‍

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996 that sets standards for handling sensitive patient health information.

‍

If your organization handles protected health information (PHI) and is in-scope under HIPAA, compliance isn’t optional—you’re legally required to align with its requirements to avoid fines and legal penalties. 

‍

Yet, according to Vanta’s 2025 HIPAA Violation Survey, 60% organizations say they’ve experienced a HIPAA-related incident or near miss. If you don’t want to be a part of this statistic, it's essential to act quickly.

‍

In this article, we’ll break down the HIPAA compliance process step-by-step to support your efforts by covering:

‍

• What is HIPAA compliance
• Who must comply
• How to become HIPAA compliant
• Potential challenges of HIPAA

‍

What is HIPAA compliance?

HIPAA compliance means adhering to the rules, regulations, and procedures described by the framework to effectively secure protected health information. 

‍

PHI refers to any individually identifiable information that is maintained, stored, or transmitted by a covered entity (CE) or business associate (BA), and that was created or shared in the course of providing healthcare services, or processing payment for them. Common examples include:

‍

• Personal names
• Email addresses
• Telephone numbers
• Biometric identifiers

‍

As the nature of PHI and threats to it have evolved over the years, HIPAA has been expanded through additional rules to remain effective. The four most important are:

‍

1. The Privacy Rule: Established national standards for protecting PHI and the conditions for its permissible uses and disclosures
2. The Security Rule: Implements strict requirements for safeguarding the integrity, availability, and confidentiality of electronic PHI (ePHI)
3. The Breach Notification Rule: Introduces strict breach reporting timelines and defines criteria for what constitutes a breach
4. The Omnibus Rule: Clarifies many provisions introduced in the previous rules while expanding the scope of HIPAA to include business associates and their contractors

‍

HIPAA is enforced by the HHS Office for Civil Rights (OCR), which can audit in-scope organizations following complaints, breaches, or even at random. When it finds a HIPAA violation, the OCR can impose non-punitive corrective measures, financial penalties, or criminal charges, depending on the severity.

‍

{{cta_withimage13="/cta-blocks"}}   | HIPAA compliance checklist

‍

Who must comply with HIPAA?

Any individual or entity that creates, receives, maintains, or transmits PHI as part of their work must comply with HIPAA. Organizations subject to HIPAA requirements fall into two categories: covered entities and business associates. Consult the table below for more details:

‍

‍

To ensure the security of PHI at all levels, business associates must sign a business associate agreement (BAA) before the covered entity allows them access. This agreement outlines:

‍

• The permitted and required uses of PHI
• Assurance of HIPAA compliance
• Limitations on PHI handling based on HIPAA and contract terms

‍

The BAA can also define breach reporting duties, either by delegating them to the BA or by establishing a stricter notification timeline than what the Breach Notification Rule mandates (no later than 60 days after discovery of a breach).

‍

How to become HIPAA compliant?

Although HIPAA is a robust framework, it applies to a wide range of organizations of varying sizes, resources, and security needs. To account for this, HIPAA was designed to be flexible in how its requirements are implemented.

‍

While this flexibility helps organizations tailor their approach, it also introduces a challenge—HIPAA outlines the criteria that must be met, but doesn’t explain how organizations should meet them.

‍

To ensure efficient HIPAA compliance, you should follow these seven steps:

‍

1. Establish the scope of PHI assets and assess risk
2. Create policies and procedures
3. Appoint compliance officers
4. Implement training and awareness programs
5. Establish reporting procedures
6. Develop a breach response plan
7. Continuously monitor compliance and make necessary adjustments

‍

We’ll examine each step and its importance in the sections below.

‍

‍

Step 1: Establish the scope of PHI and assess risks

Before implementing your compliance program, you should determine which information your organization handles qualifies as PHI. Document PHI in all forms, such as paper files, electronic records, and images, and store it in a central repository to streamline access and reviews.

‍

Be thorough while cataloging; many organizations overlook key areas that can introduce vulnerabilities, such as:

‍

• Shadow IT: Programs that have not gone through IT or procurement reviews, which often leads to security and IT teams not knowing of their existence or use
• Personal devices: Phones, laptops, and software that aren’t covered by security policies
• Other approved systems: Tools that are sanctioned but not fully configured
• Outdated documentation: Spreadsheets, printed reports, and other documents that should have been deleted 

‍

Once you have a clear overview of your in scope PHI, conduct a risk assessment—consider risks such as human error, loss, and mishandling, and evaluate both the likelihood and impact of each. With this information, you can prioritize areas that need the most attention during the compliance process, ensuring you implement appropriate safeguards, training programs, and policies to secure your PHI.

‍

“

The HIPAA Security Rule mandates a risk analysis; running this as a checkbox do-once exercise can lead to problems down the line. To avoid violations, make sure your risk analysis is kept up to date and is not superficial or incomplete.”

Evan Rowse

GRC Subject Matter Expert, Vanta

|

LinkedIn

‍

Step 2: Create policies and procedures

Once you’ve established a clear scope of PHI, it’s time to start working on compliance. Establish clear policies and procedures that will help align your day-to-day workflows with the HIPAA Rules.

‍

Although the Security, Privacy, and Breach Notification Rules are essential, they primarily focus on operational processes. To successfully achieve and maintain HIPAA compliance, you’ll also need to develop a strong compliance culture across all levels of your organization.

‍

Pay additional attention to the Privacy Rule—improper PHI disclosures are among the most common causes of HIPAA compliance violations.

‍

“

PHI is really sensitive, and so improper access controls can easily lead to mistakes and inappropriate sharing. Weak access controls also don't protect in the event of unauthorized access to patient records.”

