What is HIPAA Compliance? Key Requirements, Covered Entities, Checklists, Certification Steps, Violations, and Penalties

HIPAA compliance is critical for U.S. healthcare providers, insurers, and their business associates—including international organizations handling protected health information (PHI). Since its inception in 1996, HIPAA has evolved to safeguard patient privacy, with stricter enforcement and significant penalties for non-compliance. Cyber threats like ransomware have made compliance even more urgent.

In January 2025, Northeast Surgical Group, P.C. paid $10,000 to settle a HIPAA ransomware cybersecurity investigation—the 10th such action by the Department of Health and Human Services Office for Civil Rights (OCR). These attacks often expose PHI and trigger HIPAA’s breach notification rule, making them a top regulatory concern. With enforcement tightening, healthcare organizations must understand HIPAA requirements, compliance checklists, and potential violations.

Whether you’re a healthcare provider, insurer, or vendor handling PHI, this HIPAA compliance guide offers practical insights to help ensure compliance and protect patient data.

What is HIPAA compliance?

The Health Insurance Portability and Accountability Act (HIPAA) is a United States (US) federal law enacted in 1996 to safeguard patient's'' health information through privacy and security standards. It also aims to ensure health insurance portability and allow employees to retain coverage between jobs.

HIPAA compliance requires organizations in the US that manage PHI to protect patient data by adhering to security, privacy, and breach notification rules. PHI refers to any identifiable health information that is created, stored, or shared during the delivery of care or related operations, whether in physical, electronic, or verbal form. HIPAA includes guidelines for how healthcare organizations and their business associates must collect, store, use, and share PHI to ensure its confidentiality, integrity, and availability.

HIPAA Covered entities

Covered entities are individuals or organizations directly handling PHI. These entities include health service providers such as hospitals, pharmacies, nursing homes, and doctors who access PHI to carry out treatment, payment, and other healthcare operations.

Other covered entities include Hhealth insurance companies, health maintenance organizations (HMOs), healthcare clearing houses. Employer-sponsored health plans also fall under this category when they manage PHI, although the employer itself may not always be directly subject to HIPAA.

Role of Business associates in HIPAA

Business associates provide support services handling PHI for covered entities and other associates, such as IT service providers, cloud platforms, and consultancies.

Read Our Dedicated Article on HIPAA Covered Entities , Non- Covered Entities and Business Associates

How HIPAA compliance applies to startups, enterprises, and telehealth providers?

PHI and HIPAA compliance aren’t limited to traditional healthcare providers. Startups and telehealth providers offering wellness programs, fitness apps, and wearable health devices may need to comply with HIPAA regulations. This applies if they collect sensitive health-related data—such as heart rate, sleep patterns, or workout routines—that could be considered PHI.

If these programs and apps collect, store, or share the user’s health information on behalf of a covered entity—like a hospital, insurance company, or provider network, then it could be considered PHI, and the organizations are responsible for protecting their users’ data as per HIPAA regulations.

For example, mobile apps such as Fitbit partnering with payers, providers, and employers collect user health data, including heart rate and dietary habits, to track users’ fitness progress.

Wearable health devices, such as the Apple Watch, track users’ physical activity and vital health signs like heart rate and blood pressure. Apple stores user health data in a secure system in accordance with HIPAA privacy and security standards. Users maintain control over sharing health data with providers and other apps. Any health data from Apple Watch that users choose to share with other healthcare organizations is treated in accordance with the organization’s data policy.

Even as these health tech companies implement encryption to protect user data and give users greater control, security incidents still occur. A notable example is the MyFitnessPal app, which experienced a data breach in 2018 when an unauthorized party acquired data associated with 150 million app users.

HIPAA regulations may apply if your fitness app, wellness program, or wearable device collects, processes, or shares data that can be considered PHI with covered entities (such as health insurers or medical providers).

HIPAA compliance rules and requirements in 2025

HIPAA regulations are organized into distinct rules, which ensure that covered entities and business associates safeguard PHI through reasonable physical, administrative, and technical measures.

1. The HIPAA privacy rule

The privacy rule requires covered entities to create processes and procedures to keep PHI confidential. It defines standards for protecting patients' personally identifiable health information, including medical diagnoses, prescriptions, procedures, social security numbers, and more. The rule also applies to business associates accessing PHI.

