
Under HIPAA Compliance, there are two primary entities defined that HIPAA applies to, and they are subject to several rules. These include both Covered Entities (CEs) and Business Associates (BAs). Covered Entities include businesses (both for-profit and non-profit) that are directly involved in creation, maintenance or transmission of Protected Health Information (PHI). Example of Covered Entities (CEs) include providers, doctors, nurses, hospitals, pharmacies, health plans, healthcare clearing houses, and more. Business Associates on the other hand are service providers and professionals who perform healthcare related functions/activities on behalf of (or for) Covered Entities (CEs). They may come into contact with PHI on behalf of the Covered Entity to perform their responsibilities. For example, this can include outsourced firms that handle legal, accounting, IT or even security which may come in contact with data regularly.
Privacy Rule
The Privacy Rule establishes guidelines for the proper use and disclosure of Protected Health Information (PHI). For Covered Entities (CEs), this means obtaining patient consent before sharing PHI and limiting access to only those who need it. Business Associates (BAs), such as billing companies or IT providers, are bound by the same standards when handling PHI on behalf of a CEs. Whether you’re a hospital or a cloud provider, safeguarding patient privacy is a shared responsibility. For CEs, the Privacy Rule goes beyond safeguarding PHI – it empowers patients by granting them control over their health information. Patients have the right to access and amend their medical records and can request an accounting of disclosures to see who has accessed or shared their information. To uphold this transparency, CEs must inform patients of their privacy rights and explain how their data may be used. This is accomplished through a Notice of Privacy Practices (NPP), a document that must be provided to every patient. The NPP outlines patients’ rights, the CE’s responsibilities, and details about permissible uses of PHI, such as for treatment, payment, or healthcare operations. Healthcare providers must also ensure their internal policies and procedures align with the Privacy Rule. For example, they must implement protocols for responding to patient requests for information, restricting disclosures, and handling complaints.
Security Rule
The Security Rule is central to HIPAA Compliance, designed specifically to protect electronic Protected Health Information (ePHI) that is created, received, used, or maintained by Covered Entities (CEs) and Business Associates (BAs). Its primary goal is to ensure the confidentiality, integrity, and availability (CIA Triad) of ePHI through three categories of safeguards: administrative, physical, and technical.
Omnibus Rule
The 2013 Omnibus Rule expanded HIPAA’s reach by making Business Associates (BAs) – such as IT vendors, billing companies, and subcontractors – directly liable for compliance, alongside Covered Entities (CEs). This update strengthened the protection of PHI throughout the supply chain, introduced stricter breach notification requirements to enhance transparency, and increased penalties for non-compliance. It also tightened rules for obtaining patient consent for marketing and sales, ensuring greater control over how PHI is used. Additionally, the rule integrated the Genetic Information Non-Discrimination Act (GINA), prohibiting the use of genetic data for discriminatory purposes in healthcare or insurance.
Breach Notification Rule
The Breach Notification Rule mandates that both Covered Entities (CEs) and Business Associates (BAs) respond promptly to breaches involving PHI, notifying affected individuals, the Department of Health and Human Services (HHS), and sometimes the media. Notifications must be sent within 60 days of discovery (barring reasonable delays) and include details about the breach, the information affected, protective steps individuals can take, ongoing investigation efforts, measures to prevent future breaches, and contact information. For large-scale breaches affecting 500 or more individuals, immediate notification to HHS is required, enabling a federal response and ensuring public transparency.
Enforcement Rule
The Enforcement Rule establishes the framework for investigating HIPAA violations and holding Covered Entities (CEs) and Business Associates (BAs) accountable. It outlines procedures for compliance investigations, resolution of complaints, and hearings in the event of breaches. A tiered penalty system is used to impose fines, ranging from $100 to $50,000 per violation based on factors like the level of negligence and whether corrective actions were taken.
Get Compliance, Trust + Security in One Affordable Platform.
Monitor everything – not just what’s “in scope” – with coverage across cloud, SaaS, devices, and people, and an all-inclusive library of frameworks: GDPR, ISO 27001, HIPAA, SOC 2, and 15+ more. Get Started For Free View Pricing
Patient Rights Under HIPAA Compliance (For Covered Entities)
Under HIPAA, patients have fundamental rights to access and control their health information, ensuring privacy and security. Covered Entities (CEs), such as healthcare providers and clinics, must allow patients to request and obtain copies of their medical records within a specified timeframe and provide the option to request amendments if errors or omissions are found (though providers are not obligated to make changes but must explain denials). Patients can also request a record of when their information was shared for purposes unrelated to care, such as research or public health activities. Additionally, they have the right to request privacy restrictions or ask for confidential communications—such as sending mail to a different address or contacting them at a private number.
1. Understand Core HIPAA Requirements
Begin by confirming whether you are a Covered Entity (CE) or a Business Associate (BA) under HIPAA. Covered Entities include healthcare providers, health plans, and clearinghouses, while Business Associates handle PHI on behalf of CEs through services like billing, data analytics, or IT support. Once your status is clear, identify the types of Protected Health Information (PHI) you work with and document all inventory items (along with their data classification level) in a centralized system. A WatchDog Security subscription provides access to our Inventory Management feature, which helps automate this requirement.
