Your medical records contain some of the most sensitive information about you — what conditions you have been diagnosed with, what medications you take, your mental health history, and even your genetic data. If this information got into the wrong hands, it could be used to deny you insurance, embarrass you, or even steal your identity.
That is why HIPAA exists. The Health Insurance Portability and Accountability Act is the federal law that protects your health information. And the HIPAA Security Rule specifically focuses on keeping your electronic health data safe from hackers, leaks, and unauthorized access.
But here is the problem: healthcare is under massive attack. In 2024 alone, over 133 million patient records were exposed in data breaches — a record high. The Change Healthcare breach alone affected 100 million people. Hospitals, clinics, and health tech companies are prime targets because medical records sell for up to $1,000 each on the dark web — far more than credit card numbers.
This guide explains the HIPAA Security Rule in plain language, whether you work in healthcare, are studying for a career in it, or just want to understand how your health data is supposed to be protected.
What Is the HIPAA Security Rule?
The HIPAA Security Rule is a set of federal standards that requires healthcare organizations to protect electronic Protected Health Information (ePHI) — any health information stored or transmitted electronically that can identify a specific person.
The Security Rule has three main categories of safeguards:
- Administrative Safeguards — Policies, procedures, and training for staff
- Physical Safeguards — Physical access controls for buildings, servers, and devices
- Technical Safeguards — Technology-based protections like encryption, access controls, and audit logs
Each safeguard includes both required specifications (must be implemented) and addressable specifications (must be implemented OR documented with an equivalent alternative if the standard is not reasonable for your organization).
Who Must Comply with HIPAA?
HIPAA applies to two main groups:
Covered Entities
- Healthcare providers — Doctors, dentists, hospitals, clinics, pharmacies, nursing homes — anyone who transmits health information electronically
- Health plans — Insurance companies, HMOs, Medicare, Medicaid
- Healthcare clearinghouses — Companies that process health information between providers and payers
Business Associates
Any company that handles PHI on behalf of a covered entity is a business associate and must also comply with HIPAA. This includes:
- Cloud storage providers (like AWS, Google Cloud, Microsoft Azure — when storing ePHI)
- IT service providers and managed security services
- Billing and coding companies
- EHR (Electronic Health Record) vendors
- Telehealth platform providers
- Shredding and disposal companies
Every business associate must sign a Business Associate Agreement (BAA) that specifies exactly how they will protect PHI. Without a BAA in place, sharing PHI with a vendor is itself a HIPAA violation.
HIPAA Risk Assessment: The Foundation of Everything
A risk assessment is the single most important part of HIPAA compliance — and the first thing OCR (Office for Civil Rights) checks during an audit or investigation. If you have not done a risk assessment, you are almost certainly not HIPAA compliant.
How to Conduct a HIPAA Risk Assessment
- Identify all ePHI — Map where all electronic health data lives in your organization (servers, laptops, emails, cloud, mobile devices, paper that gets scanned)
- Identify threats — What could go wrong? (Hackers, ransomware, lost laptops, employee mistakes, natural disasters, insider threats)
- Assess vulnerabilities — Where are the weaknesses? (Unencrypted devices, weak passwords, no MFA, untrained staff, unpatched software)
- Evaluate current controls — What protections do you already have?
- Determine risk levels — Rate each threat/vulnerability combination as low, medium, or high risk
- Create a remediation plan — Document how and when you will address each identified risk
- Document everything — Your risk assessment must be written and retained for at least 6 years
Risk assessments should be conducted at least annually and whenever significant changes occur (new systems, new business associates, security incidents, organizational changes).
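The seven steps above can be kept as a small, reviewable risk register rather than a spreadsheet nobody updates. The following Python is an added illustration, not part of this guide: the asset names, the threat/vulnerability pairings, the 1-3 likelihood and impact scores and the 6/3 rating thresholds are constructed assumptions, and your own register should use whatever scale your organization has documented.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Added example: a minimal risk register following the seven steps above.
# Asset names, threat list, scores, thresholds and dates are constructed
# assumptions for illustration only.


@dataclass
class Asset:
    """Step 1: one place where ePHI lives, with the controls already present."""
    name: str
    encrypted: bool
    mfa_enforced: bool
    patched: bool
    backed_up: bool


@dataclass
class Risk:
    asset: str
    threat: str            # step 2: what could go wrong
    vulnerability: str     # step 3: the weakness that makes it possible
    likelihood: int        # 1 (rare) .. 3 (likely)
    impact: int            # 1 (minor) .. 3 (severe)
    controls: list[str] = field(default_factory=list)  # step 4: existing controls
    remediation: str = ""                               # step 6: planned fix
    target_date: date | None = None                     # step 6: when

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        """Step 5: collapse the 1..9 score into low / medium / high (assumed thresholds)."""
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


def identify_risks(assets: list[Asset]) -> list[Risk]:
    """Steps 2-4: derive threat/vulnerability pairs from the inventory.

    Existing controls lower the score: tested backups reduce the impact of
    ransomware from severe to moderate in this constructed scale.
    """
    risks: list[Risk] = []
    for a in assets:
        if not a.encrypted:
            risks.append(Risk(a.name, "lost or stolen device", "ePHI stored unencrypted",
                              likelihood=2, impact=3))
        if not a.mfa_enforced:
            risks.append(Risk(a.name, "credential phishing", "no MFA on login",
                              likelihood=3, impact=3))
        if not a.patched:
            controls = ["tested backups"] if a.backed_up else []
            risks.append(Risk(a.name, "ransomware", "unpatched software",
                              likelihood=2, impact=2 if a.backed_up else 3,
                              controls=controls))
    return risks


def remediation_plan(risks: list[Risk]) -> list[Risk]:
    """Step 6: order the register so the highest risks are addressed first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def document(risk: Risk, remediation: str, due_iso: str) -> Risk:
    """Step 7: record how and by when a risk will be addressed."""
    risk.remediation = remediation
    risk.target_date = date.fromisoformat(due_iso)
    return risk


def undocumented(risks: list[Risk]) -> list[Risk]:
    """Step 7 check: every medium or high risk must carry a remediation and a date."""
    return [r for r in risks
            if r.level != "low" and (not r.remediation or r.target_date is None)]


# Constructed inventory for the example run.
SAMPLE_ASSETS = [
    Asset("clinic laptop fleet", encrypted=False, mfa_enforced=True, patched=True, backed_up=True),
    Asset("EHR web portal", encrypted=True, mfa_enforced=False, patched=True, backed_up=True),
    Asset("billing server", encrypted=True, mfa_enforced=True, patched=False, backed_up=True),
]

if __name__ == "__main__":
    register = remediation_plan(identify_risks(SAMPLE_ASSETS))
    for r in register:
        print(f"{r.level:6} {r.score} {r.asset}: {r.threat} via {r.vulnerability}")
    print("still undocumented:", [r.asset for r in undocumented(register)])
```

The `undocumented` check is the piece worth automating: it turns "document everything" into a test that fails until every medium or high risk has an owner-approved remediation and a target date, which is exactly what an investigator asks to see.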
HIPAA Breach Notification Rule
When a data breach involving PHI occurs, HIPAA's Breach Notification Rule dictates exactly who must be notified and how quickly:
| Who to Notify | When | How |
|---|---|---|
| Affected individuals | Within 60 days of discovery | Written letter to last known address (email if agreed) |
| HHS Secretary | Within 60 days (500+ records); annually (under 500) | Online form at HHS breach portal |
| Media | Within 60 days (500+ in a single state/jurisdiction) | Press release to major media outlets in affected area |
Breaches affecting 500 or more individuals are posted publicly on the HHS "Wall of Shame" — a searchable online database at ocrportal.hhs.gov. This public shaming often causes more reputational damage than the fines themselves.
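An incident response team should be able to read the obligations straight off the breach facts rather than rediscovering the table under pressure. The Python below is an added example and not part of this guide or any HHS tooling: it encodes the 60-day window and the 500-individual thresholds from the table above as a planning aid, treats the under-500 HHS report as an annual log entry (an assumption; the exact annual filing deadline is not given on this page) and is not legal advice.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Added example: notification obligations derived from the table above.
# The windows and thresholds mirror the table; the "annual log" handling
# for under-500 breaches is an assumption for planning purposes.
NOTIFY_WINDOW_DAYS = 60               # outer limit; notify without unreasonable delay
HHS_IMMEDIATE_THRESHOLD = 500         # at or above this, HHS is notified within the window
MEDIA_THRESHOLD_PER_JURISDICTION = 500


@dataclass
class Breach:
    discovered: date
    # Affected individuals per state/jurisdiction, e.g. {"CA": 1200, "NV": 40}
    affected_by_jurisdiction: dict[str, int] = field(default_factory=dict)

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_jurisdiction.values())


@dataclass
class Obligation:
    recipient: str
    deadline: date | None   # None means "include in the annual log submission"
    method: str


def notification_obligations(breach: Breach) -> list[Obligation]:
    """Who must be told, by when, and how, for one breach."""
    deadline = breach.discovered + timedelta(days=NOTIFY_WINDOW_DAYS)
    obligations = [
        Obligation("affected individuals", deadline,
                   "written letter to last known address (email if agreed)"),
    ]
    if breach.total_affected >= HHS_IMMEDIATE_THRESHOLD:
        obligations.append(Obligation("HHS Secretary", deadline, "HHS breach portal"))
    else:
        obligations.append(Obligation("HHS Secretary", None,
                                      "annual log via HHS breach portal (assumed)"))
    # Media notice is per jurisdiction, so a breach can cross the 500 line
    # in one state without doing so in another.
    for jurisdiction, count in sorted(breach.affected_by_jurisdiction.items()):
        if count >= MEDIA_THRESHOLD_PER_JURISDICTION:
            obligations.append(Obligation(f"media ({jurisdiction})", deadline,
                                          "press release to major outlets in the area"))
    return obligations


def days_remaining(breach: Breach, today: date) -> int:
    """Days left in the 60-day window; negative means the deadline has passed."""
    return (breach.discovered + timedelta(days=NOTIFY_WINDOW_DAYS) - today).days


if __name__ == "__main__":
    # Constructed incident: discovered 10 Jan 2026, 1,200 Californians and 40 Nevadans.
    incident = Breach(date(2026, 1, 10), {"CA": 1200, "NV": 40})
    for o in notification_obligations(incident):
        print(f"{o.recipient:22} {o.deadline or 'annual log':12} {o.method}")
    print("days remaining as of 1 Feb 2026:", days_remaining(incident, date(2026, 2, 1)))
```

The per-jurisdiction loop is the detail most often missed: the media obligation is decided state by state, so the breach in the sample run triggers a press release in California but not in Nevada even though the HHS and individual notices cover everyone.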
HIPAA Fines and Enforcement
HIPAA enforcement has gotten significantly tougher. Here is how the fine structure works:
Largest HIPAA Settlements in History
- Anthem Inc. — $16 million (2018) for breach exposing 78.8 million records. Largest HIPAA settlement ever.
- Change Healthcare (UnitedHealth) — Estimated $22+ billion total cost from the 2024 breach affecting 100 million patients (fines still being assessed)
- Premera Blue Cross — $6.85 million (2020) for breach affecting 10.4 million
- Banner Health — $1.25 million (2023) for failing to conduct enterprise-wide risk analysis
- L.A. County Dept. of Health Services — $1.3 million (2024) for unauthorized PHI disclosures
Telehealth and HIPAA in 2026
Telehealth exploded during COVID-19, and HHS temporarily waived enforcement of certain HIPAA rules to allow healthcare providers to use consumer video apps. Those waivers have now fully expired.
In 2026, telehealth must be fully HIPAA-compliant:
- ✅ Use HIPAA-compliant video platforms (Zoom for Healthcare, Doxy.me, Microsoft Teams for Healthcare) — regular Zoom, FaceTime, and Skype are NOT compliant
- ✅ All platforms must have a signed Business Associate Agreement (BAA)
- ✅ Video calls must use end-to-end encryption
- ✅ Patient consent for telehealth must be documented
- ✅ Recordings (if any) must be stored in HIPAA-compliant systems
- ❌ Do NOT discuss patient information over regular SMS or unencrypted email
HIPAA-Compliant Cloud Storage
Most healthcare organizations now use cloud storage for ePHI. The major cloud providers offer HIPAA-eligible services, but you must configure them correctly:
| Provider | HIPAA-Eligible? | BAA Available? | Key Features |
|---|---|---|---|
| AWS | Yes | Yes (must request) | 75+ HIPAA-eligible services, encryption, audit logs |
| Microsoft Azure | Yes | Yes (auto-included in enterprise) | Azure Health Data Services, HIPAA/HITRUST certified |
| Google Cloud | Yes | Yes (must accept amendment) | Cloud Healthcare API, HIPAA compliance guide |
| Dropbox Business | Yes (Business plan only) | Yes | Encryption at rest and in transit, admin controls |
Important: Simply using a HIPAA-eligible cloud service does NOT make you HIPAA-compliant. You must properly configure access controls, encryption, logging, and sign a BAA with the provider.
Employee Training Requirements
HIPAA requires that all workforce members who handle PHI receive security awareness training. This is not optional — it is a required administrative safeguard. Training must cover:
- What PHI is and how to identify it
- Proper handling, storage, and transmission of ePHI
- Password policies and multi-factor authentication
- How to recognize phishing emails and social engineering attacks
- Reporting procedures for suspected breaches or security incidents
- Physical security (locking screens, securing devices, visitor policies)
- Mobile device and remote work security
Training must be provided when staff are hired and refreshed at least annually. Many OCR investigations have resulted in penalties specifically because organizations could not prove their staff had been trained.
Preparing for a HIPAA Audit
OCR conducts both complaint-driven investigations and random compliance audits. Here is how to prepare for an audit:
- ✅ Completed risk assessment — This is always the first thing auditors ask for
- ✅ Written policies and procedures — Covering all required and addressable safeguards
- ✅ Training records — Proof that all staff have completed HIPAA training with dates
- ✅ Business Associate inventory — List of all BAs with signed BAAs on file
- ✅ Incident response plan — Documented breach notification procedures
- ✅ Access logs — Audit trails showing who accessed what ePHI and when
- ✅ Encryption documentation — Proof of encryption at rest and in transit
- ✅ Contingency plan — Backup, disaster recovery, and emergency mode procedures
- ✅ Sanctions policy — How you discipline employees who violate HIPAA
- ✅ Documentation retention — All HIPAA documentation must be retained for a minimum of 6 years
HIPAA Updates and Changes for 2026
HIPAA continues to evolve. Key changes and proposals for 2026 include:
- Proposed Security Rule update — HHS has proposed the most significant update to the Security Rule since 2013, including mandatory encryption, multi-factor authentication requirements, and stricter risk assessment standards
- Increased breach reporting — Proposals to shorten the breach notification window from 60 days to 30 days
- Reproductive health privacy — New rules specifically protecting reproductive health information from being used in law enforcement investigations
- AI and health data — Growing concerns about AI systems trained on patient data and how HIPAA applies to algorithmic decision-making
- Cybersecurity performance goals — HHS has published voluntary cybersecurity performance goals for healthcare, with discussions about making some mandatory
Build Your HIPAA Compliance Program
HIPAA compliance is not a one-time project — it is an ongoing program that requires continuous attention. But it all starts with the fundamentals: do a thorough risk assessment, implement the required safeguards, train your workforce, and document everything.
The healthcare industry faces unprecedented cybersecurity threats in 2026. The organizations that invest in strong HIPAA compliance programs are not just avoiding fines — they are protecting their patients' most sensitive information and maintaining the trust that is essential to healthcare.
Remember: every patient whose data your organization handles is trusting you with some of the most personal details of their life. That trust is worth protecting.