2. The HIPAA security rule

The security rule defines multiple standards for protecting patient information.

• Administrative safeguards include policies, training programs, security management plans, and hiring security personnel to help run these programs.
• Technical safeguards include access controls, encryption, audit controls, and user authentication systems to prevent unauthorized access or disclosure.
• Physical safeguards include business access controls, workstation security, and device management to protect PHI from physical threats.

3. The HIPAA breach notification rule

The rule mandates that covered entities and business associates notify affected patients in the event of a PHI breach. Depending on the extent of data compromise, they may also be required to notify the Department of Health and Human Services (HHS) or other stakeholders, and in some cases, the media.

4. The HIPAA enforcement rule

Added to HIPAA in 2006, this rule grants the authority to the HHS Office for Civil Rights (OCR) to investigate covered entities and business associates for HIPAA violations, including breaches of ePHI, failure to implement adequate security safeguards, and non-compliance with the privacy rule.

5. The Omnibus rule

Enacted in 2013, the HIPAA Omnibus rule strengthens patient privacy and security by expanding the scope of HIPAA, specifically regarding business associates. It updates and clarifies previous rules to enhance data security and patient control, making business associates directly liable for HIPAA compliance.

What is HIPAA certification?

HIPAA training is widely called HIPAA certification. The certification or training isare not officially recognized by the Department of Health and Human Services. The training program educates individuals and organizations on HIPAA rules, privacy practices, and security measures. Though it's not officially required, organizations pursue HIPAA certification through accredited training providers to demonstrate their commitment to protecting PHI and ensuring compliance with HIPAA regulations.

What are the available HIPAA certification programs for businesses?

While there's no single, universally accepted HIPAA compliance certification, businesses can demonstrate their compliance through any of the following certification and training programs:

1. HHS

HHS provides free learning resources to organizations and individuals to enable them to understand the basics of HIPAA rules and regulations.

2. 360training

This private HIPAA training and certification program is offered by 360training, an IACET-accredited company. The organization offers 100% online training programs covering all aspects of HIPAA, including privacy, security, and breach notification.

3. Cyber Security Hive

It offers HIPAA compliance certification programs tailored for different roles, such as administrators, security experts, and compliance officers.

When selecting a certification program, consider factors such as accreditation, course relevance, and your organization's specific needs to ensure that the training and certification align with your compliance and business objectives.

Common HIPAA violations and how to avoid them

HIPAA violations result from an organization's failure to comply with regulations. These violations can lead to unauthorized access to PHI, impermissible disclosures, data breaches, and unintentional mistakes, such as mishandling patient information. The consequences for healthcare organizations can be severe, including financial penalties and reputational damage. Some common HIPAA violations are as follows:

1. Unauthorized access to PHI

An impermissible use or disclosure under HIPAA occurs when PHI is accessed, used, or shared without proper authorization or legal justification. While not every unauthorized use qualifies as a breach, it may be considered one if it compromises the privacy or security of the PHI. Sharing patient information without consent or proper authorization is considered an impermissible uses orand disclosures, leading to penalties for HIPAA non-compliance.

2. Lack of proper encryption and security controls

Organizations' fFailure to implement appropriate security measures, such as access control, can lead to employees gaining unauthorized access to PHI and data breach. Additionally, the lack of data encryption increases the likelihood of breaches that compromise patient privacy.

Organizations must implement robust security measures, such as encryption, strict access controls, and audit controls, to monitor access to PHI and reduce the risk of unauthorized access or data breaches.

For example, Gulf Coast Pain Consultants was fined $1.19 million in 2024 for HIPAA security rule violations after a data breach report indicated that a former contractor for the company had impermissibly accessed their electronic record system.

3. Improper data sharing and disposal

Organizations discarding physical records without shredding or leaving electronic data accessible can expose patient information to unauthorized individuals and entities. To avoid this risk, they must follow secure disposal methods such as certified shredding and permanent data deletion.

4. Failure to conduct regular risk assessments

Healthcare organizations must conduct periodic risk assessments to detect vulnerabilities and take timely remedial actions to prevent threats and avoid non-compliance with HIPAA regulations. These evaluations help organizations identify security gaps and take corrective actions before an incident occurs.

