What is HIPAA compliance?
HIPAA governs how US healthcare data is protected. Here is what it requires of covered entities and their vendors.
HIPAA (the US Health Insurance Portability and Accountability Act) sets national rules for protecting health information. It applies to covered entities such as healthcare providers, health plans, and clearinghouses, and to the business associates that handle protected health information (PHI) on their behalf.
For health-tech, biotech, and any vendor serving US healthcare, HIPAA is both a legal obligation and a customer requirement. This guide covers its core rules and how to meet them.
- Applies to covered entities and their business associates handling PHI.
- The Security Rule requires administrative, physical, and technical safeguards for electronic PHI.
- The Breach Notification Rule sets time-bound reporting duties after a breach.
- A Business Associate Agreement (BAA) is required whenever a vendor handles PHI.
The three core rules
HIPAA compliance centres on three rules:
- Privacy Rule: governs how PHI may be used and disclosed, and patients' rights over it.
- Security Rule: requires administrative, physical, and technical safeguards for electronic PHI (ePHI).
- Breach Notification Rule: requires notifying affected individuals, and regulators, within set timeframes after a breach.
Security Rule safeguards
The Security Rule is where most technical work lives. It expects risk analysis and safeguards such as access controls, audit controls, encryption of ePHI in transit and at rest where appropriate, and workforce training. It is risk-based, so the exact controls scale with your size and the sensitivity of the data you hold.
How to become compliant
Start with a risk analysis: know where PHI lives, how it flows, and where it is exposed. Put the Security Rule safeguards in place, sign Business Associate Agreements with any vendor that touches PHI, and prepare an incident and breach-notification process.
Because a breach is both a security and a HIPAA event, continuous monitoring of your external exposure and third parties is central, not optional.
Frequently asked questions
Protect PHI from day one
See where health data is exposed with a free outside-in check, then close the gaps.
Run a free check