HIPAA BAA Generator

HIPAA Compliance Basics: A Quick-Start Guide

HIPAA compliance can feel overwhelming. This guide breaks down the essentials every healthcare provider and vendor needs to understand.


The Three HIPAA Rules


HIPAA compliance revolves around three main rules:


1. The Privacy Rule (45 CFR Part 164, Subpart E)


The Privacy Rule establishes standards for protecting protected health information (PHI) in any form — paper, electronic, or oral. Key requirements include:


- **Notice of Privacy Practices (NPP)** — Patients must receive notice of how their PHI is used

- **Minimum Necessary Standard** — Only the minimum amount of PHI needed should be used or disclosed

- **Patient Rights** — Patients have the right to access, amend, and receive an accounting of disclosures of their PHI

- **Authorization requirements** — Certain uses of PHI (marketing, sale of PHI) require patient authorization


2. The Security Rule (45 CFR Part 164, Subpart C)


The Security Rule applies specifically to electronic PHI (ePHI) and requires three types of safeguards:


- **Administrative safeguards** — Risk assessments, workforce training, security management processes, contingency plans

- **Physical safeguards** — Facility access controls, workstation security, device and media controls

- **Technical safeguards** — Access controls, audit controls, integrity controls, transmission security


3. The Breach Notification Rule (45 CFR Part 164, Subpart D)


When a breach of unsecured PHI occurs, specific notifications are required:


- **Individual notice** — Affected individuals must be notified within 60 days

- **HHS notice** — Breaches affecting 500+ individuals must be reported to HHS immediately; smaller breaches reported annually

- **Media notice** — Breaches affecting 500+ individuals in a state require media notification


Business Associate Obligations


Since the HITECH Act, business associates must:


- Comply with the Security Rule

- Report breaches to covered entities

- Enter into BAAs with their own subcontractors

- Follow the minimum necessary standard

- Accept direct liability for HIPAA violations


Risk Assessment: The Foundation


The single most important compliance activity is conducting a thorough risk assessment. The HHS Office for Civil Rights (OCR) has stated that failure to perform a risk assessment is the most common HIPAA violation found during investigations.


A risk assessment should:

- Identify all systems that store, process, or transmit ePHI

- Identify threats and vulnerabilities

- Assess current security measures

- Determine the likelihood and impact of threats

- Document findings and implement remediation plans


Penalties for Non-Compliance


HIPAA penalties are tiered based on the level of culpability:


- **Tier 1 (Did Not Know):** $100–$50,000 per violation

- **Tier 2 (Reasonable Cause):** $1,000–$50,000 per violation

- **Tier 3 (Willful Neglect, Corrected):** $10,000–$50,000 per violation

- **Tier 4 (Willful Neglect, Not Corrected):** $50,000 per violation


Annual maximum per violation category: $1.5 million. Criminal penalties can include imprisonment.


Getting Started


If you're just beginning your compliance journey:


1. Appoint a Privacy Officer and Security Officer

2. Conduct a comprehensive risk assessment

3. Develop and implement privacy and security policies

4. Train your workforce

5. Execute BAAs with all business associates

6. Establish breach notification procedures

7. Document everything
