How does the free plan work?

Sign up and start using PrivaBase immediately. No credit card required. The Starter plan includes 1 compliance framework, 5 checks per month, policy generator, website scanner, and access to the compliance feed.

What compliance frameworks do you support?

We support 132 frameworks including GDPR, CCPA/CPRA, HIPAA, SOC 2 Type II, SOC 1, ISO 27001, PCI DSS, NIST, DORA, NIS2, 18 US state privacy laws, and international frameworks. You can also build custom frameworks.

How many integrations do you support?

Over 214 integrations across 12 categories including cloud infrastructure (AWS, GCP, Azure), identity (Okta, Google Workspace), DevOps (GitHub, GitLab), MDM (Jamf, Intune, Kandji), HR (Gusto, Rippling, BambooHR), and more.

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Evidence is stored in Supabase Storage with framework-level access controls. We never share your data with third parties.

Do you offer annual billing?

Yes, save 20% with annual billing on all paid plans.

HIPAA Compliance Guide 2026 — Everything You Need to Know

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient health information. This guide covers everything you need to know about achieving and maintaining HIPAA compliance in 2026.

What is HIPAA?

HIPAA is a US federal law enacted in 1996 that establishes national standards for the protection of health information. It applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates — any organization that handles Protected Health Information (PHI).

HIPAA violations can result in fines ranging from $100 to $50,000 per violation (up to $1.5 million per year for repeated violations), and criminal penalties including imprisonment.

The Five HIPAA Rules

1. The Privacy Rule

The Privacy Rule establishes standards for how PHI can be used and disclosed. It gives patients rights over their health information, including the right to access their records, request corrections, and receive an accounting of disclosures.

Key requirements: Notice of Privacy Practices, minimum necessary standard, individual authorization for most uses, and patient right of access.

2. The Security Rule

The Security Rule establishes standards for protecting electronic PHI (ePHI). It requires three types of safeguards:

Administrative Safeguards: Risk analysis, workforce training, security management process, information access management, contingency planning.
Physical Safeguards: Facility access controls, workstation use policies, device and media controls.
Technical Safeguards: Access controls, audit controls, integrity controls, transmission security (encryption).

3. The Breach Notification Rule

Requires covered entities to notify affected individuals, HHS, and sometimes media within 60 days of discovering a breach of unsecured PHI.

4. The Enforcement Rule

Establishes procedures for investigations, penalties, and hearings for HIPAA violations.

5. The Omnibus Rule

Extended HIPAA requirements to business associates and their subcontractors, strengthened breach notification, and increased penalties.

Automate Your Compliance with PrivaBase

Start free. No credit card required.

Start Free

Who Must Comply with HIPAA?

HIPAA applies to two categories of organizations:

Covered Entities: Healthcare providers who transmit health information electronically, health plans (insurers, HMOs, Medicare), and healthcare clearinghouses.
Business Associates: Any organization that performs functions or activities involving PHI on behalf of a covered entity. This includes cloud providers, IT companies, billing services, consultants, and SaaS platforms that handle PHI.

Understanding PHI

Protected Health Information (PHI) includes any individually identifiable health information, including:

• Patient names, addresses, dates of birth, Social Security numbers
• Medical records, diagnoses, treatment information
• Health insurance information, billing records
• Any data that can identify a patient and relates to health conditions, care, or payment

HIPAA identifies 18 types of identifiers that make health information "individually identifiable."

Business Associate Agreements (BAAs)

Before sharing PHI with any business associate, a covered entity must have a signed BAA in place. The BAA establishes what the business associate can and cannot do with PHI, requires appropriate safeguards, and mandates breach reporting.

HIPAA Compliance Checklist

☐ Conduct a thorough risk analysis
☐ Implement administrative, physical, and technical safeguards
☐ Develop and distribute Notice of Privacy Practices
☐ Train all workforce members on HIPAA requirements
☐ Sign BAAs with all business associates
☐ Establish breach notification procedures
☐ Implement minimum necessary access controls
☐ Encrypt ePHI in transit and at rest
☐ Implement audit logging and monitoring
☐ Develop contingency and disaster recovery plans
☐ Document all policies and procedures
☐ Conduct regular compliance audits

HIPAA Penalties

HIPAA penalties are tiered based on the level of negligence:

Tier 1 (Unknowing): $100–$50,000 per violation
Tier 2 (Reasonable Cause): $1,000–$50,000 per violation
Tier 3 (Willful Neglect, Corrected): $10,000–$50,000 per violation
Tier 4 (Willful Neglect, Not Corrected): $50,000 per violation

Annual maximum: $1.5 million per violation category. Criminal penalties can include up to 10 years imprisonment.

