
HIPAA Compliance Requirements 2026: A Complete Guide

Unauthorized access to sensitive data causes financial and reputational damage to both individuals and businesses in the healthcare industry. Here are two recent cases that illustrate the point.

In January 2025, Northeast Surgical Group, P.C. paid almost $10,000 to resolve a HIPAA investigation related to a ransomware attack. In April 2023, business associates in the USA disclosed 13 breach incidents that affected approximately 4,077,019 patients.

These incidents and penalties highlight a major regulatory problem: violation of HIPAA rules. Healthcare organizations should therefore understand the HIPAA regulations and build checklists to implement them.

In this guide you will learn which HIPAA requirements you must follow to avoid non-compliance penalties, which rules are mandatory, and how to work through a step-by-step compliance checklist. So, let’s get started.

What Are HIPAA Compliance Requirements?

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a United States (US) federal law passed in 1996 to protect Protected Health Information (PHI).

Who enforces HIPAA?

The Office for Civil Rights (OCR) enforces HIPAA compliance and the Department of Health and Human Services (HHS) regulates it. 

What is PHI?

PHI refers to any verbal, electronic or physical information that is generated, stored, or shared during healthcare delivery. It includes medical records, diagnoses, treatment details, billing data, and personal identifiers such as Social Security numbers and medical record numbers.

What are HIPAA requirements?

HIPAA compliance requirements include the rules and regulations that organizations must follow to protect PHI. These requirements mainly include complying with the following rules:

  • HIPAA Security Rule

The Security Rule contains security measures to safeguard the availability, confidentiality, and integrity of patients’ electronic Protected Health Information (ePHI).

  • Breach Notification Rule

If there is a breach involving PHI, you have to abide by the Breach Notification Rule. This means you have to inform HHS, the affected patients, and in some cases the media. A breach occurs when PHI is used or disclosed in a way that violates the HIPAA Privacy Rule and compromises the security or privacy of the information.

  • HIPAA Omnibus Rule

The HIPAA Omnibus Rule, passed in 2013, broadens the application of HIPAA, particularly with respect to business associate relationships. It strengthens patient privacy and security. Furthermore, the Omnibus Rule makes business associates directly accountable for HIPAA compliance and clarifies earlier regulations to improve patient control and data protection.

  • HIPAA Enforcement Rule

This rule, added to HIPAA in 2006, gives the HHS Office for Civil Rights (OCR) the power to investigate covered entities and business associates for HIPAA violations, such as ePHI breaches, inadequate security measures, and non-compliance with the Privacy Rule.


But how can you determine whether you need to follow HIPAA rules? Here is the answer.

Determining If You're Required to Comply with HIPAA

Any institution, business, or individual involved in processing PHI is required to comply with HIPAA. Below is a list of the entities that must follow HIPAA rules.

1. Covered Entities

Individuals or organizations who directly handle PHI are considered HIPAA covered entities. These entities include health service providers such as:

  • Hospitals, doctors and pharmacies
  • Nursing homes
  • Health insurance companies
  • Health maintenance organizations (HMOs)
  • Health care clearinghouses
  • Employer-sponsored health plans

2. Business Associates

Business associates are people or organizations who carry out specific tasks on behalf of a covered entity or offer specific services that involve the use of PHI. 

3. Channel Partner

Organizations that support, integrate, or resell healthcare technology or services that might involve PHI are known as channel partners.

4. Cybersecurity Firms

Cybersecurity compliance consulting firms that collaborate with healthcare institutions frequently deal with extremely sensitive PHI. So, HIPAA compliance is required even for short-term or indirect access to PHI.

Now, you have gained insights into who is required to follow the HIPAA requirements, let’s discuss the rules in detail. 

HIPAA Privacy Rule Requirements

Required Privacy Practices

The Privacy Rule requires you to: 

  • Inform patients about their privacy rights and how their data is used.
  • Establish privacy policies and teach staff members to abide by them.
  • Assign an employee to ensure that privacy procedures are adopted and adhered to.
  • Protect patient records so that unauthorized people can’t easily access them.
  • Implement reasonable administrative and physical safeguards.
  • Designate a Privacy Officer responsible for overseeing compliance with privacy requirements.

However, healthcare providers can share patient information with other healthcare professionals for treatment, as long as appropriate safeguards are in place. Moreover, providers can also share limited information with family members, friends, or others involved in the patient’s care. 

Incidental Disclosures

Policies that safeguard PHI and restrict its usage and sharing are essential. However, even if you are adhering to HIPAA regulations, you may not always be able to prevent incidental disclosures.

For instance, a hospital visitor may see a patient’s name on a sign-in sheet or overhear a doctor and nurse having a private conversation. If you take precautions to protect patient privacy wherever possible, these incidental disclosures won’t be considered HIPAA violations.

HIPAA Security Rule Requirements

To comply with the security rule, organizations must implement:

Required Administrative Safeguards

The first thing to look at is the security officer designation. Organizations must designate a person who oversees the development, implementation, and supervision of HIPAA Security Rule compliance. Apart from that, the administrative measures include the following:

1. Security Management Process

Organizations must establish a security management process to ensure the confidentiality, availability, and integrity of all ePHI.

2. Information Access Management

Access to ePHI must be granted only to authorized members to enhance workforce security. Moreover, give role-based access to data, so that users can only access the data that is required based on their position.

3. Security Awareness and Training

The most common attack method in US healthcare cyberattacks is phishing. According to the 2021 HIMSS Healthcare Cybersecurity Survey, the most significant security events were caused by ransomware attacks and phishing, with 57% of respondents stating that phishing was the cause of their most significant security incident. Therefore, train employees to manage passwords properly and to recognize phishing scams.

4. Contingency Plan

Plans for data backup, disaster recovery, and emergency operations must be in place to guarantee ongoing access to ePHI during emergencies.

5. Evaluation Procedure

Routinely assess operations, threats, and changes in technology to make sure that everything is in place, then make improvements based on that evaluation report.

Required Physical Safeguards

To protect patients’ electronic data, businesses and healthcare providers must implement the following practices.

  • Establish facility access controls to ensure that unauthorized persons cannot reach the systems.
  • Define policies for the use of workstations that access ePHI, including location, usage, and security responsibilities.
  • Maintain device and media controls covering the receipt, transportation, and reuse of equipment.
  • Implement physical measures to prevent unauthorized access to offices and screens for better workstation security.

Next, let’s check the technical preventive measures that you must take for securing data.

Required Technical Safeguards

Administrative and physical safeguards do not by themselves stop someone who tries to access the system electronically, so you must also put strict technical controls in place. Follow these guidelines:

  • Implement access controls with unique user IDs, role-based access and passwords. Make sure you have established an access procedure for emergency situations.
  • Implement audit controls that record and allow review of activity involving ePHI, to detect misuse and maintain integrity.
  • Protect ePHI while it is transmitted electronically (transmission security).
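To show how the three technical controls above fit together in code, here is an added illustration; it is not code from the page and does not describe any specific product. It implements role-based access to ePHI with unique user IDs, a "minimum necessary" check that clinical staff can only read records of patients assigned to them, an emergency (break-glass) read path that always requires a stated reason and is flagged for review, and an audit log that records every decision, permitted or not. All user IDs, roles, record numbers and patient data are constructed sample values.

```python
"""Role-based ePHI access with mandatory audit logging and break-glass emergency access.

Added illustration, not code from the page. User IDs, roles, record identifiers and
patient data below are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> actions that role may perform. Constructed example policy.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},
}

# Clinical staff may only access records of patients assigned to them (minimum necessary).
ASSIGNMENTS = {"dr_lee": {"MRN-0001"}, "rn_park": {"MRN-0001"}}

# Constructed sample ePHI records, split so billing staff never receive clinical data.
RECORDS = {
    "MRN-0001": {"clinical": {"diagnosis": "hypertension", "notes": "follow-up in 6 weeks"},
                 "billing": {"insurer": "ExampleCare", "balance": 120.0}},
    "MRN-0002": {"clinical": {"diagnosis": "asthma", "notes": "inhaler renewed"},
                 "billing": {"insurer": "ExampleCare", "balance": 0.0}},
}


@dataclass
class AuditEvent:
    timestamp: str
    user_id: str
    role: str
    record_id: str
    action: str
    outcome: str  # "permitted", "denied" or "emergency"
    reason: str = ""


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, **fields) -> AuditEvent:
        ev = AuditEvent(timestamp=datetime.now(timezone.utc).isoformat(), **fields)
        self.events.append(ev)
        return ev

    def for_review(self) -> list:
        """Denied and emergency events are the ones a security officer should review."""
        return [e for e in self.events if e.outcome != "permitted"]


def _slice(record_id: str, action: str) -> dict:
    """Return only the part of the record the action is entitled to."""
    rec = RECORDS[record_id]
    return rec["billing"] if action == "read_billing" else rec["clinical"]


def access_record(user_id, role, record_id, action, log, emergency_reason=None):
    """Return the data the caller may see, or None if access is denied.

    Every decision is written to the audit log with the unique user ID. Break-glass:
    a clinician may read a record of a patient not assigned to them only with a stated
    reason, and that access is logged as "emergency" for follow-up review.
    """
    def audit(outcome, reason=""):
        log.record(user_id=user_id, role=role, record_id=record_id,
                   action=action, outcome=outcome, reason=reason)

    if record_id not in RECORDS:
        audit("denied", "unknown record")
        return None
    if action not in ROLE_PERMISSIONS.get(role, set()):
        audit("denied", "role lacks permission")
        return None
    clinical_action = action in ("read", "write")
    if clinical_action and record_id not in ASSIGNMENTS.get(user_id, set()):
        if action == "read" and emergency_reason:
            audit("emergency", emergency_reason)
            return _slice(record_id, action)
        audit("denied", "patient not assigned to user")
        return None
    audit("permitted")
    return _slice(record_id, action)


if __name__ == "__main__":
    log = AuditLog()
    print(access_record("dr_lee", "physician", "MRN-0001", "read", log))
    print(access_record("rn_park", "nurse", "MRN-0002", "read", log, emergency_reason="code blue in ED"))
    print(access_record("acct_kim", "billing", "MRN-0001", "read", log))
    for ev in log.for_review():
        print(ev.outcome, ev.user_id, ev.record_id, ev.reason)
```

The point of the design is that the audit log is written inside the access function, so there is no code path that returns ePHI without leaving a record, and the emergency path is deliberately narrower than routine access (read only, reason required, flagged) so that a reviewer can later judge whether the override was justified.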


That covers the Security Rule. So far we have discussed two of the HIPAA rules; now let’s look at the third:

Breach Notification Rule 

Required Breach Assessment

Any unauthorized use or disclosure of PHI is regarded as a breach unless there is a low probability that the PHI has been compromised. To conduct the risk assessment, determine:

  • The kind of PHI involved
  • The identifiers present and the likelihood that a patient’s identity could be exposed
  • Who obtained or used the PHI without authorization
  • Whether anyone actually viewed or retained the PHI
  • What actions you took to lower the risk after the incident

Document these factors and your conclusions as part of the risk assessment.

Required Breach Notifications

Most breaches must be reported to the authorities as soon as possible and no later than 60 days after the breach is discovered. Minor breaches affecting fewer than 500 patients can be reported to HHS annually. Additionally, your business associates must notify you of any breach at or by the business associate, in accordance with the Breach Notification Rule.

Required Business Associate Agreements (BAAs)

A Business Associate Agreement (BAA) is a formal contract between a covered entity and a business associate. It defines each party’s responsibilities for protecting PHI and ensures compliance with HIPAA regulations. Failure to have a valid BAA is one of the most common HIPAA violations identified in OCR audits.

Here are the BAA requirements:

  • The agreement must clearly define how the business associate can use PHI.
  • The business associate must implement administrative, physical, and technical safeguards to protect ePHI.
  • If a business associate violates HIPAA or the agreement, the contract must define termination procedures and steps for handling PHI upon termination.
  • The BAA must include procedures for reporting security incidents or breaches promptly to the covered entity.

If a business associate mishandles PHI, both the covered entity and the associate may face civil penalties or corrective action.

Step-by-Step HIPAA Compliance Requirements Checklist

Your organization must prepare a comprehensive HIPAA compliance checklist to make sure you have all the information in one place. Below, we have compiled a checklist that you can follow to avoid HIPAA penalties.

Step 1 – Determine Applicability

The very first step is to determine whether you fall under covered entities, business associates, channel partners or cybersecurity firms. Read the definitions above and check which one applies to your business. Learn what PHI is, how the information can be used and shared, and when patient consent is needed.

Step 2 – Designate Required Officers

As mentioned above, designate a HIPAA Privacy Officer and a Security Officer. In larger companies, it is preferable to assign the security role to an IT team member.

Step 3 – Conduct Required Risk Analysis

Identify every kind of PHI managed by the company and carry out a risk analysis to assess threats and vulnerabilities to that PHI. Consider both physical and electronic risks. Then verify that the administrative, physical, and technical safeguards discussed above in this blog are in place to protect PHI.

Step 4 – Develop Required Policies and Procedures

Create a procedure for routinely reviewing and updating compliance guidelines to reflect the most recent changes in regulations. Write HIPAA-compliant policies and procedures that cover patient rights, incident response, security, privacy, and access control. The way your company really manages PHI must be reflected in these policies.

Step 5 – Implement Required Safeguards

As we have discussed above the required safeguards to stay HIPAA compliant are of three types: administrative, technical and physical. So, read those guidelines and make sure you follow and implement them clearly. 

Step 6 – Execute Required Business Associate Agreements

Covered entities must make sure they have BAAs in place with third-party providers that handle PHI on their behalf. A BAA commits vendors to following the privacy and security rules. An organization without a BAA is responsible for any breaches caused by its vendors. So, make sure to add this item to your checklist.

Step 7 – Conduct Required Workforce Training

Employees who participate in a HIPAA training and awareness program must understand security procedures, privacy regulations, and their role in safeguarding patient data. HIPAA training by HIPAA compliance consultants is a crucial part of the compliance checklist as it helps firms avoid violations, financial and criminal penalties, and reputational harm.

Step 8 – Establish Required Breach Response Procedures

To comply with HIPAA regulations, you must set rules for breach notification. Business associates must notify covered entities of any PHI breach that takes place at or by the business associate, in accordance with HIPAA’s Breach Notification Rule.

Additionally establish procedures to report security incidents, such as attempted or successful unauthorized access, use, disclosure, alteration, or destruction of PHI.

Step 9 – Implement Required Documentation System

All of your HIPAA-related compliance actions must be carefully documented. Everything from initial steps to audit evaluations to mitigation measures must be recorded in a log. In general, HIPAA documentation requirements consist of the following:

  • Policies and procedures
  • Written or digital copies of communications
  • Any actions, designations, or activities that call for written or electronic records

Step 10 – Establish Required Evaluation Process

Regularly evaluate and update HIPAA compliance measures to address changes in technology, operations, and risk. Continuous monitoring ensures ongoing compliance rather than one-time implementation. 


Final Thoughts

By now, you should understand how important it is for organizations dealing with protected health information to comprehend and implement the Privacy, Security and Breach Notification Rules. By following the guidelines discussed in this blog, organizations can build a sustainable compliance program.

We understand that meeting HIPAA regulations can be overwhelming. That’s why we are here to help. FortnexShield assists healthcare organizations, business associates, and cybersecurity partners in protecting ePHI and meeting regulatory requirements. So, what are you waiting for? Schedule an appointment now and discuss your queries with us today.


What are the main HIPAA compliance requirements?

The main HIPAA compliance requirements include following the privacy, security, breach notification, omnibus and enforcement rules. Here is a brief overview of each:

  • Privacy Rule: Protects patients’ medical information and limits how it can be used or shared.
  • Security Rule: Requires safeguards to protect electronic health information.
  • Breach Notification Rule: This rule requires notifying affected individuals and authorities after a data breach.
  • Safeguards: Administrative, physical, and technical security measures that protect data.
  • Business Associate Agreements (BAAs): These are the contracts with third parties that handle protected health information.

How often is HIPAA training required?

Most organizations conduct annual refresher training to maintain compliance and cover updates. However, HIPAA does not specify a training interval. Organizations must provide awareness training to newly joined team members, and training must also be held when policies or procedures change, especially if the changes affect an employee’s role.

Do small organizations have to comply with HIPAA?

Yes. Small organizations must comply with HIPAA if they are covered entities or business associates, regardless of size.

Is encryption mandatory under HIPAA?

It’s not a mandatory requirement; it is classified as an addressable implementation specification. This means organizations are expected to implement it, or document an equivalent alternative, to protect electronic PHI.

How long must records be retained under HIPAA?

No, HIPAA does not set a specific retention period for medical records. However, it requires covered entities and business associates to retain compliance documentation for at least 6 years from its creation or last effective date. This is specified by HIPAA’s record-retention regulation (45 CFR §164.316(b)(2)(i)).

What is required when a breach occurs?

When a covered entity has a HIPAA breach, it is required to notify the affected individuals as soon as possible and within 60 days of discovery. Breaches affecting 500 or more people must be reported to the U.S. Department of Health and Human Services (HHS) without unreasonable delay, while smaller breaches can be reported annually. If 500 or more residents of a state or region are affected by the breach, the media must be notified as well.

Is HIPAA compliance mandatory for business associates?

Yes, HIPAA compliance is mandatory for business associates. They are directly responsible for violations of the HIPAA Security Rule, specific aspects of the Privacy Rule, and the Breach Notification Rule.

What safeguards does the HIPAA Security Rule require?

Under the HIPAA Security Rule, covered entities and business associates must implement three types of safeguards:

  • Administrative safeguards: Policies, workforce training, risk analysis, and access management.
  • Physical safeguards: Facility access controls, device security, and workstation protection.
  • Technical safeguards: Access controls, encryption (addressable), audit controls, and secure transmission of electronic PHI.

What must a Business Associate Agreement include?

A Business Associate Agreement (BAA) must require the business associate to:

  • Protect PHI in compliance with HIPAA rules.
  • Use PHI only as allowed by the contract.
  • Report breaches of unsecured PHI to the covered entity.
  • Ensure subcontractors also comply with HIPAA.
  • Terminate the agreement if the associate violates HIPAA.