Evan Rowse

GRC Subject Matter Expert, Vanta

|

LinkedIn

‍

Step 3: Appoint compliance officers

HIPAA compliance requires comprehensive efforts across various departments. As part of the process, you must appoint a Privacy and Security Officer to oversee the relevant workflows.

‍

While the regulation doesn’t mandate that your organization have a general compliance officer, both the Privacy and Security Rule require designating officials responsible for developing and implementing the policies required by each.

‍

The Officers don’t necessarily have to be different stakeholders. For smaller organizations, one team member can fill both positions, while larger ones may need to designate separate Privacy and Security Officers to ensure the most comprehensive coverage.

‍

{{cta_withimage39="/cta-blocks"}} | The Healthcare compliance checklist

‍

Step 4: Implement training and awareness programs

Proper training procedures are essential for ensuring that all parts of your organization understand HIPAA requirements. Due to the regulation’s complex nature, adherence can be overwhelming without proper guidance and understanding.

‍

Your training shouldn’t only focus on following compliance procedures. Ensure your staff understands the consequences that leaked PHI can have through real-world scenarios that illustrate potential harm to individuals. They should also be aware of the financial and reputational impact that breaches can have on your organization.

‍

Conduct regular training sessions at least annually and after policy or regulatory changes. This frequency ensures new employees learn HIPAA fundamentals early, while longtime staff stay aware of any updates and new practices.

‍

Step 5: Establish reporting procedures

Two-way communication is essential for identifying potential HIPAA violations early. Create reporting procedures that enable both top-down communication and bottom-up feedback. That way, leadership can communicate expectations and policy changes while employees can highlight real-world challenges that might not have been initially predicted. 

‍

As part of these efforts, encourage a “speak up” culture in your teams through training and awareness programs, and enable them to raise concerns promptly. One effective way to do this is by creating an anonymous channel through which your stakeholders can escalate potential threats or breaches as soon as they notice them without fear of retaliation.

‍

When building your compliance teams, include cross-functional stakeholders with experience in different aspects of the organization, such as IT, legal, and operations. Their varied expertise will help you evaluate policies more efficiently and adapt your approach to HIPAA compliance.

‍

Step 6: Develop a breach response plan

To comply with the Breach Notification Rule, you must be prepared to notify the HHS Secretary, affected individuals, and in some cases, the media, within 60 days of discovering a breach (or, if you are a business associate, the relevant covered entity). With such strict timelines, you must establish clear breach reporting procedures that outline:

‍

• Who is responsible for identifying, documenting, and escalating incidents
• When notifications are sent to each required party
• What each role is responsible for, such as who identifies the breach, who conducts the risk assessment, and who sends out the notices

‍

You should also set up internal service-level agreements (SLAs) that establish timeframes for HIPAA-related reports, such as:

‍

• All privacy incident reports will be acknowledged within 24 hours
• Triage and risk assessment will be completed within 72 hours

‍

Track SLA performance over time and treat it as a compliance metric. This will help ensure consistency, highlight potential delays, and demonstrate good faith efforts in case of an audit.

‍

Step 7: Continuously monitor compliance and make necessary adjustments

HIPAA compliance is not a one-and-done process, but an ongoing effort. The regulation continues to evolve to address emerging threats, meaning you should be prepared to adapt to regulatory changes as they happen.

‍

To ensure your controls remain up to date, establish continuous monitoring workflows such as:

‍

• Compliance tracking
• Access logging
• Evidence collection

‍

Evidence collection is particularly important—thorough documentation allows you to demonstrate your compliance efforts to auditors and potential partners more efficiently.

‍

{{cta_withimage13="/cta-blocks"}}   | HIPAA compliance checklist

‍

Potential challenges of HIPAA compliance

HIPAA’s comprehensive and robust nature can make pursuing compliance challenging, especially for resource-constrained organizations that may not be able to invest in the required training, audits, and safeguards.

‍

Even for organizations that have already achieved compliance, maintaining it can be complex. Because all departments must comply with HIPAA, compliance teams need to continually oversee and log all PHI access, check for updates, and collect documentation from various departments that often use siloed technologies.

‍

When performed manually, these workflows put significant pressure on your teams. They can distract them from other workflows, such as managing third-party risks, and increase the possibility of delays and inefficiencies.

‍

However, you can mitigate many of these challenges with an automation solution that enables you to track compliance and collect documentation all within a centralized platform.

‍

Streamline HIPAA compliance with Vanta

Vanta is an end-to-end trust management platform that can support your HIPAA compliance efforts by offering clear guidance, resources, and automation for up to 85% of the necessary workflows, depending on your tech stack.

‍

Vanta’s dedicated HIPAA product can make your compliance teams more efficient through features such as:

‍

• Automated evidence collection through integration with 375+ tools
• Ready-to-use document templates
• Policy templates and a policy editor
• Built-in guidance and training solutions
• A unified dashboard to monitor compliance

‍

If your organization is already compliant with or pursuing other industry-leading frameworks and standards—such as NIST, SOC 2, ISO 27001, or HITRUST—Vanta can cross-map your existing controls to HIPAA requirements, eliminating duplicative work and speeding up compliance.

‍

With the solution, you’ll also get access to HIPAA training videos that can bring your staff up to speed with HIPAA requirements. These include:

‍

• HIPAA overview and key definitions
• Covered entities and business associates
• Business Associate Agreements (BAAs)
• HIPAA Privacy Rule and patient rights
• Protecting patient data and security best practices
• Reporting potential incidents and violations

‍

Schedule a custom demo to explore Vanta’s features and experience firsthand how it can streamline HIPAA compliance.

‍

{{cta_simple18="/cta-blocks"}}  | HIPAA product page

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.

‍