Complete HIPAA Compliance Guide (2026)
Last updated: February 2026
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient health information. This guide covers everything you need to know about achieving and maintaining HIPAA compliance in 2026.
What is HIPAA?
HIPAA is a US federal law enacted in 1996 that establishes national standards for the protection of health information. It applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates — any organization that handles Protected Health Information (PHI).
HIPAA violations can result in fines ranging from $100 to $50,000 per violation (up to $1.5 million per year for repeated violations), and criminal penalties including imprisonment.
The Five HIPAA Rules
1. The Privacy Rule
The Privacy Rule establishes standards for how PHI can be used and disclosed. It gives patients rights over their health information, including the right to access their records, request corrections, and receive an accounting of disclosures.
Key requirements: Notice of Privacy Practices, minimum necessary standard, individual authorization for most uses, and patient right of access.
2. The Security Rule
The Security Rule establishes standards for protecting electronic PHI (ePHI). It requires three types of safeguards:
- Administrative Safeguards: Risk analysis, workforce training, security management process, information access management, contingency planning.
- Physical Safeguards: Facility access controls, workstation use policies, device and media controls.
- Technical Safeguards: Access controls, audit controls, integrity controls, transmission security (encryption).
3. The Breach Notification Rule
Requires covered entities to notify affected individuals, HHS, and sometimes media within 60 days of discovering a breach of unsecured PHI.
4. The Enforcement Rule
Establishes procedures for investigations, penalties, and hearings for HIPAA violations.
5. The Omnibus Rule
Extended HIPAA requirements to business associates and their subcontractors, strengthened breach notification, and increased penalties.
Who Must Comply with HIPAA?
HIPAA applies to two categories of organizations:
- Covered Entities: Healthcare providers who transmit health information electronically, health plans (insurers, HMOs, Medicare), and healthcare clearinghouses.
- Business Associates: Any organization that performs functions or activities involving PHI on behalf of a covered entity. This includes cloud providers, IT companies, billing services, consultants, and SaaS platforms that handle PHI.
Understanding PHI
Protected Health Information (PHI) is any individually identifiable health information, including:
- Patient names, addresses, dates of birth, Social Security numbers
- Medical records, diagnoses, treatment information
- Health insurance information, billing records
- Any data that can identify a patient and relates to health conditions, care, or payment
HIPAA identifies 18 types of identifiers that make health information "individually identifiable."
Business Associate Agreements (BAAs)
Before sharing PHI with any business associate, a covered entity must have a signed BAA in place. The BAA establishes what the business associate can and cannot do with PHI, requires appropriate safeguards, and mandates breach reporting.
HIPAA Compliance Checklist
- ☐ Conduct a thorough risk analysis
- ☐ Implement administrative, physical, and technical safeguards
- ☐ Develop and distribute Notice of Privacy Practices
- ☐ Train all workforce members on HIPAA requirements
- ☐ Sign BAAs with all business associates
- ☐ Establish breach notification procedures
- ☐ Implement minimum necessary access controls
- ☐ Encrypt ePHI in transit and at rest
- ☐ Implement audit logging and monitoring
- ☐ Develop contingency and disaster recovery plans
- ☐ Document all policies and procedures
- ☐ Conduct regular compliance audits
HIPAA Penalties
HIPAA penalties are tiered based on the level of negligence:
- Tier 1 (Unknowing): $100–$50,000 per violation
- Tier 2 (Reasonable Cause): $1,000–$50,000 per violation
- Tier 3 (Willful Neglect, Corrected): $10,000–$50,000 per violation
- Tier 4 (Willful Neglect, Not Corrected): $50,000 per violation
Annual maximum: $1.5 million per violation category. Criminal penalties can include up to 10 years imprisonment.