Stay HIPAA compliant while shipping product weekly
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the cornerstone US federal law governing the privacy and security of patient health information. Signed into law by President Bill Clinton, the act was originally designed to improve the portability of health insurance coverage when workers changed jobs, combat fraud and waste in healthcare, and simplify the administration of health insurance through standardized electronic transactions. Over the decades since, HIPAA has evolved into the defining US regulation for how healthcare organizations and their partners handle sensitive patient data.
At its core, the law establishes national standards that protect sensitive patient information — known as protected health information, or PHI — from unauthorized use and disclosure. Any organization that creates, receives, maintains, or transmits PHI must comply, whether that organization is a hospital, a health plan, a billing clearinghouse, or a SaaS vendor providing services to healthcare customers. The HIPAA glossary entry provides a concise definition, while this page walks through the full regulatory landscape so you understand how each HIPAA rule fits together.
Enforcement falls to the US Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). State attorneys general also have authority to bring enforcement actions under powers granted by the HITECH Act. The law applies across all 50 states and preempts weaker state privacy laws, though state laws that provide greater protection remain in force.
A brief history of HIPAA
HIPAA was enacted in 1996, but its privacy and security requirements were not finalized overnight. The act directed HHS to develop implementing regulations, and the major rules were rolled out over more than a decade.
- 1996 — Congress passes HIPAA, directing HHS to issue regulations on privacy, security, and electronic transactions.
- 2000 — The HIPAA Privacy Rule is published; it takes full effect in 2003.
- 2003 — The HIPAA Security Rule is finalized, with compliance required by 2005 for most entities.
- 2009 — The Health Information Technology for Economic and Clinical Health Act (HITECH) is signed into law as part of the American Recovery and Reinvestment Act, extending HIPAA obligations to business associates and introducing breach notification requirements.
- 2013 — The HIPAA Omnibus Rule implements HITECH and further strengthens HIPAA enforcement, fines, and patient rights.
- 2024 and beyond — HHS continues to update HIPAA guidance, most recently around cybersecurity expectations, reproductive health privacy, and the proposed modernization of the HIPAA Security Rule to reflect modern threats.
HITECH and the Omnibus Rule
The HITECH Act of 2009 was a watershed moment. Before HITECH, HIPAA obligations technically applied only to covered entities, and business associates were bound solely by contract. HITECH changed that by making business associates directly liable. It also introduced the federal Breach Notification Rule, increased civil monetary penalties, and funded the nationwide adoption of electronic health records — which dramatically expanded the volume of electronic PHI requiring protection.
The 2013 Omnibus Rule then translated HITECH into binding regulation. It extended the Privacy and Security Rules to business associates and their subcontractors, tightened the definition of a breach, strengthened individual rights to access electronic health records, and aligned the law with the Genetic Information Nondiscrimination Act (GINA). For a deeper breakdown of what changed, read HITECH and the Omnibus Rule.
Who HIPAA applies to
HIPAA applies to two broad categories of organizations: covered entities and business associates. Understanding which category your organization falls into is the first and most important step in any HIPAA compliance program.
Covered entities
A covered entity is any of the following:
- Health plans — health insurance companies, HMOs, employer-sponsored group health plans, government programs like Medicare and Medicaid, and long-term care insurers.
- Healthcare providers — hospitals, clinics, physician practices, dentists, pharmacies, psychologists, and any other provider that transmits health information electronically for billing or eligibility purposes.
- Healthcare clearinghouses — entities that process nonstandard health information into standard formats (or vice versa), such as billing services and repricing companies.
If your organization directly delivers healthcare or finances it, you are almost certainly a covered entity.
Business associates
A business associate is any person or organization that performs a function or activity on behalf of a covered entity that involves the use or disclosure of PHI. Typical business associates include cloud hosting providers, billing vendors, EHR vendors, IT service providers, analytics firms, legal counsel, accounting firms, transcription services, and SaaS platforms that process PHI on behalf of covered entities.
Most modern SaaS companies serving healthcare customers are business associates. If your product ingests, stores, processes, or transmits PHI for a covered entity, HIPAA applies to you directly — regardless of whether you consider yourself a "healthcare company." Subcontractors of business associates are themselves business associates and are bound by the same obligations. Signing a business associate agreement with every upstream and downstream partner that touches PHI is non-negotiable.
Who is not covered by HIPAA?
Not every organization that handles health information is subject to the law. Consumer wellness apps, fitness trackers, direct-to-consumer genetic testing services, employers (in their role as employers), life insurers, and schools generally fall outside its reach unless they act on behalf of a covered entity. That said, many of these organizations still face FTC oversight, state privacy laws, and customer expectations that mirror HIPAA protections.
The HIPAA Privacy Rule
The HIPAA Privacy Rule sets national standards for the protection of PHI in all forms — electronic, paper, and oral. It establishes when PHI may be used and disclosed, defines patient rights over their own health data, and imposes the minimum necessary standard on most uses and disclosures. The Privacy Rule applies to covered entities directly; since the Omnibus Rule it also binds business associates, both through their BAAs and directly for the provisions governing their own uses and disclosures of PHI.
Key Privacy Rule concepts include the Notice of Privacy Practices, patient access rights (including the right to an electronic copy of an electronic health record within 30 days, with one 30-day extension permitted), the right to request amendments and an accounting of disclosures, the minimum necessary standard, permitted uses for treatment, payment, and operations, and the authorization requirements for marketing and sale of PHI.
For a comprehensive walkthrough of the HIPAA Privacy Rule, permitted disclosures, and patient rights, read the dedicated HIPAA Privacy Rule guide. For more on the narrowly tailored access principle that governs day-to-day PHI handling, see the minimum necessary rule page.
The HIPAA Security Rule
The HIPAA Security Rule establishes the national floor for protecting electronic PHI (ePHI). While the Privacy Rule covers every form of PHI, the Security Rule is scoped to electronic data — which, in 2026, is effectively every record of clinical or financial relevance inside a modern healthcare organization.
The Security Rule organizes its requirements into three categories of safeguards. Every covered entity and business associate must implement each category based on a documented HIPAA risk analysis.
Administrative safeguards
Administrative safeguards are the policies, procedures, and organizational measures that govern your HIPAA program. They include security management processes, a designated security official, workforce training, a sanctions policy for workforce violations, access management, contingency planning, periodic evaluations, and BAAs with every downstream partner. These typically consume the most effort because they touch every corner of the business.
Physical safeguards
Physical safeguards protect the facilities, workstations, devices, and media that house ePHI. This category covers facility access controls, workstation and device controls, and media disposal. For cloud-first SaaS companies, physical safeguards increasingly translate into inherited controls from hyperscale cloud providers, but every regulated organization still needs defensible answers for the laptops, offices, and portable media its workforce uses.
Technical safeguards
Technical safeguards are the technology controls that protect ePHI and govern access to it. The Security Rule groups them under five standards: access control (unique user identification, emergency access procedures, automatic logoff, and encryption and decryption of ePHI), audit controls that record and examine activity in systems holding ePHI, integrity controls that detect improper alteration or destruction, person or entity authentication, and transmission security for ePHI in transit. Two practitioner notes: encryption is an "addressable" specification rather than a "required" one, but lost unencrypted devices are a recurring enforcement theme and encrypted data that meets HHS guidance falls outside the Breach Notification Rule entirely, so treat it as mandatory; and audit logs should record who accessed which record and fields, not the PHI values themselves, since the logs otherwise become another store of ePHI you must protect.
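The following is an added example, written for this page rather than taken from episki's product, showing how several of the technical safeguards above fit together in one access-mediation layer: every read of ePHI is attributed to a unique user ID, idle sessions are terminated (automatic logoff), the role table limits which fields a role may read, and every attempt, allowed or denied, goes into an HMAC-chained audit log whose `verify()` detects edited or deleted entries (an integrity control on the audit trail). The idle threshold, the role table, and the sample users and patient IDs are assumptions chosen for the demonstration.

```python
"""Added example (not episki's code): mediating reads of ePHI with unique user
identification, automatic logoff, audit controls and a tamper-evident audit trail.
The idle threshold, role table and sample identifiers are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

IDLE_LOGOFF_SECONDS = 15 * 60  # assumed automatic-logoff threshold

# Assumed role table: which record fields each role may read.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id"},
}


@dataclass
class Session:
    user_id: str          # unique per workforce member; shared accounts defeat attribution
    role: str
    last_activity: float  # epoch seconds of the last request on this session
    terminated: bool = False


class AuditLog:
    """Append-only audit trail. Each entry's tag is an HMAC over the previous tag and
    the entry body, so editing, deleting or reordering an entry breaks the chain.
    Entries record who touched which fields of which record, never the PHI values."""

    GENESIS = b"\x00" * 32

    def __init__(self, key: bytes) -> None:
        # In production keep this key in a KMS/HSM so that whoever can edit log
        # storage cannot also recompute valid tags.
        self._key = key
        self.entries: list[dict] = []
        self._last_tag = self.GENESIS

    def _tag(self, prev: bytes, event: dict) -> bytes:
        body = json.dumps(event, sort_keys=True).encode()
        return hmac.new(self._key, prev + body, hashlib.sha256).digest()

    def append(self, event: dict) -> None:
        tag = self._tag(self._last_tag, event)
        self.entries.append({"event": event, "tag": tag.hex()})
        self._last_tag = tag

    def verify(self) -> bool:
        """Recompute the whole chain; False means an entry was altered or removed."""
        prev = self.GENESIS
        for entry in self.entries:
            expected = self._tag(prev, entry["event"])
            if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
                return False
            prev = expected
        return True


def access_record(session: Session, patient_id: str, fields: set[str],
                  now: float, log: AuditLog) -> tuple[bool, str]:
    """Decide whether `session` may read `fields` of `patient_id` at time `now`,
    and log the attempt either way. Returns (allowed, reason)."""
    if session.terminated:
        outcome = "session_terminated"
    elif now - session.last_activity > IDLE_LOGOFF_SECONDS:
        session.terminated = True  # automatic logoff: an idle session is ended, not resumed
        outcome = "idle_logoff"
    elif not fields <= ROLE_FIELDS.get(session.role, set()):
        outcome = "fields_not_permitted"
    else:
        session.last_activity = now
        outcome = "allowed"
    log.append({"ts": now, "user": session.user_id, "role": session.role,
                "patient": patient_id, "fields": sorted(fields), "outcome": outcome})
    return outcome == "allowed", outcome


if __name__ == "__main__":
    log = AuditLog(b"demo-key")  # constructed sample key and events
    billing = Session("u-1042", "billing", last_activity=1000.0)
    print(access_record(billing, "p-7", {"name", "diagnosis"}, 1100.0, log))  # denied
    print(access_record(billing, "p-7", {"name"}, 1200.0, log))               # allowed
    stale = Session("u-2001", "clinician", last_activity=0.0)
    print(access_record(stale, "p-7", {"diagnosis"}, 2000.0, log))            # idle logoff
    print("chain intact:", log.verify())
    log.entries[0]["event"]["outcome"] = "allowed"                            # simulate tampering
    print("chain intact after edit:", log.verify())
```

Denied attempts are logged with the same care as allowed ones; during an OCR investigation or a breach risk assessment, the record of who tried to read what is often the evidence that bounds the incident.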
For a deep dive into the complete Security Rule standards, required versus addressable implementation specifications, and how to pass an OCR audit of your ePHI safeguards, read the HIPAA Security Rule guide.
The HIPAA Breach Notification Rule
The Breach Notification Rule, added by HITECH and finalized in the Omnibus Rule, requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media when unsecured PHI is breached. PHI that was encrypted or destroyed in line with HHS guidance is not "unsecured," so losing an encrypted laptop whose key was not also compromised does not trigger notification. A breach is presumed whenever PHI is used or disclosed in a way the Privacy Rule does not permit, unless the organization can demonstrate through a documented four-factor risk assessment that there is a low probability the PHI has been compromised.
Individual notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery. Business associates must notify their covered entity clients on the same 60-day outer limit, and the covered entity in turn notifies affected individuals. Breaches affecting 500 or more individuals must be reported to HHS at the same time as individual notice and are listed on the public OCR breach portal (the "Wall of Shame"); where more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must also be notified. Smaller breaches must be logged and submitted to HHS no later than 60 days after the end of the calendar year in which they were discovered.
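The timeline rules above are easy to state and easy to miss under pressure, so an incident runbook should compute the deadlines rather than leave them to memory. The following is an added example written for this page (not episki's code) that turns the discovery date and breach facts into a dated plan; the `Breach` field names and the sample breaches are assumptions, and the `unsecured` flag stands in for the encryption safe-harbor determination, which is a judgement the example does not make for you.

```python
"""Added example (not episki's code): Breach Notification Rule deadlines from the
discovery date. Field names and sample breaches are assumptions for the demo."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

OUTER_LIMIT = timedelta(days=60)  # "in no case later than 60 calendar days"


@dataclass
class Breach:
    discovered: date
    individuals: int
    residents_by_state: dict[str, int]  # affected residents per state/jurisdiction
    unsecured: bool      # False only if PHI was encrypted/destroyed per HHS guidance
    as_business_associate: bool  # True when we hold the PHI for a covered entity


def notification_plan(b: Breach) -> dict[str, date]:
    """Return each required notification with its latest permitted date."""
    plan: dict[str, date] = {}
    if not b.unsecured:
        return plan  # secured PHI is outside the Rule; document the determination
    outer = b.discovered + OUTER_LIMIT
    if b.as_business_associate:
        # A BA notifies the covered entity; the CE handles individuals, HHS and media.
        # If the BA is the CE's agent, the CE's own clock runs from the BA's discovery.
        plan["covered_entity"] = outer
        return plan
    plan["individuals"] = outer
    if b.individuals >= 500:
        plan["hhs"] = outer  # contemporaneously with individual notice
    else:
        year_end = date(b.discovered.year, 12, 31)
        plan["hhs_annual_log"] = year_end + OUTER_LIMIT
    for state, count in b.residents_by_state.items():
        if count > 500:
            plan[f"media_{state}"] = outer
    return plan


if __name__ == "__main__":
    # Constructed sample: small breach discovered late in the year.
    small = Breach(date(2024, 11, 15), 120, {"TX": 120}, unsecured=True, as_business_associate=False)
    print(notification_plan(small))
    # Constructed sample: large breach concentrated in one state.
    large = Breach(date(2024, 3, 1), 2300, {"CA": 1800, "NV": 500}, unsecured=True, as_business_associate=False)
    print(notification_plan(large))
```

Note the two edge cases the code handles that a spreadsheet often gets wrong: the annual-log deadline is 60 days after the calendar year ends, not 60 days after discovery (a breach found on 20 December lands in a February deadline, and on a leap-year 29 February at that), and the media threshold is "more than 500 residents of one state," which is not the same test as the 500-individual HHS threshold.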
For full details on timelines, content requirements, and documentation expectations, see the HIPAA Breach Notification Rule guide.
Business associate agreements
No PHI should ever leave a covered entity — or a business associate — without a properly executed BAA in place. A business associate agreement is a legally binding contract that defines permitted uses and disclosures of PHI, requires implementation of appropriate safeguards, obligates breach notification, mandates BAA flow-down to subcontractors, and establishes termination rights when a business associate violates the agreement.
In practice, BAA management is one of the most common HIPAA failure modes for growing SaaS companies. Deals close, engineering ships, and PHI starts flowing before legal has countersigned the BAA — creating exposure for both sides. A disciplined BAA intake process, a BAA repository with renewal reminders, and clear ownership of vendor risk are table stakes for any serious compliance program.
HIPAA compliance checklist
Translating the regulatory language into day-to-day operations is where most programs struggle. The HIPAA compliance checklist walks through every major obligation — from assigning a security official through finalizing your Notice of Privacy Practices — as a sequenced program of work.
At a high level, a complete HIPAA program includes:
- A current risk analysis and documented risk management plan.
- Written policies and procedures covering Privacy, Security, and Breach Notification obligations.
- A signed BAA with every vendor, subcontractor, and customer that exchanges PHI.
- Workforce training at hire and at least annually thereafter, with documented completion.
- Access control, audit logging, encryption, and contingency planning for every system that touches ePHI.
- An incident response runbook aligned to the Breach Notification Rule.
- Documentation retained for at least six years from creation or last effective date, whichever is later.
HIPAA risk analysis
Every HIPAA Security Rule program begins with a risk analysis. Under 45 CFR §164.308(a)(1)(ii)(A), covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. HHS has repeatedly stated that a missing or superficial risk analysis is among the most common findings in OCR enforcement actions.
A defensible risk analysis inventories every system that creates, receives, maintains, or transmits ePHI, identifies threats and vulnerabilities affecting each system, measures the likelihood and impact of each risk, and feeds directly into the Security Management Process that prioritizes mitigation. Most mature programs align their methodology to NIST Special Publication 800-30, which OCR cites favorably.
For a full breakdown of methodology, documentation requirements, and common pitfalls, read the HIPAA risk analysis guide.
Penalties and enforcement
Enforcement is administered by OCR, with parallel criminal enforcement authority held by the Department of Justice and civil enforcement authority held by state attorneys general. HIPAA penalties are tiered by culpability.
- Tier 1 — Unknowing violation — $100 to $50,000 per violation; annual cap $25,000 for identical violations.
- Tier 2 — Reasonable cause — $1,000 to $50,000 per violation; annual cap $100,000.
- Tier 3 — Willful neglect, corrected — $10,000 to $50,000 per violation; annual cap $250,000.
- Tier 4 — Willful neglect, uncorrected — $50,000 per violation; annual cap $1.5 million per violation category.
The per-violation amounts and annual caps above are the baseline figures from HHS's 2019 Notice of Enforcement Discretion; they are adjusted annually for inflation, so the amounts published in the current year are higher. Criminal penalties can reach $250,000 and 10 years of imprisonment for offenses involving intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
OCR enforcement tends to cluster around predictable themes: missing or inadequate risk analyses, lost unencrypted devices, failure to terminate workforce access, insufficient BAAs, delayed breach notifications, and refusal to provide patient access to records. Organizations that can demonstrate a mature, well-documented program — with evidence of ongoing risk analysis, training, and monitoring — consistently receive more favorable resolutions.
HIPAA vs HITECH vs HITRUST
These three acronyms sit close together in healthcare conversations and are often conflated. They are related but distinct.
- HIPAA is the underlying federal law and its implementing regulations (Privacy, Security, Breach Notification, and Enforcement Rules). HIPAA defines the legal obligations.
- HITECH is a 2009 federal law that strengthened HIPAA — extending it to business associates, introducing breach notification, increasing penalties, and funding EHR adoption. HITECH is part of HIPAA's regulatory stack, not a separate framework.
- HITRUST is a private-sector certification maintained by the HITRUST Alliance. The HITRUST CSF is a control framework that maps HIPAA, NIST, ISO 27001, PCI DSS, and other standards into a single certifiable set of controls. HITRUST is a common way to demonstrate HIPAA compliance to sophisticated healthcare customers, but HITRUST certification is not itself required by HIPAA.
A healthcare SaaS company might pursue HITRUST CSF certification as a commercial asset while its underlying legal obligation remains HIPAA compliance under HITECH-amended rules.
HIPAA and SOC 2
Many SaaS companies pursue SOC 2 alongside HIPAA. The two frameworks complement each other: SOC 2 evaluates security, availability, confidentiality, processing integrity, and privacy trust services criteria, while HIPAA is a statutory requirement for handling PHI. A well-designed control environment can satisfy both with substantial overlap.
Getting HIPAA compliant
The most successful HIPAA programs treat compliance as a continuous operating rhythm rather than a once-a-year scramble. A typical rollout for a SaaS company serving healthcare customers looks like this.
- Confirm your status as a covered entity, business associate, or both, and inventory the PHI you handle today.
- Appoint a security official and a privacy official (the same person may hold both roles at small companies).
- Conduct a risk analysis scoped to every system that creates, receives, maintains, or transmits ePHI.
- Implement the administrative, physical, and technical safeguards required by the Security Rule, informed by your risk analysis.
- Draft and publish policies and procedures covering Privacy, Security, and Breach Notification obligations.
- Execute BAAs with every vendor that touches PHI, and require a signed BAA before onboarding any new customer that qualifies as a covered entity.
- Deliver workforce training at hire and annually thereafter, and document completion.
- Stand up an incident response runbook aligned to the Breach Notification Rule.
- Operate the program: review access quarterly, test contingency plans at least annually, refresh your risk analysis whenever material change occurs, and retain documentation for at least six years.
For companies operating in the broader healthcare industry, HIPAA is rarely the only regulation in scope. State privacy laws, the 21st Century Cures Act, FDA software-as-a-medical-device requirements, and payor-specific security reviews often run in parallel — which is why most compliance programs are built into a broader GRC operating model.
How episki helps with HIPAA compliance
episki is the HIPAA compliance platform for healthtech teams that need to ship fast without losing control of PHI. We map Privacy, Security, and Breach Notification obligations directly to your systems, automate evidence collection for every safeguard, manage BAAs across your vendor ecosystem, and keep risk analyses current as your stack evolves.
Our platform was designed by practitioners who have led HIPAA programs at healthcare organizations and audited them as consultants. The result is a workspace that makes it obvious what is done, what is due, and what is drifting — so you can spend less time reconstructing evidence the week before a customer audit and more time building product. Read the HIPAA for healthtech playbook for a closer look at how modern SaaS companies operate HIPAA at startup speed.
Ready to tighten your HIPAA program? Start a free trial or book a demo from the top of this page.
HIPAA outcomes with episki
Why teams choose episki for HIPAA
- Assign compliance, engineering, and ops leads to each safeguard
- Playbooks explain what “good” looks like for each requirement
- Timeline view keeps renewals and reviews on schedule
- Granular permissions for internal and external reviewers
- Automated retention and deletion policies
- Download tracking and access audit trails
- BAA repository tied to vendor risk levels
- Incident response runbooks with reminders
- Post-incident reports aligned to HIPAA timelines
HIPAA launch kit
Plug episki into your stack and work directly from this checklist during the free trial.
- ✓ Safeguard library with ownership matrix
- ✓ Evidence tracking for access logs and configs
- ✓ BAA tracker with renewal reminders
- ✓ Incident and breach response templates
- ✓ Stakeholder portal with PHI redaction controls