Automate Your Compliance with PrivaBase

Start free. No credit card required.

Start Free

What is HIPAA?

HIPAA violations can result in fines ranging from $100 to $50,000 per violation (up to $1.5 million per year for repeated violations), and criminal penalties including imprisonment.

The Five HIPAA Rules

1. The Privacy Rule

Key requirements: Notice of Privacy Practices, minimum necessary standard, individual authorization for most uses, and patient right of access.

2. The Security Rule

The Security Rule establishes standards for protecting electronic PHI (ePHI). It requires three types of safeguards:

Administrative Safeguards: Risk analysis, workforce training, security management process, information access management, contingency planning.
Physical Safeguards: Facility access controls, workstation use policies, device and media controls.
Technical Safeguards: Access controls, audit controls, integrity controls, transmission security (encryption).

3. The Breach Notification Rule

Requires covered entities to notify affected individuals, HHS, and sometimes media within 60 days of discovering a breach of unsecured PHI.

4. The Enforcement Rule

Establishes procedures for investigations, penalties, and hearings for HIPAA violations.

5. The Omnibus Rule

Extended HIPAA requirements to business associates and their subcontractors, strengthened breach notification, and increased penalties.

Automate Your Compliance with PrivaBase

Start free. No credit card required.

Start Free

Who Must Comply with HIPAA?

HIPAA applies to two categories of organizations:

Covered Entities: Healthcare providers who transmit health information electronically, health plans (insurers, HMOs, Medicare), and healthcare clearinghouses.
Business Associates: Any organization that performs functions or activities involving PHI on behalf of a covered entity. This includes cloud providers, IT companies, billing services, consultants, and SaaS platforms that handle PHI.

Understanding PHI

Protected Health Information (PHI) includes any individually identifiable health information, including:

• Patient names, addresses, dates of birth, Social Security numbers
• Medical records, diagnoses, treatment information
• Health insurance information, billing records
• Any data that can identify a patient and relates to health conditions, care, or payment

HIPAA identifies 18 types of identifiers that make health information "individually identifiable."

Business Associate Agreements (BAAs)

HIPAA Compliance Checklist

☐ Conduct a thorough risk analysis
☐ Implement administrative, physical, and technical safeguards
☐ Develop and distribute Notice of Privacy Practices
☐ Train all workforce members on HIPAA requirements
☐ Sign BAAs with all business associates
☐ Establish breach notification procedures
☐ Implement minimum necessary access controls
☐ Encrypt ePHI in transit and at rest
☐ Implement audit logging and monitoring
☐ Develop contingency and disaster recovery plans
☐ Document all policies and procedures
☐ Conduct regular compliance audits

HIPAA Penalties

HIPAA penalties are tiered based on the level of negligence:

Tier 1 (Unknowing): $100–$50,000 per violation
Tier 2 (Reasonable Cause): $1,000–$50,000 per violation
Tier 3 (Willful Neglect, Corrected): $10,000–$50,000 per violation
Tier 4 (Willful Neglect, Not Corrected): $50,000 per violation

Annual maximum: $1.5 million per violation category. Criminal penalties can include up to 10 years imprisonment.

Automate Your Compliance with PrivaBase

Start free. No credit card required.

Start Free

Complete HIPAA Compliance Guide (2026)

What is HIPAA?

The Five HIPAA Rules

1. The Privacy Rule

2. The Security Rule

3. The Breach Notification Rule

4. The Enforcement Rule

5. The Omnibus Rule

Automate Your Compliance with PrivaBase

Who Must Comply with HIPAA?

Understanding PHI

Business Associate Agreements (BAAs)

HIPAA Compliance Checklist

HIPAA Penalties

Automate Your Compliance with PrivaBase

Related Guides

Complete GDPR Compliance Guide (2026)

Complete CCPA/CPRA Compliance Guide (2026)

Guide to Automating Data Subject Requests (DSRs)

Developer's Guide to Privacy Compliance

Complete HIPAA Compliance Guide (2026)

What is HIPAA?

The Five HIPAA Rules

1. The Privacy Rule

2. The Security Rule

3. The Breach Notification Rule

4. The Enforcement Rule

5. The Omnibus Rule

Automate Your Compliance with PrivaBase

Who Must Comply with HIPAA?

Understanding PHI

Business Associate Agreements (BAAs)

HIPAA Compliance Checklist

HIPAA Penalties

Automate Your Compliance with PrivaBase

Related Guides

Complete GDPR Compliance Guide (2026)

Complete CCPA/CPRA Compliance Guide (2026)

Guide to Automating Data Subject Requests (DSRs)

Developer's Guide to Privacy Compliance