- HIPAA is a U.S. federal law that sets national standards for protecting patients' health information, applying to healthcare providers, health plans, and their vendors.
- Compliance requires implementing administrative, physical, and technical safeguards across every system that stores, processes, or transmits protected health information (PHI).
- PHI covers 18 categories of identifiers, including names, dates, phone numbers, email addresses, and medical record numbers, in any format, including electronic, paper, and spoken.
- The biggest compliance failures are not always external attacks: Insider misuse, misconfigured cloud storage, and unauthorized data movement by employees account for a significant share of HIPAA breaches.
- Data visibility tools like data security posture management (DSPM) and data loss prevention (DLP) help organizations locate, classify, and control PHI across complex environments where manual oversight is not practical.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information from unauthorized disclosure. It applies to healthcare providers, health insurance plans, healthcare clearinghouses, and any vendor that handles health information on their behalf.
HIPAA's scope expanded significantly with the HITECH Act in 2009 and the Omnibus Rule in 2013, both of which strengthened enforcement, increased civil penalties, and extended requirements to third-party vendors, known as business associates. Today, HIPAA compliance is not optional for covered entities and their partners: penalties for violations range from $100 to more than $50,000 per violation, with annual caps exceeding $1.9 million per violation category.
The law's enduring relevance is due to one straightforward reality: Healthcare data is among the most sensitive and consistently targeted categories of information an organization can hold. A single patient record can contain financial data, personal identifiers, and details about physical and mental health conditions, making it valuable for fraud, identity theft, and social engineering.
How HIPAA Works
HIPAA compliance is not a single checklist. It operates through three primary rules, each of which governs a distinct aspect of how protected health information (PHI) is handled.
The Privacy Rule
The Privacy Rule, effective in 2003, sets the conditions under which covered entities may use and disclose PHI. It grants patients rights over their health information, including the right to access their records, request corrections, and receive an accounting of disclosures. Organizations must have documented policies for every scenario in which PHI may be used or shared, and those policies must limit access to the minimum necessary information.
The Security Rule
The Security Rule applies specifically to electronic PHI (ePHI) and requires covered entities to implement safeguards in three categories:
- Administrative safeguards: risk analysis and risk management, workforce training, sanction policies, and contingency planning.
- Physical safeguards: facility access controls, workstation security, and device and media controls.
- Technical safeguards: access control, audit controls, integrity controls, person or entity authentication, and transmission security.
The Security Rule is intentionally flexible: it does not mandate specific technologies but requires covered entities to implement "reasonable and appropriate" safeguards given their size, complexity, and capabilities. Each standard carries implementation specifications that are either required or addressable. "Addressable" does not mean optional: the entity must implement the specification, implement a documented equivalent alternative, or document why neither is reasonable and appropriate in its environment.
The Breach Notification Rule
When a breach of unsecured PHI occurs, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services (HHS) on the same timeline, and a breach affecting more than 500 residents of a single state or jurisdiction additionally requires notice to prominent media outlets serving that area. Smaller breaches are logged and reported to HHS annually. Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery; in practice, BAAs commonly set a much shorter contractual deadline so that the covered entity can meet its own.
What Forms of PHI Are Covered Under HIPAA?
HIPAA defines PHI as any individually identifiable health information that relates to the past, present, or future physical or mental health of an individual, the provision of healthcare, or payment for healthcare services. The 18 identifier categories commonly associated with PHI come from the Privacy Rule's Safe Harbor de-identification method: health information from which all 18 have been removed, and which the entity has no actual knowledge could be re-identified, is no longer PHI. The list therefore doubles as a practical definition of what makes health data identifiable.
PHI exists in any medium: electronic records, paper files, and spoken conversations all fall under HIPAA's scope. Electronic PHI (ePHI) receives additional protections under the Security Rule because it is more easily stored, transmitted, and exfiltrated at scale.
Why HIPAA Compliance Matters for Data Security
The regulatory stakes are real
HIPAA enforcement has grown significantly over the past decade. The HHS Office for Civil Rights (OCR) conducts investigations triggered by breach reports and complaints, and settlements can reach tens of millions of dollars. In parallel, state attorneys general can bring their own HIPAA enforcement actions, creating layered legal exposure.
Healthcare data attracts persistent threat actors
Healthcare organizations are among the most heavily targeted sectors for data breaches. Patient records contain a dense combination of PHI, financial data, and personal identifiers, making them valuable for insurance fraud, identity theft, and credential attacks. Unlike payment card data, which can be reissued after exposure, medical history cannot be changed, which extends the harm to affected individuals and the liability to the organization.
The insider risk dimension is underappreciated
A significant portion of HIPAA breaches are caused not by external attackers but by insiders. Employee snooping, unauthorized access to records out of curiosity or malice, and accidental disclosure through misdirected emails or misconfigured file shares are recurring causes of reportable incidents. HIPAA's minimum necessary standard directly addresses this: organizations must actively limit who can access PHI, and review whether each access had a treatment, payment, or operational justification, rather than only preventing outsiders from reaching it.
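As an added example (not Cyberhaven code and not part of the original page), the following Python script applies three minimum-necessary checks to a constructed EHR record-access log: a clinician opening the chart of a patient they have no treatment relationship with, a user performing an action their role is not permitted to perform, and one user browsing many distinct charts in a short window. The log format, the care-team table, the role-permission matrix, and the thresholds are all assumptions for illustration.

```python
"""Flag record accesses that violate minimum necessary.

Added example, not Cyberhaven or page code. Log format, care-team table,
role permissions and thresholds are assumptions for illustration; real EHR
audit logs carry more fields and thresholds must be tuned per organisation.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed care-team table: which staff have a treatment relationship with
# which patient. In practice this comes from encounter and care-team data.
CARE_TEAM = {
    "P1001": {"dr.lee", "rn.patel"},
    "P1002": {"dr.lee", "rn.okafor"},
    "P1003": {"dr.chen", "rn.okafor"},
    "P1004": {"dr.chen", "rn.patel"},
}

# Assumed role-to-action matrix: billing staff never need the clinical chart.
ROLE_PERMITTED_ACTIONS = {
    "physician": {"view_clinical", "view_billing"},
    "nurse": {"view_clinical"},
    "billing": {"view_billing"},
}
CLINICAL_ROLES = {"physician", "nurse"}  # roles that need a care-team link
BULK_WINDOW = timedelta(minutes=10)      # assumed snooping window
BULK_THRESHOLD = 3                       # distinct patients allowed per window

# Constructed sample audit log.
SAMPLE_LOG = """timestamp,user,role,patient_id,action
2024-03-04T09:02:11,dr.lee,physician,P1001,view_clinical
2024-03-04T09:05:40,rn.patel,nurse,P1004,view_clinical
2024-03-04T09:07:02,rn.okafor,nurse,P1001,view_clinical
2024-03-04T09:20:00,billing.sam,billing,P1002,view_billing
2024-03-04T21:14:09,billing.sam,billing,P1002,view_clinical
2024-03-04T22:01:00,rn.okafor,nurse,P1002,view_clinical
2024-03-04T22:01:30,rn.okafor,nurse,P1003,view_clinical
2024-03-04T22:02:10,rn.okafor,nurse,P1004,view_clinical
2024-03-04T22:02:55,rn.okafor,nurse,P1001,view_clinical
"""


def parse_log(text):
    """Parse the CSV log into dicts, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def _finding(row, reason):
    return {
        "user": row["user"],
        "patient_id": row["patient_id"],
        "timestamp": row["timestamp"].isoformat(),
        "reason": reason,
    }


def audit(rows, care_team=CARE_TEAM):
    """Return one finding per rule violation, in log order."""
    findings = []
    recent = defaultdict(list)  # user -> [(timestamp, patient_id)] in window
    for row in rows:
        user, role = row["user"], row["role"]
        pid, action, ts = row["patient_id"], row["action"], row["timestamp"]

        # Rule 1: the action must be one the role is allowed to perform.
        if action not in ROLE_PERMITTED_ACTIONS.get(role, set()):
            findings.append(_finding(row, "action not permitted for role"))

        # Rule 2: clinical staff open only charts of patients they treat.
        if role in CLINICAL_ROLES and user not in care_team.get(pid, set()):
            findings.append(_finding(row, "no treatment relationship"))

        # Rule 3: many distinct charts in a short window looks like browsing.
        window = [(t, p) for t, p in recent[user] if ts - t <= BULK_WINDOW]
        window.append((ts, pid))
        recent[user] = window
        if len({p for _, p in window}) > BULK_THRESHOLD:
            findings.append(_finding(row, "bulk chart access"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f"{f['timestamp']} {f['user']:<12} {f['patient_id']} {f['reason']}")
```

On the sample log the script flags rn.okafor's morning access to P1001 (no treatment relationship), billing.sam's late-evening clinical view (not permitted for the role), and rn.okafor's four-chart sweep at 22:02, which trips both the treatment-relationship rule and the bulk-access rule. The care-team check is the one that matters most in practice: break-the-glass and covering-shift workflows legitimately produce accesses outside the care team, so a real program pairs this rule with an attestation step rather than treating every hit as a violation.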
Cloud and hybrid environments create visibility gaps
As healthcare organizations adopt cloud storage, SaaS tools, and remote access systems, PHI increasingly exists in environments where manual oversight is not practical. Data can be copied, synced, or shared across systems without security teams being aware. Without systematic discovery and classification, organizations cannot demonstrate that their safeguards apply to all ePHI, a foundational requirement of the Security Rule's risk analysis mandate.
Common HIPAA Compliance Challenges
Most HIPAA compliance failures trace back to a small number of recurring problems:
- Incomplete risk analysis. The Security Rule requires a thorough, documented risk analysis, but many organizations perform it once and treat it as static. As systems, vendors, and data flows change, the risk analysis must be updated. Outdated assessments are a frequent finding in OCR investigations.
- Business associate management. Every vendor, contractor, or service provider that handles ePHI on behalf of a covered entity is a business associate and must sign a business associate agreement (BAA). Organizations often underestimate how many third parties touch PHI, especially as cloud and SaaS adoption grows.
- Workforce training gaps. Administrative safeguards require regular training, but training alone does not prevent violations if employees can access PHI they have no reason to view. Access controls must match actual job functions.
- Misconfigured cloud storage. Misconfigured cloud buckets and file-sharing settings are a consistent source of reportable breaches. PHI stored in cloud environments requires the same protections as on-premises data.
- Lack of data visibility. Organizations that cannot answer "where does our PHI live?" cannot demonstrate that their safeguards cover all of it. This is increasingly a technical problem as data proliferates across endpoints, SaaS platforms, and cloud storage.
How to Build a HIPAA Compliance Program
A HIPAA compliance program is a structured, ongoing set of policies, controls, and processes rather than a point-in-time project. The following steps reflect the Security Rule's required and addressable implementation specifications.
- Conduct a documented risk analysis. Identify all systems that create, receive, maintain, or transmit ePHI. Assess the likelihood and potential severity of threats to each. Document the findings and revisit the analysis annually or after any significant system change.
- Implement access controls based on minimum necessary. Use role-based access to ensure employees can reach only the PHI their job requires. Audit access logs regularly. Remove access promptly when job functions change or employees depart.
- Encrypt ePHI at rest and in transit. Encryption is an addressable specification under the Security Rule, which means it can be replaced only by a documented equivalent alternative, not skipped. It is also the most effective technical safeguard against breach exposure: PHI encrypted in line with HHS guidance (NIST-approved algorithms, with keys stored separately from the data) is "secured" PHI, and its loss alone is not a reportable breach. That safe harbor does not apply if the keys are compromised along with the data, and full-disk encryption protects a powered-off laptop, not a running server whose application reads the data in the clear.
- Establish and enforce workforce training. Training must be role-specific and documented. General security awareness training is a baseline; staff with regular PHI access need training tailored to their specific responsibilities.
- Audit and inventory business associate relationships. Maintain a complete list of business associates, confirm BAAs are in place and current, and include ePHI data flows with each vendor in your risk analysis.
- Build a breach response plan. Define who is responsible for breach detection, investigation, risk assessment, and notification. Test the plan. Ensure all relevant staff understand that notification is due without unreasonable delay and in no case later than 60 days after discovery, and that the clock starts when the breach is discovered or should reasonably have been discovered, not when the investigation concludes.
- Use technical controls for data discovery and monitoring. Manual processes cannot scale to the volume and distribution of PHI in modern healthcare environments. Automated discovery, classification, and monitoring tools provide the visibility required to support ongoing risk analysis and demonstrate that safeguards apply to all ePHI.
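As an added example of the discovery and classification step (and of the identifier-plus-health-information definition of PHI discussed earlier), the following Python script walks a directory tree, detects a handful of the 18 Safe Harbor identifier classes in each file, and labels a file PHI only when identifiers co-occur with health information. This is not Cyberhaven DSPM or DLP code and not part of the original page; the MRN format, the health-context vocabulary, and the sample files are assumptions constructed for illustration.

```python
"""Discover files that may hold PHI and classify what they contain.

Added example, not Cyberhaven DSPM/DLP code or the page's own. The identifier
patterns cover only a subset of the 18 Safe Harbor identifier classes; the MRN
format and the health-context vocabulary are assumptions for illustration.
"""
import os
import re
import tempfile

# Detectors for a subset of the 18 Safe Harbor identifier classes.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "mrn": re.compile(r"\bMRN[:# ]?\s*\d{6,8}\b", re.IGNORECASE),  # assumed format
}

# Identifiers alone are PII; linked to health information they become PHI.
# Assumed vocabulary plus an ICD-10 code shape (letter, two digits, dot, digits).
HEALTH_CONTEXT = re.compile(
    r"\b(?:diagnos\w*|patient|prescri\w*|discharge|admitted|ICD-10|[A-Z]\d{2}\.\d{1,2})",
    re.IGNORECASE,
)

# Constructed sample files standing in for a real file share or bucket.
SAMPLE_FILES = {
    "clinic/notes/visit_0312.txt": (
        "Patient Jane Roe, MRN 00412345, DOB 04/12/1981, seen 2024-03-12.\n"
        "Diagnosis: J45.20 asthma. Prescribed albuterol as needed.\n"
    ),
    "billing/claims.txt": (
        "Claim for patient SSN 123-45-6789, ICD-10 E11.9, service 01/15/2024.\n"
    ),
    "it/backups/export_2023.sql": (
        "INSERT INTO encounters VALUES ('MRN 00987654', '2023-11-02', "
        "'admitted for chest pain');\n"
    ),
    "hr/contacts.csv": "name,phone,email\nAlex Kim,(415) 555-0133,alex.kim@example.org\n",
    "marketing/newsletter.md": (
        "Our clinic opens a new site on 2024-05-01. Call (415) 555-0100.\n"
    ),
    "readme.txt": "Build instructions: run make, then make test.\n",
}


def classify(text):
    """Return (label, identifier_classes_found) for one document."""
    found = sorted(n for n, p in IDENTIFIER_PATTERNS.items() if p.search(text))
    if not found:
        return "none", found
    return ("PHI" if HEALTH_CONTEXT.search(text) else "PII"), found


def scan_tree(root):
    """Walk a directory and classify every readable text file."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: a real scanner would log this gap
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = classify(text)
    return results


def phi_inventory(results):
    """Answer 'where does our PHI live?': paths classified as PHI, sorted."""
    return sorted(p for p, (label, _) in results.items() if label == "PHI")


def build_sample_tree():
    """Write the constructed sample files to a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="phi_scan_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    results = scan_tree(build_sample_tree())
    for path, (label, ids) in sorted(results.items()):
        print(f"{label:<5} {path:<30} {','.join(ids)}")
    print("PHI locations:", phi_inventory(results))
```

Two results illustrate the point of the classification. The SQL export under it/backups is flagged PHI even though no one "filed" it as a clinical record: that is exactly the copied-and-forgotten data the risk analysis must cover. The marketing newsletter is flagged PII only, because a business phone number and an event date are not linked to anyone's health information; a production classifier would go further and recognise that they are not individual identifiers at all. A real scanner also needs file-type handlers (PDF, DOCX, images with OCR), detectors for the identifier classes omitted here (names, addresses, biometric data, account numbers), and a way to feed its inventory back into the risk analysis.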
How Cyberhaven Addresses HIPAA Compliance
HIPAA's Security Rule requires covered entities to know where their ePHI is, control who can access it, and detect unauthorized disclosure. These are fundamentally data visibility and governance problems, and they are increasingly difficult to solve with manual processes or traditional controls as PHI moves across cloud storage, SaaS applications, endpoints, and third-party systems.
Cyberhaven DSPM continuously discovers and classifies sensitive data across cloud and on-premises environments, giving security and compliance teams a current, accurate picture of where PHI and ePHI reside. This supports the Security Rule's risk analysis requirement by ensuring that safeguards are applied to all covered data, not just the data the organization knew about.
Cyberhaven DLP monitors and controls data movement in real time, detecting when PHI is being copied to unauthorized destinations, shared with unverified recipients, or transferred to personal devices or consumer cloud accounts. This directly addresses two of the most common sources of HIPAA breaches: insider misuse and accidental disclosure. Because Cyberhaven's DLP is built on data lineage, it tracks the full history of how a file has moved, who has touched it, and where it has been, providing the audit trail that compliance investigators and internal teams need when a potential incident occurs.
Together, these capabilities help compliance and security teams answer the three questions at the center of HIPAA's Security Rule: What ePHI do we have? Who can reach it? And how do we know if something goes wrong?
Understand how DSPM can elevate your data security maturity while protecting valuable data and achieving compliance with our ebook, “From Visibility To Control: A Practical Guide to Modern DSPM.”
Frequently Asked Questions
What is HIPAA and what does it stand for?
HIPAA stands for the Health Insurance Portability and Accountability Act. Enacted in 1996, it is a U.S. federal law that establishes national standards for protecting sensitive patient health information. It applies to healthcare providers, health plans, healthcare clearinghouses, and the business associates that handle health information on their behalf.
What does it mean to be HIPAA compliant?
Being HIPAA compliant means an organization has implemented the administrative, physical, and technical safeguards required by the law to protect PHI, has documented policies governing how PHI is used and disclosed, trains its workforce accordingly, and has procedures in place to respond to breaches. Compliance is not a one-time certification; it requires ongoing risk analysis, policy updates, and monitoring.
What forms of PHI are covered under HIPAA?
HIPAA's Safe Harbor de-identification standard lists 18 categories of identifiers that make health information individually identifiable, including names, dates (other than year), geographic subdivisions smaller than a state, phone numbers, email addresses, Social Security numbers, medical record numbers, biometric identifiers, and full-face photographs. PHI is covered in all formats: electronic records, paper files, and spoken conversations. Electronic PHI (ePHI) receives additional protections under HIPAA's Security Rule.
What is a HIPAA compliant environment?
A HIPAA compliant environment is any system, platform, or facility in which ePHI is stored, processed, or transmitted with the appropriate administrative, physical, and technical safeguards in place. For cloud environments, this requires encryption, access controls, audit logging, and a signed BAA with the cloud provider. It is the organization's responsibility to verify that every environment holding ePHI meets Security Rule requirements.
What is the key to HIPAA compliance?
The key to HIPAA compliance is an accurate, current understanding of where PHI lives and who can access it. Organizations that cannot locate all of their ePHI cannot demonstrate that their safeguards cover it. A documented risk analysis, strong access controls, and automated data discovery and monitoring tools are the foundation of any defensible compliance program.
Who is required to comply with HIPAA?
HIPAA applies to covered entities, which include healthcare providers that conduct certain electronic transactions, health plans, and healthcare clearinghouses. It also applies to business associates: vendors, contractors, and service providers that create, receive, maintain, or transmit PHI on behalf of a covered entity, including their subcontractors. Business associates must sign a BAA and, since the Omnibus Rule, are directly liable under the Security Rule and the Breach Notification Rule.