covers permissible uses and disclosures of protected health information (PHI), individual rights, and notice obligations. The Security Rule covers administrative, physical, and technical safeguards for electronic PHI (ePHI). The Breach Notification Rule covers what to do when a breach occurs — notification to affected individuals, HHS, and in some cases media, on defined timelines. Most of the day-to-day operational compliance work runs against the Security Rule; most of the legal exposure runs across all three.
Are You a Covered Entity, a Business Associate, or Neither?
HIPAA applies to covered entities (health plans, healthcare clearinghouses, and most healthcare providers that conduct certain electronic transactions) and to business associates (entities that handle PHI on behalf of covered entities). The classification matters because the obligations are different. Many organisations assume they are not covered because they are not healthcare providers, only to discover that handling PHI as a vendor to a healthcare provider makes them a business associate with substantial obligations of their own.
The Security Rule Implementation Specifications
The Security Rule organises requirements into administrative, physical, and technical safeguards, with specific implementation specifications under each. Some specifications are required (must be implemented). Others are addressable — they must be implemented if reasonable and appropriate, with documented justification if a different approach is taken. The "addressable" label is sometimes misread as optional. It is not. An organisation that does not implement an addressable specification must document why and what alternative is in place.
A pattern in HIPAA breaches: an organisation has a security programme that would compare reasonably to an ISO 27001 ISMS, but specific HIPAA requirements (the risk analysis, sanctions for workforce members, required training records, business associate agreements with downstream vendors) are missing or out of date. The Office for Civil Rights (OCR) finds these gaps during breach investigations, and the resolution agreements are punitive precisely because the gaps are basic.
The Risk Analysis That Auditors Always Ask For
The Security Rule requires organisations to conduct an accurate and thorough risk analysis of vulnerabilities to ePHI confidentiality, integrity, and availability. The analysis must be documented, kept current, and used to inform the security measures actually implemented. This is the document OCR consistently asks for early in any investigation. Generic risk registers from a parent ISMS programme rarely satisfy the requirement — the analysis needs to be specifically about ePHI in the organisation's actual environment.
Business Associate Agreements: A Common Failure Point
Covered entities must have business associate agreements (BAAs) in place with every business associate handling PHI on their behalf. Business associates must have BAAs with their subcontractors who handle PHI. The chain has to be unbroken, the agreements have to contain specific provisions, and they have to be current. OCR investigations regularly find BAA gaps — vendors handling PHI without a BAA, BAAs from a previous regulatory cycle missing current required provisions, subcontractor BAAs missing entirely. None of these are technical issues; all of them are common.
Practical Implementation Sequence
- Determine HIPAA applicability — covered entity, business associate, or neither — by activity, not by company name
- Conduct a HIPAA-specific risk analysis on ePHI flows
- Implement required and addressable Security Rule specifications, with documented decisions for the addressable ones
- Establish workforce training, sanctions, and access management practices
- Build the BAA programme — every relationship handling PHI, with current required provisions
- Set up breach detection, classification, and notification capability against the 60-day timeline
- Document everything — HIPAA compliance is heavily evidence-driven, especially under investigation