HIPAA Compliance Requirements: Complete 2026 Guide for Healthcare
Posted: March 5, 2026 to Compliance.
HIPAA compliance in 2026 requires healthcare organizations and their business associates to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of protected health information (PHI). The core requirements are defined across four rules: the Privacy Rule (who can access PHI and how it can be used), the Security Rule (technical and physical protections for electronic PHI), the Breach Notification Rule (reporting requirements when PHI is compromised), and the Enforcement Rule (penalties for violations). In January 2025, the HHS Office for Civil Rights published a proposed update to the HIPAA Security Rule that represents the most significant regulatory change since the 2013 Omnibus Rule, introducing mandatory encryption, multi-factor authentication, network segmentation, and 72-hour restoration requirements.
After helping hundreds of healthcare organizations, dental practices, behavioral health providers, and business associates achieve and maintain HIPAA compliance over the past two decades, I have seen firsthand how the requirements continue to evolve in response to escalating cyber threats. Healthcare data breaches affected over 133 million individuals in 2024 alone, making this the worst year on record. This guide provides a comprehensive, practical overview of every HIPAA requirement you need to know in 2026.
Who Must Comply with HIPAA
HIPAA applies to two categories of organizations:
Covered entities include healthcare providers (hospitals, physicians, dentists, chiropractors, nursing homes, pharmacies, and any provider that transmits health information electronically), health plans (health insurance companies, HMOs, employer-sponsored health plans, Medicare, and Medicaid), and healthcare clearinghouses (entities that process health information between providers and payers).
Business associates are any organization or individual that performs functions or services on behalf of a covered entity that involve access to PHI. Common business associates include IT service providers and managed service providers, cloud hosting companies storing PHI, medical billing and coding companies, EHR vendors, law firms handling PHI, accounting firms accessing patient financial data, shredding and document destruction companies, consultants with PHI access, and medical transcription services.
Business associates have been directly liable for HIPAA compliance since the 2013 HITECH Omnibus Rule. They must implement their own safeguards, conduct their own risk assessments, and can be directly fined for violations. If your organization accesses, stores, processes, or transmits PHI on behalf of a healthcare provider or health plan, you are a business associate and must comply with HIPAA.
The HIPAA Privacy Rule
The Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) establishes national standards for the protection of individually identifiable health information. It governs how PHI can be used and disclosed.
What constitutes PHI: Protected Health Information is any individually identifiable health information held or transmitted by a covered entity or its business associate, in any form including electronic, paper, and oral. PHI includes 18 specific identifiers when associated with health information: names, geographic data smaller than state, dates (except year) related to an individual, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers and serial numbers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or code.
Permitted uses and disclosures: PHI may be used or disclosed without patient authorization for treatment, payment, and healthcare operations (TPO). These three purposes cover the vast majority of routine healthcare activities. Other permitted disclosures without authorization include public health activities, abuse or neglect reporting, health oversight activities, judicial and administrative proceedings, law enforcement purposes, decedent information to medical examiners, organ donation, research with appropriate waivers, serious threat to health or safety, workers' compensation, and government functions including military and veterans' activities.
The Minimum Necessary Standard: When using or disclosing PHI, covered entities must make reasonable efforts to limit the information to the minimum amount necessary to accomplish the intended purpose. This standard does not apply to disclosures for treatment purposes, disclosures to the individual, or disclosures authorized by the individual.
Patient rights under the Privacy Rule: Patients have the right to access their PHI and receive copies within 30 days of request, request amendments to their records, receive an accounting of disclosures, request restrictions on certain uses and disclosures, request confidential communications through alternative means, and file complaints with the covered entity and HHS.
Notice of Privacy Practices: Every covered entity must provide patients with a notice describing how their PHI may be used and disclosed, their rights regarding their PHI, the entity's legal duties, and who to contact for more information or to file a complaint.
The HIPAA Security Rule
The Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) establishes national standards specifically for protecting electronic PHI (ePHI). It requires covered entities and business associates to implement three categories of safeguards: administrative, physical, and technical.
The Security Rule is technology-neutral by design, meaning it does not mandate specific technologies but instead requires organizations to implement protections that are reasonable and appropriate for their size, complexity, and capabilities. However, the 2025 proposed update adds significantly more prescriptive requirements.
Administrative Safeguards (Section 164.308)
Administrative safeguards are the policies, procedures, and management processes that govern the security of ePHI. They represent the foundation of a HIPAA security program.
1. Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations. This includes conducting a risk analysis of all ePHI, implementing a risk management program, establishing a sanction policy for workforce members who violate security policies, and reviewing information system activity records on a regular basis.
2. Assigned Security Responsibility. Designate a security official responsible for developing and implementing security policies and procedures. This person does not need to be a full-time security professional but must have the authority and resources to manage the security program.
3. Workforce Security. Implement procedures for authorization, supervision, clearance, and termination of workforce members who access ePHI. Ensure that access is granted based on job function and revoked promptly when employment ends or roles change.
4. Information Access Management. Implement policies for authorizing access to ePHI. This includes role-based access control, processes for granting access, and regular review of access rights to ensure they remain appropriate.
5. Security Awareness and Training. Implement a security awareness program for all workforce members including security reminders, procedures for guarding against malicious software, login monitoring, and password management training. Training must occur at hire and periodically thereafter.
6. Security Incident Procedures. Implement policies for identifying, responding to, and mitigating security incidents. Document all incidents and their outcomes.
7. Contingency Plan. Establish a data backup plan, disaster recovery plan, emergency mode operation plan, and procedures for testing and revising contingency plans. The 2025 proposed rule adds a mandatory 72-hour system restoration requirement.
8. Evaluation. Perform periodic technical and non-technical evaluations to assess compliance with security policies and the Security Rule. The evaluation should be conducted at least annually and after any significant environmental or operational change.
9. Business Associate Contracts. Obtain satisfactory assurances from business associates that they will appropriately safeguard ePHI through a written Business Associate Agreement.
Physical Safeguards (Section 164.310)
Physical safeguards protect the physical infrastructure and equipment that stores and processes ePHI.
1. Facility Access Controls. Implement policies to limit physical access to electronic information systems and the facilities in which they are housed. This includes contingency operations procedures, a facility security plan, access control and validation procedures, and maintenance records for physical security.
2. Workstation Use. Implement policies that specify the proper functions to be performed at workstations, the manner in which those functions are performed, and the physical attributes of workstation environments. Ensure workstations accessing ePHI are positioned to prevent unauthorized viewing.
3. Workstation Security. Implement physical safeguards for all workstations that access ePHI. This includes restricting access to authorized users, implementing screen locks, and securing portable devices.
4. Device and Media Controls. Implement policies for the receipt, removal, and disposal of hardware and electronic media containing ePHI. This includes proper disposal and media re-use procedures, accountability tracking for hardware and media, and data backup and storage procedures when equipment is moved.
Technical Safeguards (Section 164.312)
Technical safeguards are the technology and related policies that protect ePHI and control access to it.
1. Access Control. Implement technical policies and procedures to allow access only to authorized persons and software programs. Required implementations include unique user identification (every user must have a unique login), emergency access procedures for obtaining ePHI during an emergency, automatic logoff after a period of inactivity, and encryption and decryption of ePHI (addressable under current rule, mandatory under proposed 2025 update).
2. Audit Controls. Implement hardware, software, and procedural mechanisms to record and examine activity in information systems that contain or use ePHI. Audit logs must capture who accessed what information, when, and from where.
3. Integrity. Implement policies and procedures to protect ePHI from improper alteration or destruction. Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed.
4. Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. Multi-factor authentication is currently addressable but becomes mandatory under the 2025 proposed update.
5. Transmission Security. Implement technical measures to guard against unauthorized access to ePHI during electronic transmission. This includes integrity controls and encryption. Encryption of ePHI in transit is addressable under the current rule but will become mandatory under the 2025 proposed update.
Breach Notification Rule
The Breach Notification Rule (45 CFR Sections 164.400-414) requires covered entities and business associates to provide notification following a breach of unsecured PHI.
What constitutes a breach: An impermissible use or disclosure of PHI that compromises the security or privacy of the information. A breach is presumed unless the covered entity demonstrates a low probability that PHI was compromised based on a four-factor risk assessment: the nature and extent of PHI involved, the unauthorized person who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk to PHI has been mitigated.
Notification requirements for breaches affecting 500 or more individuals:
- Notify affected individuals within 60 days of discovery by first-class mail or email (if authorized)
- Notify the HHS Secretary within 60 days via the HHS breach reporting portal
- Notify prominent media outlets serving the state or jurisdiction within 60 days
- Post the breach on the covered entity's website for 90 days if 10 or more individuals cannot be contacted
Notification requirements for breaches affecting fewer than 500 individuals:
- Notify affected individuals within 60 days of discovery
- Notify the HHS Secretary annually (within 60 days of the end of the calendar year)
- Media notification is not required
Business associate responsibilities: Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. The covered entity is then responsible for the individual and HHS notifications.
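The decision logic in this section, as an added worked example that is not part of the original guide: it applies the presumption-of-breach test and builds the notification list with deadlines for a given discovery date. The function names, the `FourFactorAssessment` flags and the conservative rule that all four factors must be documented as favourable before the presumption is rebutted are assumptions of this example, not language from the rule.

```python
"""Breach-notification obligation checker for the rules summarised above.

Added illustration (not from the original article). Notification timelines
and thresholds are the ones the guide lists; the four-factor handling is a
deliberately conservative simplification (see FourFactorAssessment).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Union

NOTIFICATION_WINDOW = timedelta(days=60)   # "within 60 days of discovery"
LARGE_BREACH_THRESHOLD = 500               # >= 500 individuals: HHS + media within 60 days
SUBSTITUTE_NOTICE_THRESHOLD = 10           # >= 10 unreachable individuals: website posting
WEB_POSTING_DAYS = 90                      # substitute notice stays up for 90 days


@dataclass(frozen=True)
class FourFactorAssessment:
    """Documented outcome of the four-factor risk assessment.

    Each flag is True when the documented finding weighs toward a LOW
    probability that the PHI was compromised.
    """
    limited_nature_and_extent: bool   # 1. nature and extent of the PHI involved
    trusted_recipient: bool           # 2. who received it (e.g. another HIPAA-bound entity)
    not_acquired_or_viewed: bool      # 3. evidence the PHI was never opened or exfiltrated
    risk_mitigated: bool              # 4. PHI returned/destroyed, attestation obtained, etc.

    def low_probability_of_compromise(self) -> bool:
        # Assumption of this example: only a clean sweep of all four factors
        # rebuts the presumption that the incident is a breach.
        return all((self.limited_nature_and_extent, self.trusted_recipient,
                    self.not_acquired_or_viewed, self.risk_mitigated))


def is_notifiable_breach(phi_secured: bool,
                         assessment: Optional[FourFactorAssessment]) -> bool:
    """True when the incident must be treated as a breach of unsecured PHI."""
    if phi_secured:
        # PHI encrypted per HHS guidance is not "unsecured PHI": the rule does not apply.
        return False
    if assessment is None:
        # No documented assessment: the presumption of breach stands.
        return True
    return not assessment.low_probability_of_compromise()


@dataclass(frozen=True)
class Notification:
    recipient: str
    deadline: date
    how: str


def required_notifications(discovered: Union[date, str], affected: int, unreachable: int,
                           *, is_business_associate: bool) -> List[Notification]:
    """Notification list for a notifiable breach discovered on `discovered` (date or ISO string)."""
    if isinstance(discovered, str):
        discovered = date.fromisoformat(discovered)
    by = discovered + NOTIFICATION_WINDOW
    if is_business_associate:
        # A BA notifies the covered entity; the CE owns the individual/HHS/media notices.
        return [Notification("covered entity", by,
                             "without unreasonable delay, no later than 60 days")]
    notices = [Notification("affected individuals", by,
                            "first-class mail, or email if the individual agreed")]
    if affected >= LARGE_BREACH_THRESHOLD:
        notices.append(Notification("HHS Secretary", by, "HHS breach reporting portal"))
        notices.append(Notification("prominent media", by,
                                    "outlets serving the state or jurisdiction"))
        if unreachable >= SUBSTITUTE_NOTICE_THRESHOLD:
            notices.append(Notification("substitute notice (website)", by,
                                        f"keep posted for {WEB_POSTING_DAYS} days"))
    else:
        # Smaller breaches go on the annual log, due 60 days after the end of
        # the calendar year in which the breach was discovered.
        year_end = date(discovered.year, 12, 31)
        notices.append(Notification("HHS Secretary", year_end + NOTIFICATION_WINDOW,
                                    "annual submission via the HHS portal"))
    return notices


if __name__ == "__main__":
    # Constructed scenario: lost unencrypted laptop, no forensic evidence, 1,200 patients.
    if is_notifiable_breach(phi_secured=False, assessment=None):
        for n in required_notifications("2025-03-10", 1200, 12, is_business_associate=False):
            print(f"{n.deadline}  {n.recipient:<28} {n.how}")
```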
2025 Security Rule Update: What Is Changing
On January 6, 2025, the HHS Office for Civil Rights published a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule. If finalized as proposed, these changes will represent the most significant update to HIPAA security requirements in over a decade. Key changes include:
Elimination of "addressable" vs. "required" distinction. Under the current Security Rule, some implementation specifications are "addressable," meaning organizations can implement alternative measures or document why the specification is not reasonable and appropriate. The proposed rule makes nearly all specifications required, with limited exceptions.
Mandatory encryption. Encryption of ePHI at rest and in transit becomes a hard requirement rather than addressable. This means every system storing ePHI must use encryption, and every transmission of ePHI must be encrypted. The proposed rule specifies minimum encryption standards.
Multi-factor authentication required. MFA becomes mandatory for all systems accessing ePHI. This applies to workforce members, vendors with remote access, and any system-to-system authentication involving ePHI.
Network segmentation. Organizations must implement network segmentation to isolate systems containing ePHI from general-purpose networks. This is similar to the CUI enclave concept in CMMC and prevents lateral movement by attackers.
72-hour restoration requirement. Organizations must be able to restore critical systems and data within 72 hours following a disruption. This requires tested backup and disaster recovery procedures and effectively mandates business continuity planning.
Annual security risk assessment. Risk assessments must be conducted at least annually (the current rule requires periodic assessments without specifying frequency). The proposed rule also adds more specific requirements for risk assessment methodology and documentation.
Technology asset inventory. Organizations must maintain a current inventory of all technology assets that create, receive, maintain, or transmit ePHI, including a network map showing how ePHI flows through the organization.
Vulnerability scanning and penetration testing. Regular vulnerability scanning (at least every six months) and penetration testing (at least annually) become explicit requirements.
Anti-malware protection. Deploy anti-malware on all systems that can support it, with automatic updates.
Compliance timeline: The proposed rule is expected to be finalized in mid-to-late 2025, with a compliance deadline approximately 180 days after the final rule is published. Organizations should begin preparing now, as many of these requirements take months to implement.
Risk Assessment Requirements
The HIPAA Security Rule risk assessment is the single most important compliance requirement and the one most frequently found deficient in OCR investigations. A proper risk assessment must:
1. Identify all ePHI. Document every location where ePHI is created, received, maintained, or transmitted. This includes EHR systems, email, file shares, cloud storage, mobile devices, backup systems, and any other system that touches ePHI.
2. Identify threats and vulnerabilities. Evaluate reasonably anticipated threats (malware, ransomware, insider threats, natural disasters, hardware failure) and vulnerabilities (unpatched software, weak passwords, lack of encryption, insufficient training) for each system containing ePHI.
3. Assess current security measures. Document what safeguards are currently in place and evaluate their effectiveness.
4. Determine the likelihood and impact of threat occurrence. For each identified threat-vulnerability pair, assess how likely it is to occur and what the impact would be on the confidentiality, integrity, and availability of ePHI.
5. Determine the level of risk. Combine likelihood and impact to determine the overall risk level for each threat scenario.
6. Document the findings. The risk assessment must be documented. OCR has consistently enforced this requirement. An undocumented risk assessment is treated as no risk assessment at all.
7. Implement measures to reduce risk to a reasonable level. Based on the risk assessment, implement safeguards to reduce identified risks. Not every risk can or needs to be eliminated, but your organization must demonstrate that it has reduced risks to a reasonable and appropriate level.
Use frameworks like NIST SP 800-30 (Guide for Conducting Risk Assessments) to structure your assessment. HHS also provides a free Security Risk Assessment Tool (SRA Tool) for small and medium practices.
Business Associate Agreements
A Business Associate Agreement (BAA) is a written contract between a covered entity and a business associate that establishes the permitted uses and disclosures of PHI, requires the business associate to implement appropriate safeguards, requires reporting of breaches and security incidents, requires the business associate to ensure its subcontractors agree to the same obligations, grants the covered entity the right to terminate the contract for material breach, and requires the return or destruction of PHI upon termination.
Every vendor, contractor, or service provider that accesses PHI must have a BAA in place before they receive access to any PHI. Common areas where BAAs are overlooked include cloud storage providers, IT support and managed service providers, email hosting providers (if email contains PHI), medical billing and coding companies, answering services, shredding and destruction companies, and consultants and temporary staff.
The BAA must be specific to the services provided and the PHI involved. Generic template BAAs may not adequately address the specific risks of a particular vendor relationship.
HIPAA Violation Penalties
HIPAA violations carry substantial penalties that have increased significantly under the HITECH Act:
| Tier | Knowledge Level | Penalty Per Violation | Annual Maximum |
|---|---|---|---|
| Tier 1 | Did not know (and would not have known) | $137-$68,928 | $2,067,813 |
| Tier 2 | Reasonable cause, not willful neglect | $1,379-$68,928 | $2,067,813 |
| Tier 3 | Willful neglect, corrected within 30 days | $13,785-$68,928 | $2,067,813 |
| Tier 4 | Willful neglect, not corrected | $68,928-$2,067,813 | $2,067,813 |
Penalty amounts are adjusted annually for inflation. Figures shown are 2025 adjusted amounts.
Criminal penalties: Individuals who knowingly obtain or disclose PHI in violation of HIPAA face criminal penalties up to $250,000 in fines and 10 years imprisonment for violations committed with intent to sell PHI or for personal gain.
State attorneys general can also bring actions for HIPAA violations on behalf of state residents, with additional penalties up to $25,000 per violation category per year.
Recent enforcement trends: OCR has significantly increased enforcement activity, with record fines in 2024 and 2025. The most common enforcement triggers are failure to conduct a risk assessment, failure to implement encryption, insufficient access controls, lack of BAAs with vendors, and delayed breach notification. OCR investigates every breach affecting 500 or more individuals and conducts random compliance audits of covered entities and business associates.
HIPAA Compliance Checklist
Use this checklist to evaluate your organization's HIPAA compliance posture:
Administrative safeguards:
- Conduct and document a comprehensive risk assessment (at least annually)
- Develop and implement a risk management plan addressing identified risks
- Designate a HIPAA Security Officer and Privacy Officer
- Implement workforce security policies (background checks, sanctions, termination procedures)
- Conduct security awareness training for all workforce members at hire and annually
- Develop and test an incident response plan
- Develop and test a contingency/disaster recovery plan
- Execute BAAs with all business associates
- Implement information access management policies
- Document all policies and procedures
Physical safeguards:
- Implement facility access controls (badge access, visitor logs, locked server rooms)
- Establish workstation use and positioning policies
- Secure all workstations that access ePHI
- Implement device and media disposal procedures
- Maintain hardware and media accountability logs
Technical safeguards:
- Implement unique user identification for all users
- Implement automatic logoff on all workstations
- Encrypt ePHI at rest and in transit
- Implement audit controls and regularly review audit logs
- Implement integrity controls for ePHI
- Implement multi-factor authentication
- Deploy anti-malware protection on all endpoints
- Implement network segmentation isolating ePHI systems
- Conduct vulnerability scans at least every six months
- Conduct penetration testing at least annually
Most Common HIPAA Violations
Based on OCR enforcement actions and our experience with hundreds of healthcare organizations, the most common HIPAA violations are:
1. Failure to perform a risk assessment. This is the number one finding in OCR investigations and the single most important thing you can do for compliance. Every settlement and corrective action plan issued by OCR includes a risk assessment requirement.
2. Lack of encryption. Unencrypted laptops, portable devices, and email are involved in a disproportionate number of breaches. Encryption is the most effective single technical control because PHI encrypted in line with HHS guidance is not "unsecured PHI": its loss or theft does not trigger breach notification under HIPAA.
3. Insufficient access controls. Giving all employees access to all patient records rather than limiting access based on job function. Failing to revoke access promptly when employees leave or change roles.
4. Missing or inadequate BAAs. Using cloud services, IT vendors, or billing companies without executed BAAs. Using generic BAA templates that do not address the specific services and PHI involved.
5. Insufficient training. One-time training at hire with no ongoing reinforcement. Training that covers privacy but not security. No documentation of training completion.
6. Delayed breach notification. Failing to report breaches within the 60-day window. Not having a breach identification and response process in place.
7. Impermissible disclosures. Discussing patient information in public areas, sharing PHI via unsecured email or text messages, posting patient information on social media, and disposing of records without proper destruction.
HIPAA for Small Practices
Small healthcare practices (1 to 10 providers) face the same HIPAA requirements as large health systems but with fewer resources. Here is how to achieve compliance efficiently:
Leverage your EHR vendor. Modern cloud-based EHR systems (Epic, athenahealth, DrChrono, eClinicalWorks) handle many technical safeguards including encryption, access controls, and audit logging. Ensure you have a BAA with your EHR vendor and understand which safeguards they cover versus which you must implement.
Use a managed service provider with HIPAA expertise. A HIPAA-experienced MSP can manage your technical safeguards including encryption, backup, patch management, and monitoring for a predictable monthly fee. This is far more cost-effective than attempting to manage these controls in-house.
Focus on the highest-risk areas. For small practices, the highest-risk areas are typically email (use encrypted email for any communication containing PHI), portable devices (encrypt all laptops and mobile devices), access management (implement unique logins and MFA), training (conduct annual security awareness training), and physical security (secure server rooms and workstations, manage visitor access).
Document everything. Small practices often implement reasonable security measures but fail to document them. HIPAA compliance requires written policies, documented risk assessments, training records, incident logs, and evidence of ongoing compliance activities. Without documentation, you cannot demonstrate compliance to an auditor or investigator.
Frequently Asked Questions
What is the difference between HIPAA and HITECH?
HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996 and established the Privacy, Security, and Breach Notification Rules. HITECH (Health Information Technology for Economic and Clinical Health Act) was enacted in 2009 and strengthened HIPAA by extending requirements directly to business associates, increasing penalties for violations, establishing the breach notification requirements, and promoting adoption of electronic health records. The 2013 Omnibus Rule implemented the HITECH provisions into the HIPAA regulations. In practice, when people refer to HIPAA compliance, they mean the combined HIPAA and HITECH requirements.
How often do I need to conduct a HIPAA risk assessment?
The current HIPAA Security Rule requires risk assessments to be conducted periodically without specifying an exact frequency. However, OCR guidance and enforcement practice makes clear that annual risk assessments represent the minimum expectation. The 2025 proposed Security Rule update would formally require annual risk assessments. Additionally, risk assessments should be updated whenever there are significant changes to your environment such as new technology implementations, facility changes, or security incidents.
Do I need cyber insurance for HIPAA compliance?
HIPAA does not explicitly require cyber insurance. However, it is strongly recommended and increasingly considered a standard business practice for healthcare organizations. Cyber insurance helps cover breach notification costs (typically $3 to $5 per affected individual), forensic investigation expenses, legal defense costs, regulatory fines and penalties (where insurable), credit monitoring for affected individuals, and business interruption losses. When selecting a policy, ensure it specifically covers HIPAA-related incidents and regulatory proceedings.
Is using Gmail or Outlook HIPAA compliant?
Google Workspace (which includes Gmail) and Microsoft 365 (which includes Outlook) can be HIPAA compliant, but only if you execute a BAA with Google or Microsoft, enable the HIPAA-specific security configurations they recommend, configure email encryption for messages containing PHI, and train staff on proper email handling procedures. Free consumer versions of Gmail and Outlook do not offer BAAs and cannot be used for PHI. Enterprise versions with proper configuration and BAAs are acceptable.
What is the penalty for a first-time HIPAA violation?
Penalties depend on the level of negligence, not on whether it is a first offense. A first-time violation due to lack of knowledge (Tier 1) starts at $137 per violation. A first-time violation due to willful neglect that is not corrected (Tier 4) starts at $68,928 per violation and can reach the annual maximum of $2,067,813 per violation category. OCR can and does impose substantial penalties on first-time offenders, particularly when the violation involves willful neglect or systemic failures such as never having conducted a risk assessment.
Does HIPAA apply to employee health information?
Generally, no. HIPAA applies to covered entities and their business associates, not to employers acting in their capacity as employers. Health information in employment records (sick notes, workers' compensation files, drug test results) is generally not subject to HIPAA. However, if the employer also operates a self-insured health plan, the plan component is a covered entity and the health information it processes is subject to HIPAA. Additionally, if an employer provides on-site healthcare services, the healthcare provider component must comply with HIPAA for the health information it generates.
How much does HIPAA compliance cost for a small practice?
For a small practice of 1 to 5 providers, typical annual HIPAA compliance costs include risk assessment services at $3,000 to $8,000, managed IT and security services at $1,000 to $3,000 per month, encrypted email solution at $5 to $15 per user per month, security awareness training at $500 to $2,000 per year, and policy development and documentation at $2,000 to $5,000 (first year). Total first-year costs typically range from $20,000 to $50,000, with ongoing annual costs of $15,000 to $40,000. This represents a fraction of potential breach costs, which average $10.93 million per healthcare breach according to IBM's 2024 Cost of a Data Breach Report.
HIPAA compliance is not a one-time project but an ongoing program that requires continuous attention, regular assessment, and adaptation to evolving threats and regulations. The 2025 Security Rule update will raise the bar significantly, making now the ideal time to assess your current posture and close any gaps. Petronella Technology Group provides comprehensive HIPAA compliance services including risk assessments, security implementation, policy development, training, and ongoing compliance management. Contact us for a free HIPAA readiness assessment to evaluate your compliance posture and develop a practical roadmap.
About the Author: Craig Petronella is the CEO of Petronella Technology Group, a cybersecurity and compliance firm in Raleigh, NC. With over 30 years of experience and 15 published books, Craig has helped hundreds of healthcare organizations achieve and maintain HIPAA compliance since the Security Rule took effect in 2005.