5. Non-compliance with business associate agreements (BAAs)

Covered entities must have business associate agreements (BAAs) with third parties that handle PHI on their behalf. A lack of proper agreements conforming to HIPAA guidelines can lead to significant compliance issues.

Covered entities must ensure all business associates sign HIPAA-compliant agreements before sharing PHI with them.

6. Failure to comply with individuals' rights

Patients have the right to access their records and request corrections in their PHI. Healthcare organizations' failure to uphold these rights can result in compliance violations. Organizations must establish a defined mechanism to process patient requests.

For example, Oregon Health & Science University was penalized with a fine of $200,000 in March 2025 for its failure to provide timely access to patient records.

7. Lost or stolen devices

Unsecured laptops, smartphones, or USB drives with patient data pose a significant security risk. Organizations must encrypt all portable devices and enforce strict access policies to mitigate this risk. Admins must also ensure that the access credentials and permissions of employees leaving the organization are revoked to prevent unauthorized access to patient information.

HIPAA penalties and fines in 2025

HIPAA violations are classified as civil and criminal and can be penalized with fines, a corrective action plan, or even jail time. Depending on the severity and nature of the violation, the penalty can range from thousands to millions of dollars.

Civil penalties

When HIPAA violations occur due to non-compliance, negligence, or lack of security measures, the Office for Civil Rights (OCR) imposes civil penalties on organizations. Based on the severity of violations, civil penalties are categorized into four tiers.

• Tier 1: Unaware of the violation due to lack of knowledge. The penalty ranges from a minimum of $141 to a maximum penalty of $71,162 per violation.
• Tier 2: Violation due to reasonable cause but not willful neglect. The penalty can range from a minimum of $1,424 to a maximum penalty of $71,162 per violation.
• Tier 3: Willful neglect, though corrective actions were later taken. The penalty can range from a minimum of $14,232 to a maximum penalty of $71,162 per violation.
• Tier 4: Willful neglect with no correction within 30 days. The penalty can range from a minimum of $71,162 to a maximum of $2,134,831 per violation.

Criminal penalties

HIPAA violations involving malicious intent, fraud, or knowingly obtaining and unlawfully disclosing PHI result in criminal penalties. The Department of Justice (DOJ) handles these penalties, classifying them into three levels. A judge decides the jail term and accompanying fine based on the specifics of each case.

• Tier 1: The violation was committed unknowingly or due to negligence. The penalty can be up to one year in jail.
• Tier 2: PHI was obtained under false pretenses but without malicious intent. The jail term can be up to five years.
• Tier 3: PHI was obtained for personal gain or with malicious intent. Penalty: Up to 10 years in jail.

Each tier may also include monetary fines, as determined by the judge.

HIPAA compliance checklist

A HIPAA compliance checklist is essential for organizations to systematically ensure they meet all security, privacy, and breach notification requirements. A structured checklist enables organizations to protect patient data and demonstrate due diligence in compliance audits.

Step 1: Determine if the HIPAA privacy rule applies to you

The Privacy Rule applies to fewer organizations than the Security Rule; however, it is essential for all organizations to understand the Privacy Rule provisions since they're the foundation of HIPAA compliance and are essential for complying with other rules.

Understand what constitutes PHI, how it can be used and disclosed, and when individual authorization is required. Evaluate risks associated with maintaining PHI confidentiality and implement safeguards to minimize risks to a reasonable and appropriate level.

Step 2: Conduct a HIPAA risk assessment

A comprehensive HIPAA risk assessment checklist includes the following steps for IT and compliance officers:

• Identify all types of PHI handled within the organization and conduct a risk analysis to evaluate vulnerabilities and threats to PHI, considering both electronic and physical risks.
• Assess existing administrative, physical, and technical safeguards to protect PHI.
• Evaluate access controls and authentication methods to ensure PHI access is limited to authorized personnel.
• Assess whether the risk mitigation plan adequately addresses the identified risks and whether responsible personnel have been identified to manage these risks.
• Establish a process for periodic review and update of compliance policies to incorporate the latest regulatory developments.

Step 3: Implement administrative, physical, and technical safeguards

The HIPAA Security Rule checklist includes standards to ensure the confidentiality, integrity, and availability of PHI and ePHI.

