What Is HIPAA Compliance?

HIPAA compliance refers to the legal and operational requirements organizations must meet when handling protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). Compliance requires implementing administrative, physical, and technical safeguards, signing required Business Associate Agreements (BAAs), conducting risk assessments, and maintaining documented policies governing how PHI is accessed, stored, transmitted, and protected.

What HIPAA Regulates

HIPAA regulates how protected health information (PHI) is used, disclosed, stored, and transmitted.

PHI includes any individually identifiable health information, such as:

  • Patient names connected to medical data
  • Diagnoses and treatment records
  • Appointment histories
  • Insurance and billing details
  • Contact information linked to health services

If health information can identify a person and relates to their medical condition, care, or payment, it likely qualifies as PHI.

HIPAA applies to:

  • Covered Entities (healthcare providers, health plans, and clearinghouses)
  • Business Associates (vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity)

When PHI is involved, compliance is mandatory — not optional.


The Four Core HIPAA Rules

HIPAA compliance is structured around four major rules:

1. The Privacy Rule

Defines when PHI may be used or disclosed and establishes patient rights over their health information.

2. The Security Rule

Defines safeguards required to protect electronic PHI (ePHI).

3. The Breach Notification Rule

Requires notification procedures if PHI is accessed, disclosed, or compromised improperly.

4. The Enforcement Rule

Defines how violations are investigated and the penalties that may apply.

These rules work together to create a legal framework governing both organizational behavior and technical systems.


The Three Categories of Safeguards

Under the Security Rule, HIPAA compliance requires safeguards across three categories:

Administrative Safeguards

Policies and procedures that govern workforce behavior and risk management. This includes formal risk assessments, training programs, governance documentation, and incident response planning.

Physical Safeguards

Controls that protect facilities, devices, and hardware that store or process PHI. Examples include facility access controls and device management procedures.

Technical Safeguards

Technology-based protections for electronic PHI, such as authentication controls, access management, encryption, and audit logging.
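The following Python block is an added illustration, not code from the page or from any HIPAA guidance: it shows two of the technical safeguards named above (access management and audit logging) applied to a hypothetical ePHI record store. The role-to-field policy, the record identifiers and the patient values are constructed placeholders; the point is that every read of PHI is gated by an explicit role grant, trimmed to the fields that role needs, and written to an append-only audit trail whether it was allowed or denied.

```python
"""Access management plus audit logging around ePHI reads (added example)."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Hypothetical role-to-field policy (constructed for this example): each role
# may read only the PHI fields its job function needs.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "clinician": {"name", "diagnosis", "treatment_notes"},
    "billing": {"name", "insurance_id", "balance_due"},
}

# Constructed sample record; every value here is a placeholder, not real data.
RECORDS: Dict[str, dict] = {
    "P-1001": {
        "name": "Example Patient",
        "diagnosis": "J06.9",
        "treatment_notes": "follow-up in two weeks",
        "insurance_id": "INS-0000",
        "balance_due": 120.00,
    }
}


@dataclass
class AuditLog:
    """Append-only in-memory audit trail. A real deployment would forward
    these entries to write-once storage rather than keep them in a list."""
    entries: List[dict] = field(default_factory=list)

    def record(self, actor: str, role: str, patient_id: str,
               action: str, outcome: str, fields=()) -> None:
        # Denied and not-found attempts are logged too: an audit trail that
        # only shows successes cannot reveal probing or misconfigured roles.
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "patient_id": patient_id,
            "action": action,
            "outcome": outcome,
            "fields": sorted(fields),
        })

    def to_jsonl(self) -> str:
        """Serialise the trail as JSON lines, one entry per line."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


class PhiStore:
    """Hypothetical ePHI store whose only read path enforces the policy."""

    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit

    def read(self, actor: str, role: str, patient_id: str) -> Optional[dict]:
        allowed = ROLE_FIELDS.get(role)
        if not actor or allowed is None:
            # No authenticated actor, or a role with no grant: deny and log.
            self.audit.record(actor, role, patient_id, "read", "denied")
            return None
        record = RECORDS.get(patient_id)
        if record is None:
            self.audit.record(actient_id_placeholder := actor, role, patient_id,
                              "read", "not_found") if False else \
                self.audit.record(actor, role, patient_id, "read", "not_found")
            return None
        # Return only the fields the role is granted, never the whole record.
        view = {k: v for k, v in record.items() if k in allowed}
        self.audit.record(actor, role, patient_id, "read", "allowed", view.keys())
        return view


if __name__ == "__main__":
    log = AuditLog()
    store = PhiStore(log)
    store.read("dr.example", "clinician", "P-1001")
    store.read("visitor", "unknown_role", "P-1001")
    print(log.to_jsonl())
```

Reading the audit trail back as JSON lines is what makes the safeguard reviewable: a clinician's read should show only the clinician fields, and a read by an unrecognised role should appear as a denied entry rather than vanish.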

These categories establish the compliance foundation. How they are implemented varies depending on the organization and the systems in use.


Who Must Be HIPAA Compliant?

HIPAA compliance applies directly to:

  • Healthcare providers transmitting electronic health information
  • Health insurance plans
  • Healthcare clearinghouses

It also applies to any vendor that handles PHI on behalf of those organizations. These vendors are known as Business Associates.

If a software provider stores, processes, transmits, or has access to PHI, it falls within HIPAA’s regulatory scope and must operate under appropriate contractual and security safeguards.


The Role of the Business Associate Agreement (BAA)

A Business Associate Agreement (BAA) is a legally required contract between a covered entity and any vendor that handles PHI on its behalf.

The BAA:

  • Defines how PHI may be used
  • Establishes security responsibilities
  • Requires breach notification cooperation
  • Allocates compliance obligations

Without a signed BAA, a vendor cannot legally process PHI for a covered entity.

Compliance is not simply about technology — it is contractual and operational.

For an extended description of BAAs, see our separate guide: What is a Business Associate Agreement (BAA)?


Common Misconceptions About HIPAA Compliance

HIPAA is frequently misunderstood in marketing and technology discussions.

  • There is no official “HIPAA certification.” No federal agency issues a compliance badge.
  • Compliance is not automatic. Using a HIPAA-capable platform does not make an organization compliant by default.
  • Encryption alone is not enough. Technical safeguards must operate alongside policies, contracts, and governance.
  • HIPAA sets a minimum standard. Organizations may choose to exceed these requirements.

Understanding these distinctions is critical when evaluating healthcare technology vendors.


How HIPAA Applies to Healthcare Software and Digital Platforms

As healthcare has moved into cloud infrastructure, telehealth systems, messaging platforms, AI tools, and mobile apps, HIPAA compliance has expanded beyond physical medical offices.

When PHI flows through digital systems, compliance must extend to:

  • Hosting environments
  • Communication platforms
  • APIs and SDKs
  • Video conferencing systems
  • AI processing services
  • Analytics tools with PHI access

Each system in the technology stack must support the safeguards required under HIPAA and operate under appropriate contractual agreements.

For application-specific requirements, see: What Makes a Telehealth Platform HIPAA Compliant?


What Happens If an Organization Is Not HIPAA Compliant?

HIPAA violations can result in:

  • Civil monetary penalties
  • Criminal charges in severe cases
  • Mandatory corrective action plans
  • Federal oversight agreements
  • Reputational damage

Civil monetary penalties are tiered by culpability and range from $145 to $2,190,294 per violation, with an annual cap of $2,190,294 per violation category. For current penalty schedules, see the HHS Federal Register Notice (January 2026).

Compliance is therefore both a legal and operational priority.

Does HIPAA Apply to Telehealth Platforms?

Yes. Any telehealth vendor that stores, transmits, or processes PHI on behalf of a covered entity is classified as a Business Associate and must operate under a signed BAA and implement required technical safeguards. This applies to the entire technology stack — video, messaging, AI tools, and hosting environments.

Can a software vendor be “HIPAA compliant” on its own?

A vendor can build infrastructure that supports HIPAA-compliant deployments, but compliance is never solely the vendor's responsibility. The covered entity retains accountability for how the system is configured, governed, and used.

Does HIPAA apply to all health data?

Not entirely. HIPAA applies to identifiable health information handled by covered entities and their business associates. Data that has been properly de-identified in accordance with HIPAA's defined standards may fall outside its scope.

What is the difference between HIPAA and HITECH?

HIPAA established the foundational framework for protecting health information. HITECH (2009) strengthened it by increasing penalties, extending direct liability to Business Associates, and introducing stricter breach notification requirements. In practice, the two operate as a unified compliance obligation for any organization handling PHI.

What is the difference between HIPAA and GDPR compliance?

HIPAA is a U.S. healthcare privacy law that governs how protected health information (PHI) is handled by healthcare providers and their business associates. GDPR is a broader European data protection regulation that applies to personal data across all industries. While both require safeguards and data protection controls, HIPAA is specific to U.S. healthcare data, whereas GDPR applies to EU residents’ personal data regardless of sector.