Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesPrivacy & Data Protection

What is HIPAA compliance?

HIPAA governs how US healthcare data is protected. Here is what it requires of covered entities and their vendors.

7 min read

HIPAA (the US Health Insurance Portability and Accountability Act) sets national rules for protecting health information. It applies to covered entities such as healthcare providers, health plans, and clearinghouses, and to the business associates that handle protected health information (PHI) on their behalf.

For health-tech, biotech, and any vendor serving US healthcare, HIPAA is both a legal obligation and a customer requirement. This guide covers its core rules and how to meet them.

Key takeaways
  • Applies to covered entities and their business associates handling PHI.
  • The Security Rule requires administrative, physical, and technical safeguards for electronic PHI.
  • The Breach Notification Rule sets time-bound reporting duties after a breach.
  • A Business Associate Agreement (BAA) is required whenever a vendor handles PHI.

The three core rules

HIPAA compliance centres on three rules:

  • Privacy Rule: governs how PHI may be used and disclosed, and patients' rights over it.
  • Security Rule: requires administrative, physical, and technical safeguards for electronic PHI (ePHI).
  • Breach Notification Rule: requires notifying affected individuals, and regulators, within set timeframes after a breach.

Security Rule safeguards

The Security Rule is where most technical work lives. It expects risk analysis and safeguards such as access controls, audit controls, encryption of ePHI in transit and at rest where appropriate, and workforce training. It is risk-based, so the exact controls scale with your size and the sensitivity of the data you hold.

How to become compliant

Start with a risk analysis: know where PHI lives, how it flows, and where it is exposed. Put the Security Rule safeguards in place, sign Business Associate Agreements with any vendor that touches PHI, and prepare an incident and breach-notification process.

Because a breach is both a security and a HIPAA event, continuous monitoring of your external exposure and third parties is central, not optional.

Frequently asked questions

Who has to comply with HIPAA?
Covered entities (healthcare providers, health plans, clearinghouses) and their business associates, which includes many health-tech vendors and processors that handle PHI on a covered entity's behalf.
What is a Business Associate Agreement?
A BAA is a required contract between a covered entity and a vendor that handles PHI, obligating the vendor to protect that data under HIPAA. You generally cannot handle PHI for a customer without one.
Is there a HIPAA certification?
There is no official HIPAA certificate. Compliance is demonstrated through your risk analysis, safeguards, policies, and evidence, often alongside a SOC 2 report for customers.
How does NMT help with HIPAA?
NMT helps you find and reduce exposure of systems that hold PHI, monitor third parties, automate Security Rule evidence, and detect the incidents the Breach Notification Rule requires you to report.

Protect PHI from day one

See where health data is exposed with a free outside-in check, then close the gaps.

Run a free check
Related
Compliance & Assurance solution Guide: What is SOC 2? Cybersecurity for healthcare