04.11.2026 Healthcare

HIPAA Compliance 101: Checklist, Requirements & 2026 Updates

HIPAA Compliance 101: What Every Covered Entity Must Do

Quick Answer: HIPAA compliance requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). At minimum, this means conducting an annual Security Risk Analysis (SRA), maintaining written policies, executing Business Associate Agreements (BAAs), training your workforce, and having a breach notification plan. The proposed 2026 HIPAA Security Rule adds mandatory encryption, multi-factor authentication (MFA), and vulnerability scanning.

HIPAA compliance can feel like a maze — especially when you’re running a healthcare practice and patient care always comes first. If you’re a healthcare provider, health plan, or business associate responsible for protecting ePHI, this guide cuts through the complexity. We’ll cover exactly what’s required, what the 2026 Security Rule changes mean for you, and how to build a HIPAA security program that actually holds up under audit.

Key Takeaways:

  • Document everything: if it isn’t documented, it didn’t happen
  • Conduct a Security Risk Analysis (SRA) annually — it’s the #1 deficiency cited in OCR enforcement actions
  • Execute Business Associate Agreements (BAAs) with every vendor who touches ePHI
  • The proposed 2026 HIPAA Security Rule makes encryption and MFA mandatory (no longer “addressable”)

It’s no secret that HIPAA compliance can be complicated — even for experienced healthcare industry professionals. But it doesn’t have to be overwhelming. If you’re responsible for HIPAA security, compliance, or cybersecurity in healthcare and want to establish your organization as compliant with regulatory standards, this is your guide. We’ll cut through the red tape and break down exactly what needs to be done so you can build your foundation for HIPAA security with confidence.

What Is HIPAA Compliance?

HIPAA compliance means adhering to the Health Insurance Portability and Accountability Act’s requirements for protecting patient data. It applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and their business associates: any vendor, contractor, or service provider who creates, receives, maintains, or transmits protected health information (PHI) on your behalf.

The five pillars of the HIPAA Security Rule:

  1. Administrative safeguards
  2. Physical safeguards
  3. Technical safeguards
  4. Organizational standards
  5. Policies, procedures, and documentation requirements

When it comes to HIPAA, keeping your organization defensible is the goal — and that means documenting not just what you plan to do, but what you are actually doing today. In hundreds of engagements across healthcare organizations over the years, the gap between stated policy and actual practice is where most compliance programs break down.

Step 1: Conduct a Security Risk Analysis (SRA)

The Security Risk Analysis is the single most important HIPAA compliance requirement — and the most commonly cited deficiency in OCR enforcement actions. If you do one thing, do this.

An SRA requires you to:

  • Identify all systems that create, receive, maintain, or transmit ePHI (EHR systems, email, cloud storage, mobile devices, connected medical devices)
  • Document all identified risks and vulnerabilities, with likelihood and impact ratings
  • Create a remediation plan for every medium or high risk, with responsible parties and timelines
  • Review and update the SRA annually, and after any significant environmental change (new system, office move, security incident)
  • Retain all SRA documentation for a minimum of six years
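A minimal risk register that applies the SRA rules above, as an added example (not RealCISO's code or the HHS tool): each risk is rated for likelihood and impact, medium and high risks without an owner and timeline are flagged as remediation gaps, and the annual review and six-year retention dates are derived. The 1-3 rating scale and the score bands are this example's assumptions; the Security Rule does not prescribe a scale.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

SRA_REVIEW_INTERVAL = timedelta(days=365)  # review at least annually
SRA_RETENTION_YEARS = 6                    # keep SRA documentation six years


@dataclass
class Risk:
    system: str        # system that creates, receives, maintains or transmits ePHI
    threat: str
    likelihood: int    # 1 (rare) .. 3 (likely) -- assumed scale
    impact: int        # 1 (minor) .. 3 (severe) -- assumed scale
    owner: str = ""    # responsible party for remediation
    due: Optional[date] = None  # remediation timeline

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # 1, 2, 3, 4, 6 or 9

    @property
    def level(self) -> str:
        # Assumed bands: 6+ high, 3-4 medium, 1-2 low.
        return "high" if self.score >= 6 else "medium" if self.score >= 3 else "low"


def remediation_gaps(risks: List[Risk]) -> List[Risk]:
    """Medium and high risks that still lack a responsible party or a timeline."""
    return [r for r in risks if r.level != "low" and (not r.owner or r.due is None)]


def sra_review_due(last_review: date, today: date, significant_change: bool = False) -> bool:
    """Due after a year, or immediately after a significant environmental change."""
    return significant_change or today - last_review >= SRA_REVIEW_INTERVAL


def retention_until(completed: date) -> date:
    """Earliest date the SRA documentation may be discarded (Feb 29 rolls to Feb 28)."""
    try:
        return completed.replace(year=completed.year + SRA_RETENTION_YEARS)
    except ValueError:
        return completed.replace(year=completed.year + SRA_RETENTION_YEARS, day=28)


# Constructed sample register for a small practice.
SAMPLE_REGISTER = [
    Risk("EHR application server", "unpatched OS vulnerability", 3, 3),
    Risk("Clinic email", "phishing leading to mailbox access", 2, 3, "IT lead", date(2026, 6, 30)),
    Risk("Provider tablets", "lost device without encryption", 2, 2, "Practice manager"),
    Risk("Front desk workstation", "screen visible from waiting room", 1, 1),
]
```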

HHS offers a free self-assessment tool. RealCISO’s platform conducts a guided SRA that maps directly to HIPAA Security Rule requirements — and cross-maps to SOC 2, PCI-DSS, and NIST CSF simultaneously, so you’re not managing separate assessments for every framework.


Step 2: Implement the Three Safeguard Categories

Administrative Safeguards

The policies and workforce activities that protect ePHI:

  • Designate a HIPAA Security Officer (and a Privacy Officer — can be the same person in smaller organizations)
  • Develop and maintain written policies covering access control, incident response, workforce training, device management, and business associate management
  • Train all workforce members at hire and annually — document dates, topics, and attendees
  • Establish a sanctions policy for policy violations and apply it consistently
  • Grant access to ePHI based on the minimum necessary standard; terminate access immediately on workforce separation
  • Conduct periodic security evaluations (the proposed 2026 rule requires at least annually)
  • Maintain an incident response plan with specific procedures for detecting, responding to, and recovering from security incidents

Physical Safeguards

Protecting the physical infrastructure that stores or processes ePHI:

  • Control facility access to server rooms, filing areas, and anywhere ePHI is visible
  • Implement workstation security: screen positioning, automatic locks, privacy screens
  • Secure mobile devices with MDM policies (encryption, remote wipe, passcode requirements)
  • Maintain a complete technology asset inventory — the proposed 2026 rule requires this, including a network map showing how ePHI moves through your systems
  • Document all device and media disposal procedures; maintain disposal records

Technical Safeguards

The technology controls protecting ePHI and controlling access:

  • Use unique user IDs — never share login credentials
  • Deploy multi-factor authentication (MFA) — the proposed 2026 rule makes MFA mandatory for all ePHI systems
  • Encrypt ePHI at rest and in transit — the proposed 2026 rule removes the “addressable” designation, making encryption required; use TLS 1.2 or higher for data in transit
  • Implement audit logging for all ePHI access (who, what, when, where)
  • Deploy anti-malware protection on all systems
  • Conduct vulnerability scanning every six months and penetration testing annually (proposed 2026 rule)
  • Implement network segmentation to isolate ePHI systems from general-purpose networks

Step 3: Execute Business Associate Agreements (BAAs)

If any third party — cloud provider, billing service, IT vendor, EHR company, shredding company — creates, receives, maintains, or transmits ePHI on your behalf, they are a business associate, and you must have a signed Business Associate Agreement (BAA) before sharing any PHI.

Without a BAA, every PHI disclosure to that vendor is technically a HIPAA violation.

A BAA must:

  • Define permitted uses and disclosures of PHI
  • Restrict use and disclosure to those contractually permitted or legally required
  • Require appropriate safeguards for ePHI
  • Mandate breach notification to you within a specified timeframe

The proposed 2026 rule requires business associates to provide annual written verification of their compliance status. Request and document this verification — don’t treat BAA execution as the finish line.

Step 4: Build Your Breach Notification Plan

When a breach of unsecured PHI occurs, the HIPAA Breach Notification Rule requires:

  • Notifying affected individuals within 60 days of discovery
  • Reporting breaches of 500 or more individuals to HHS and local media within 60 days
  • Logging all breaches — including those affecting fewer than 500 individuals — and reporting to HHS annually
  • Conducting a four-factor risk assessment to determine whether an incident constitutes a reportable breach
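An added example (not RealCISO's code) that turns the Breach Notification Rule requirements above into a small deadline calculator: an incident is treated as reportable unless the documented four-factor assessment concluded a low probability of compromise, individual notice is due within 60 days of discovery, and the 500-individual threshold decides whether HHS and media notice is also due within 60 days or the breach is logged for the annual HHS report. The incident names, the `low_probability_of_compromise` field and the sample dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTIFY_WINDOW = timedelta(days=60)  # individuals, HHS and media: within 60 days of discovery
LARGE_BREACH = 500                  # 500 or more individuals: HHS and media notice, not annual log


@dataclass
class Incident:
    name: str
    discovered: date
    affected: int
    # Documented outcome of the four-factor risk assessment (assumed field name).
    low_probability_of_compromise: bool


def is_reportable(inc: Incident) -> bool:
    """An incident involving unsecured PHI is presumed a breach unless the assessment says otherwise."""
    return not inc.low_probability_of_compromise


def notification_deadlines(inc: Incident) -> Dict[str, Optional[date]]:
    """Parties to notify and the date by which each notice is due.

    A value of None means: log the breach now and include it in the annual report to HHS.
    """
    if not is_reportable(inc):
        return {}
    due = inc.discovered + NOTIFY_WINDOW
    plan: Dict[str, Optional[date]] = {"individuals": due}
    if inc.affected >= LARGE_BREACH:
        plan["hhs"] = due
        plan["media"] = due
    else:
        plan["hhs"] = None  # fewer than 500 individuals: annual HHS log submission
    return plan


def overdue(inc: Incident, today: date) -> List[str]:
    """Parties whose notification deadline has already passed."""
    return [party for party, due in notification_deadlines(inc).items()
            if due is not None and today > due]


# Constructed sample incidents.
SAMPLE_INCIDENTS = [
    Incident("misdirected fax, retrieved and destroyed", date(2026, 3, 1), 1,
             low_probability_of_compromise=True),
    Incident("misdirected mailing", date(2026, 3, 1), 3, low_probability_of_compromise=False),
    Incident("phishing mailbox exposure", date(2026, 1, 5), 800, low_probability_of_compromise=False),
]
```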

Penalties for HIPAA violations range from $100 to $50,000 per violation, with a maximum of $1.5 million per category per year. OCR enforcement has increased significantly in recent years — preparation before a breach is what separates defensible programs from expensive investigations.

Have notification templates ready, with required elements: description of the breach, types of information involved, recommended protective steps, your response actions, and contact information.

Step 5: Report Your Findings and Get Organizational Buy-In

This step might seem obvious, but it’s where most HIPAA programs stall. Even the best security program can’t run without organizational support — and that support comes from clear, credible reporting.

When you can present leadership with a clear set of shortcomings and a prioritized, achievable set of corrective actions, you turn “no” into “go.” That’s the power of a well-documented compliance report.

It’s best practice not to maintain separate policy documents for every compliance framework. If you already have security policies, work HIPAA requirements into them — fewer documents means easier annual maintenance. If you do build a separate HIPAA policy set, keep it accessible to staff and update it annually (or upon any significant change).

Step 6: Remediate — Do What You Said You’re Doing

Now comes the work: implementing what your documentation says is already in place. In most cases, this means continuing existing practices and closing the gaps the SRA identified.

Many low- or no-cost tools can support a growing cybersecurity program at any size; a number of them are available in the RealCISO marketplace.

The reality for healthcare providers: you have an enormous number of moving parts — ICUs with strict access protocols, emergency rooms that can be chaotic and short-staffed. Keeping your HIPAA security program as simple and sustainable as possible while still meeting the minimum required standards is the right target until you have room to build out a more sophisticated program. Maintaining the delicate balance between protecting ePHI and delivering the care your patients need is truly the hardest part of HIPAA security.

The 2026 HIPAA Security Rule: What’s Changing

The proposed 2026 HIPAA Security Rule is the most significant update to HIPAA in over 20 years. Key changes to prepare for now:

| Requirement                              | Current status | Proposed 2026 status        |
|------------------------------------------|----------------|-----------------------------|
| Encryption of ePHI                       | Addressable    | Required                    |
| Multi-factor authentication              | Addressable    | Required                    |
| Technology asset inventory + network map | Not explicit   | Required                    |
| Vulnerability scanning                   | Not explicit   | Every 6 months              |
| Penetration testing                      | Not explicit   | Annually                    |
| System restoration after incident        | Not specified  | Within 72 hours             |
| Compliance audits                        | As needed      | Annually                    |
| BA compliance verification               | Contractual    | Annual written verification |

The final rule is expected mid-2026, with a compliance deadline approximately 180 days after the effective date. Organizations that begin implementing these controls now — especially MFA, encryption, and SRA processes — are building toward compliance rather than scrambling after a deadline.

RealCISO’s platform is already mapped to the proposed 2026 rule requirements, so your assessments track where you stand against both current and forthcoming standards.

Start Your HIPAA Compliance Program Today

Three actionable steps — Assess, Report, Remediate — will get your HIPAA security program built and keep it running. You don’t need to be a security expert, spend endless money, or lose sleep. Just follow these steps, document your work, and partner with the right tools.

RealCISO offers a free HIPAA assessment that covers the full Security Rule — and maps your results to other frameworks like SOC 2, PCI-DSS, and NIST CSF simultaneously, so one assessment goes further. Our remediation management tools, policy library, and reporting features are designed for healthcare organizations of every size.

About the author
RealCISO Team