Health Insurance Portability and Accountability Act of 1996

HIPAA establishes national standards for protecting patient health information in the United States. This guide covers the Privacy Rule, Security Rule, Breach Notification, BAAs, and practical compliance strategies.

Issuing Body: United States Department of Health and Human Services (HHS)
First Published: 1996-08-21
Latest Version: 2013 (Omnibus Rule, with proposed 2024 Security Rule update)
Typical Cost: $20,000–$250,000
Typical Timeline: 3–9 months
Audit Required: No
Audit Frequency: No mandatory audit, but OCR conducts random audits and investigates complaints. Risk assessments must be conducted regularly.
Geography: United States

HIPAA: Complete Healthcare Privacy and Security Guide

The Health Insurance Portability and Accountability Act (HIPAA) is the foundational US law governing the privacy and security of protected health information (PHI). Since its enactment in 1996, and since the Privacy Rule (compliance required from 2003) and Security Rule (compliance required from 2005) took effect, HIPAA has defined how healthcare providers, health plans, and their business associates must handle patient data.

What HIPAA Covers

HIPAA compliance rests on three primary rules. The Privacy Rule establishes standards for the use and disclosure of PHI, granting patients rights over their health information, including the right to access it, to request amendments, and to obtain an accounting of disclosures. The Security Rule specifies administrative, physical, and technical safeguards for electronic PHI (ePHI). The Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay, and no later than 60 calendar days after discovering a breach of unsecured PHI, whatever its size. Breaches affecting 500 or more individuals must also be reported to HHS within that same window and, when more than 500 residents of a single state or jurisdiction are affected, to prominent media outlets; smaller breaches are logged and reported to HHS annually. A business associate that discovers a breach must notify the covered entity within the same 60-day limit.

The Security Rule is organized around three safeguard categories: administrative (risk analysis, workforce training, contingency planning), physical (facility access controls, workstation security, device and media controls), and technical (access controls, audit controls, integrity controls, person or entity authentication, transmission security). Each standard is implemented through specifications that are either required or "addressable"; an addressable specification may be met by an equivalent alternative or documented as not reasonable and appropriate, but it may never simply be skipped.
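The audit-control and integrity-control safeguards are the two that engineers most often implement themselves rather than buy. The following is an added example written for this guide, not code from HHS or from any vendor: a minimal tamper-evident ePHI access log in which every record is hash-chained to its predecessor and HMAC-signed, so that editing, deleting or reordering a record is detected on verification. The class and field names are hypothetical, the sample access events are constructed, and the example assumes the HMAC key is held outside the database (for instance in a KMS) so that someone with write access to the log table cannot recompute it.

```python
"""Added example: tamper-evident ePHI access log (audit + integrity controls).
Not part of the original guide; names are hypothetical and sample data is constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Sentinel "previous MAC" for the first entry in a fresh log.
GENESIS = "0" * 64


class EphiAuditLog:
    """Append-only access log with a hash chain and a per-entry HMAC.

    Each entry carries the MAC of the entry before it, so changing any record
    invalidates every later link. The key is assumed to live outside the
    application database (e.g. in a KMS), so a DBA or an attacker with write
    access to the log table cannot re-sign a doctored record.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list = []

    def _mac(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _canonical(body: dict) -> str:
        # Stable serialisation: the same fields must always yield the same bytes.
        return json.dumps(body, sort_keys=True, separators=(",", ":"))

    def record(self, actor: str, patient_id: str, action: str,
               ts: Optional[str] = None) -> dict:
        """Append one access event: who touched whose PHI, and how."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "patient_id": patient_id,
            "action": action,
            "prev": prev,
        }
        entry = dict(body, mac=self._mac(self._canonical(body)))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i  # gap, deletion or reorder
            if not hmac.compare_digest(self._mac(self._canonical(body)), entry["mac"]):
                return False, i  # a field was edited or the MAC was forged
            prev = entry["mac"]
        return True, None


def demo() -> Tuple[Tuple[bool, Optional[int]], Tuple[bool, Optional[int]]]:
    """Constructed sample: three accesses, then an insider rewrites one record."""
    log = EphiAuditLog(key=b"demo-key-keep-real-keys-in-a-kms")
    log.record("dr.chen", "MRN-0001", "VIEW_CHART", ts="2024-03-01T10:00:00+00:00")
    log.record("billing-svc", "MRN-0001", "EXPORT_CLAIM", ts="2024-03-01T10:05:00+00:00")
    log.record("dr.chen", "MRN-0002", "VIEW_CHART", ts="2024-03-01T10:07:00+00:00")
    clean = log.verify()
    log.entries[2]["actor"] = "nurse.lee"  # attempt to pin the access on someone else
    tampered = log.verify()
    return clean, tampered


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 2))
```

Verification runs over the whole chain, so a deleted or reordered record surfaces as a sequence or link mismatch at the first affected index, and an edited field fails its own MAC. In production the log would be written to append-only storage and the verification routine scheduled as part of the periodic review that the audit-controls standard calls for; the example only shows the integrity mechanism itself.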

Who Needs HIPAA Compliance

HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates, meaning any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This includes health tech companies, cloud providers hosting ePHI, billing services, EHR vendors, and consultants with PHI access. Since the 2013 Omnibus Rule, subcontractors that handle PHI for a business associate are themselves business associates and carry the same obligations.

Implementation Approach

Start with a comprehensive risk analysis covering every system that stores, processes, or transmits ePHI. This is the single most important Security Rule requirement and the first thing OCR asks for during an investigation, so it must be documented, acted on through a risk management plan, and repeated whenever the environment changes. Develop and implement policies addressing the Privacy Rule, Security Rule, and Breach Notification Rule. Execute Business Associate Agreements with all vendors handling PHI before any PHI flows to them. Train all workforce members, and document everything, since an undocumented control is treated as absent.

Cost Considerations

Costs range from $20,000 for small practices with limited ePHI to $250,000 for health tech companies building HIPAA-compliant platforms. The cost of non-compliance is far higher — OCR has issued penalties exceeding $16 million for single HIPAA violations, and the average healthcare data breach costs over $10 million.
