« Back to Glossary

What Is HIPAA Compliance in Healthcare?

Published: June 24, 2026

HIPAA compliance is the ongoing practice of meeting the requirements of the Health Insurance Portability and Accountability Act of 1996, the federal law that sets national standards for protecting patients’ health information. 

In practice, it means safeguarding protected health information, including electronic protected health information, across how an organization stores, uses, shares, and secures it.

It is often treated as a one-time project or as a matter of having the right policies on file. However, regulators see it differently, and that gap is where most organizations get into trouble.

Who has to comply with HIPAA?

HIPAA does not apply to everyone who touches health data in the same way. It draws a line between two groups.

Covered entities are health plans, healthcare clearinghouses, and most healthcare providers that transmit health information electronically. 

Business associates are the vendors and partners that handle protected health information on a covered entity’s behalf, such as billing companies, IT providers, and software platforms. 

Subcontractors that handle that data fall under the same obligations.

The two are connected by a business associate agreement, a contract that binds the vendor to HIPAA’s protections. Together, covered entities and business associates are referred to as regulated entities, and both can be held directly accountable.

The rules that make up HIPAA

HIPAA compliance is not a single requirement. It is a set of rules that governs a different part of how health information is handled.

HIPAA Privacy Rule

The HIPAA Privacy Rule governs how protected health information can be used and disclosed, and it gives patients rights over their own records, including the right to access them, generally within 30 days, and to request corrections. 

HIPAA Security Rule

The HIPAA Security Rule sets the safeguards, administrative, physical, and technical, that protect electronic protected health information, with a documented risk analysis at its center.

HIPAA Breach Notification Rule

The Breach Notification Rule requires organizations to notify affected individuals, the Department of Health and Human Services, and in some cases the media, when unsecured protected health information is breached. 

HIPAA Enforcement Rule

The Enforcement Rule defines how violations are investigated and penalized. Taken together, these rules are what compliance is measured against.

HIPAA compliance is not a single requirement. It is a set of rules that governs a different part of how health information is handled.

What HIPAA compliance actually requires

This is where the binder-of-policies assumption falls apart. A written policy that no one follows is not compliance, and regulators have been explicit that documentation alone is not proof a safeguard is in place.

In practice, a HIPAA compliance program includes a thorough and documented risk analysis, which is the single most frequently cited deficiency in federal investigations. From there, it extends to: 

  • safeguards that actually address the risks identified
  • written policies and procedures
  • workforce training
  • business associate agreements and vendor oversight
  • access controls and encryption
  • a breach response plan
  • designated privacy and security officers

The throughline is that it has to be continuous and provable. The question an investigator asks is not only whether risks were identified, but what was done about them and whether the organization can show it.

Who enforces HIPAA, and what are the penalties?

Enforcement sits primarily with the HHS Office for Civil Rights, with state attorneys general also able to act, and the Department of Justice handling criminal cases.

Civil monetary penalties are tiered by culpability and adjusted for inflation, currently ranging from roughly $137 to more than $2 million per violation, with the willful neglect tier carrying the steepest exposure. 

In many cases, the corrective action plan that follows a settlement, often running two to three years with mandatory reporting, is more burdensome than the fine itself. 

Patient right-of-access failures have been a sustained enforcement priority, including against small practices.

What is changing with HIPAA

The HIPAA Security Rule has not been substantively updated in over a decade, and that is poised to change. 

In late 2024, OCR issued a proposed rule to strengthen it, which would make currently flexible specifications mandatory, require written documentation throughout, and add requirements such as asset inventories, network maps, multi-factor authentication, and encryption.

As of mid-2026, that proposal has not been finalized, and its timing and final form remain uncertain. What has not paused is the enforcement of the rule already in effect. 

Organizations preparing for the proposed changes often lean on frameworks like HITRUST certification, which operationalize HIPAA’s requirements into a testable set of controls.

Where HIPAA compliance fits into a broader program

HIPAA compliance covers one pillar of a healthcare compliance program, the privacy and security of patient information. 

It sits alongside other obligations, including workforce and vendor eligibility, which is the domain of exclusion screening, and clinical quality, which is the domain of accreditation such as hospital accreditation.

These are separate requirements, but they share a discipline. Each depends on processes that are documented, continuous, and provable rather than assembled when an auditor arrives.

How Streamline Verify fits in

HIPAA protects patient information. Exclusion screening confirms that the people and vendors an organization works with are eligible to participate in federal healthcare programs. They are distinct obligations, but they live in the same compliance program and reward the same habits.

Streamline Verify handles the eligibility side. It screens the workforce and vendors against the OIG LEIE, the SAM exclusion list, and state Medicaid lists, runs ongoing exclusion monitoring over time, and records each check in a time-stamped audit trail. That is the same documented, continuous, provable approach regulators expect for HIPAA, applied to workforce and vendor eligibility.

To be clear, using a screening platform does not make an organization HIPAA compliant. HIPAA compliance is its own program. What Streamline Verify does is keep the exclusion screening and monitoring part of the broader compliance picture current and defensible, with records ready when they are needed.

Want to see how exclusion screening fits alongside your compliance program?

CONTACT US

You may also want to read on…

Understanding OIG Exclusions

OIG Exclusions Screening Process

Exclusion FAQS

Quick OIG Exclusion Basics

Employing Excluded Individuals

Consequences to Employing an Excluded Individual

OIG Compliance Law

Laws and Publications on OIG Compliance

Our Culture Icon Small

Blog

Stay ahead of healthcare compliance - updates that matter.

Ask Me Anything

Clear answers. Cleaner compliance.

Exclusion Compliance

Understand exclusions. Reduce risk.

Security First

  • ✓ Cloud hosted
  • ✓ Encrypted data
  • ✓ Real-time backups

Trusted for Accuracy

  • ✓ Physical security
  • ✓ Restricted access
  • ✓ Single sign-on
  • ✓ Password security
  • ✓ Certified secure
  • ✓ Cross checking

HEALTHCARE ESTABLISHMENTS NATIONWIDE COUNT ON STREAMLINE VERIFY

5

60%

Average workload reduction by implementing the Streamline Verify program

5

10K

Establishments trust Streamline Verify nationwide

5

2011

Serving the healthcare industry’s unique compliance needs since 2011

5

24X

Setting standards with hourly synchronization to primary source data

AICP SOC Compliance Logo
HIPAA Compliance Logo
Our Culture Icon Small

Our Culture

We build the best, so you can perform at your best.

Trusted for Good Reason

  • ✓ Guaranteed accurate
  • ✓ Certified Secure
  • ✓ Audit Proof
  • ✓ Feature-rich reporting
  • ✓ Round the clock real-time-data
  • ✓ Processing fully automated

Security First

  • ✓ Cloud hosted
  • ✓ Encrypted data
  • ✓ Real-time backups

Trusted for Accuracy

  • ✓ Physical security
  • ✓ Restricted access
  • ✓ Single sign-on
  • ✓ Password security
  • ✓ Certified secure
  • ✓ Cross checking

HEALTHCARE ESTABLISHMENTS NATIONWIDE COUNT ON STREAMLINE VERIFY

5

60%

Average workload reduction by implementing the Streamline Verify program

5

10K

Establishments trust Streamline Verify nationwide

5

2011

Serving the healthcare industry’s unique compliance needs since 2011

5

24X

Setting standards with hourly synchronization to primary source data

AICP SOC Compliance Logo
HIPAA Compliance Logo