• Administrative safeguards include a security management process, designating security officers, information access management, security awareness and training, security incidentce procedures, a contingency plan, and periodic evaluations.
• Physical safeguards cover facility access control, workstation security and use, and device and media controls.
• Technical safeguards include system access control, audit controls, integrity controls, person or entity authentication, and transmission security.

Step 4: Conduct HIPAA training and awareness programs for employees

A HIPAA training and awareness program ensures employees understand privacy rules, security practices, and their role in protecting patient data. Training helps organizations prevent human errors and violations and reinforces compliance with evolving regulations. A trained workforce helps organizations avoid breaches, civil and criminal penalties, and reputational damage, making HIPAA training an integral component of the compliance checklist.

Step 5: Ensure BAAs are in place

Covered entities must ensure they have BAAs in place for third-party vendors handling PHI on their behalf. A BAA ensures vendors follow the same security and privacy standards. Without a BAA, an organization is liable for any breaches caused by its vendors.

Step 6: Conduct continuous monitoring, auditing, and risk mitigation

IT and compliance officers must implement a robust audit control framework focusing on IT systems and applications.

• Systems containing ePHI must log all access and modifications using automated logging mechanisms to track who accessed what data and when.
• Monitor system activities to identify unauthorized access or unusual behavior and use intrusion detection systems (IDS) to detect anomalies indicating potential breaches.
• Periodically review audit logs to investigate suspicious activities, ensure compliance, and enhance your security posture against data breaches.

How Scrut simplifies HIPAA compliance?

Scrut is a leading HIPAA compliance automation platform that strengthens your HIPAA compliance posture with pre-built controls and continuous compliance monitoring. It simplifies end-to-end HIPAA compliance by managing activities across the value chain, from cloud risk assessments and control reviews to employee policy attestations and vendor risk management. Featuring 1,400+ pre-mapped controls across 50+ frameworks, Scrut minimizes manual effort by up to 70%, ensuring seamless HIPAA compliance.

Protect PHI using in-built and customized policies

Scrut offers a library of 75+ expert-vetted policies while allowing you to upload your custom policies through an in-built editor that also supports version control. The editor enables you to adjust policies to meet your organization's needs.

Automated evidence collection to streamline compliance

Scrut integrates with popular third-party applications to automate evidence collection across your HRIS systems, cloud providers, and IT systems. It automates 80% of the evidence collection, reducing manual efforts and improving efficiency. The evidence is logged and tracked in real-time, ensuring you have a 100% audit-ready view of all evidence mapped to the corresponding HIPAA controls.

Access to in-house HIPAA compliance experts

Scrut provides access to a network of HIPAA compliance specialists, including auditors and consultants, offering guidance on policy implementation, audit readiness, and best practices.

Continuous control monitoring for real-time risk assessment

Scrut continuously monitors compliance across policy management, employee training, vendor risk, access control, and cloud security. The platform automates policy checks, tracks security training completion, ensures timely vendor risk assessments, and highlights outdated access rights. It also scans cloud environments to detect misconfigurations that could lead to compliance failures. Scrut provides real-time visibility into control effectiveness, enhancing HIPAA audit readiness.

Integrations with EHRs, cloud platforms, and security tools

Scrut integrates with electronic health records (EHRs) to monitor data access, enforce role-based permissions, and track PHI usage, ensuring compliance with HIPAA's Privacy Rule.

Scrut's integrations with cloud security tools enable organizations to continuously assess their cloud environments for security risks and misconfigurations while automating compliance reporting to meet HIPAA's technical safeguards. Scrut automatically maps controls to different standards and displays their compliance status in real-time.

Audit-ready documentation to reduce manual effort

The platform’s comprehensive audit logs enable organizations to maintain an audit trail of security controls and remediation actions. The audit logs capture every update, change, and progress made, ensuring a precise compliance record with minimal manual effort.

Protecting patient data and staying compliant with HIPAA regulations can be complex—but the right HIPAA compliance software makes it easier. A strong solution should automate audits, provide continuous monitoring, offer expert support, and integrate easily with your existing tech stack to minimize risk and boost efficiency.

Scrut simplifies HIPAA compliance with continuous monitoring, detailed risk assessments, third-party vendor assessments, real-time, automated evidence collection, and expert guidance—helping you stay secure without the manual hassle.Ensure your organization is always audit-ready. Schedule a demo with Scrut today to see how effortless HIPAA compliance can be.