HIPAA compliance is the ongoing practice of meeting the requirements of the Health Insurance Portability and Accountability Act of 1996, the federal law that sets national standards for protecting patients’ health information.Â
In practice, it means safeguarding protected health information, including electronic protected health information, across how an organization stores, uses, shares, and secures it.
It is often treated as a one-time project or as a matter of having the right policies on file. However, regulators see it differently, and that gap is where most organizations get into trouble.
Who has to comply with HIPAA?
HIPAA does not apply to everyone who touches health data in the same way. It draws a line between two groups.
Covered entities are health plans, healthcare clearinghouses, and most healthcare providers that transmit health information electronically.Â
Business associates are the vendors and partners that handle protected health information on a covered entity’s behalf, such as billing companies, IT providers, and software platforms.Â
Subcontractors that handle that data fall under the same obligations.
The two are connected by a business associate agreement, a contract that binds the vendor to HIPAA’s protections. Together, covered entities and business associates are referred to as regulated entities, and both can be held directly accountable.
The rules that make up HIPAA
HIPAA compliance is not a single requirement. It is a set of rules that governs a different part of how health information is handled.
HIPAA Privacy Rule
The HIPAA Privacy Rule governs how protected health information can be used and disclosed, and it gives patients rights over their own records, including the right to access them, generally within 30 days, and to request corrections.Â
HIPAA Security Rule
The HIPAA Security Rule sets the safeguards, administrative, physical, and technical, that protect electronic protected health information, with a documented risk analysis at its center.
HIPAA Breach Notification Rule
The Breach Notification Rule requires organizations to notify affected individuals, the Department of Health and Human Services, and in some cases the media, when unsecured protected health information is breached.Â
HIPAA Enforcement Rule
The Enforcement Rule defines how violations are investigated and penalized. Taken together, these rules are what compliance is measured against.
HIPAA compliance is not a single requirement. It is a set of rules that governs a different part of how health information is handled.
What HIPAA compliance actually requires
This is where the binder-of-policies assumption falls apart. A written policy that no one follows is not compliance, and regulators have been explicit that documentation alone is not proof a safeguard is in place.
In practice, a HIPAA compliance program includes a thorough and documented risk analysis, which is the single most frequently cited deficiency in federal investigations. From there, it extends to:Â
- safeguards that actually address the risks identified
- written policies and procedures
- workforce training
- business associate agreements and vendor oversight
- access controls and encryption
- a breach response plan
- designated privacy and security officers
The throughline is that it has to be continuous and provable. The question an investigator asks is not only whether risks were identified, but what was done about them and whether the organization can show it.
Who enforces HIPAA, and what are the penalties?
Enforcement sits primarily with the HHS Office for Civil Rights, with state attorneys general also able to act, and the Department of Justice handling criminal cases.
Civil monetary penalties are tiered by culpability and adjusted for inflation, currently ranging from roughly $137 to more than $2 million per violation, with the willful neglect tier carrying the steepest exposure.Â
In many cases, the corrective action plan that follows a settlement, often running two to three years with mandatory reporting, is more burdensome than the fine itself.Â
Patient right-of-access failures have been a sustained enforcement priority, including against small practices.
What is changing with HIPAA
The HIPAA Security Rule has not been substantively updated in over a decade, and that is poised to change.Â
In late 2024, OCR issued a proposed rule to strengthen it, which would make currently flexible specifications mandatory, require written documentation throughout, and add requirements such as asset inventories, network maps, multi-factor authentication, and encryption.
As of mid-2026, that proposal has not been finalized, and its timing and final form remain uncertain. What has not paused is the enforcement of the rule already in effect.Â
Organizations preparing for the proposed changes often lean on frameworks like HITRUST certification, which operationalize HIPAA’s requirements into a testable set of controls.
Where HIPAA compliance fits into a broader program
HIPAA compliance covers one pillar of a healthcare compliance program, the privacy and security of patient information.Â
It sits alongside other obligations, including workforce and vendor eligibility, which is the domain of exclusion screening, and clinical quality, which is the domain of accreditation such as hospital accreditation.
These are separate requirements, but they share a discipline. Each depends on processes that are documented, continuous, and provable rather than assembled when an auditor arrives.
How Streamline Verify fits in
HIPAA protects patient information. Exclusion screening confirms that the people and vendors an organization works with are eligible to participate in federal healthcare programs. They are distinct obligations, but they live in the same compliance program and reward the same habits.
Streamline Verify handles the eligibility side. It screens the workforce and vendors against the OIG LEIE, the SAM exclusion list, and state Medicaid lists, runs ongoing exclusion monitoring over time, and records each check in a time-stamped audit trail. That is the same documented, continuous, provable approach regulators expect for HIPAA, applied to workforce and vendor eligibility.
To be clear, using a screening platform does not make an organization HIPAA compliant. HIPAA compliance is its own program. What Streamline Verify does is keep the exclusion screening and monitoring part of the broader compliance picture current and defensible, with records ready when they are needed.
Want to see how exclusion screening fits alongside your compliance program?