2. Conduct a Risk Assessment
Once you’ve mapped out where PHI is stored, received, and transmitted—whether in EHRs, billing systems, consulting workflows, or physical records—the next step is identifying both internal and external risks. These risks may arise across your infrastructure, employees, or other areas of your organization. After identifying them, you can prioritize based on potential impact and use your findings to guide remediation efforts such as policy updates or enhanced training. With a free WatchDog Security subscription, you’ll have access to our Risk Manager tool, including HIPAA Self-Risk Assessments, all centralized and collaboratively managed in one location. For organizations that need deeper support, our fractional experts can conduct a tailored risk assessment and build out a customized risk register specific to your environment. Performing a free risk assessment using WatchDog Security’s Risk Register
3. Implement the Privacy Rule
If you’re a Covered Entity under HIPAA Compliance, appoint a Privacy Officer to oversee how PHI is used, shared, and disclosed, ensuring you address patient rights like access and amendment requests. Also create a formalized privacy policy, patient consent form, and procedures to review and verify requests for PHI symmetrically and respond to patient PHI access requests. Business Associates should maintain written privacy procedures that align with the services they provide to CEs. Physical, administrative, and technical safeguards must be documented and communicated to staff at all levels. A free WatchDog Security subscription offers access to an interactive policy editor and manager, which can be used to create, disseminate, and track policy acceptance across your organization. Why a Policy Manager is Essential for Business
4. Address the Security Rule
Meeting HIPAA’s Security Rule goes beyond checklists – it requires strengthening the technical foundation of your environment. Start with baseline hardening for servers, workstations, and network devices to minimize exploitable weaknesses. Apply configuration baselines consistently across both cloud and on-prem environments, and establish posture management processes to monitor for drift from secure standards. Daily encrypted backups to secure, offsite locations help ensure ePHI can be restored quickly when needed, while regular log and system audits provide early detection of unauthorized activity. In addition to compliance control mapping, organizations should take a “secure by default” approach – building guardrails that enforce best practices across their infrastructure. WatchDog Security helps streamline this by combining compliance mapping with posture monitoring tools, so you can manage technical safeguards, policy alignment, and configuration oversight from a single platform.
5. Develop a Breach Notification Plan
Create a clear process for notifying affected individuals within 60 days of discovering a breach, and understand when you must also notify HHS and the media. Document the nature of the breach, what data was involved, and how you plan to prevent future incidents. Business Associates should report breaches to their Covered Entity partners promptly, enabling the CE to meet its own notification obligations. WatchDog’s policy manager includes a built-in template to help you quickly publish and distribute these procedures. Creating an Incident Response Plan
6. Train & Educate Your Workforce
Ensure that all staff – from executives to frontline employees – understand HIPAA Compliance basics, privacy best practices, and breach protocols. Include HIPAA training during onboarding, and conduct refresher sessions covering new threats or updated policies. If you’re a Business Associate, tailor training to your specific services while reinforcing the importance of following both your own policies and the CE’s requirements. A well-informed workforce is your first line of defense against violations. Top 5 Free Cybersecurity Awareness Training Resources
7. Document BAAs & Manage Vendors
Covered Entities must ensure that any third party handling PHI signs a Business Associate Agreement (BAA), detailing obligations around data privacy and breach reporting. Business Associates should keep thorough records of all BAAs they sign with CEs and, if applicable, establish sub-BAAs with subcontractors who also handle PHI. You can use WatchDog Security’s Vendor Management to store agreements, track vendors, and receive notifications for renewals or policy revisions. The Ultimate Guide to Vendor Security Management
8. Maintain Ongoing Audits & Reviews
Perform regular assessments of physical, technical, and administrative safeguards. Keep comprehensive records of all findings, corrective actions, and policy updates. Update processes to align with emerging technologies, changing regulations, or new business practices, and reassess risks whenever significant changes occur.
FAQ
- What counts as Protected Health Information (PHI)?
PHI is any individually identifiable health information that relates to a patient’s physical or mental health, the provision of healthcare, or payment for healthcare. This can include names, addresses, dates of birth, medical record numbers, and more. Basically anything that can identify an individual when tied to health-related data counts as PHI.
- What is the difference between Protected Health Information (PHI) and Electronic Protected Health Information (ePHI)?
While PHI can exist in any form (paper, spoken conversation, images), ePHI specifically refers to PHI that is created, stored, or transmitted in an electronic format, such as emails, electronic health records, or digital billing systems. HIPAA’s Security Rule primarily governs the protection of ePHI, whereas the Privacy Rule covers PHI in all forms.
- What is a Business Associate Agreement (BAA)?
A BAA is a legal contract between a Covered Entity and a Business Associate (or between a BA and its subcontractors). It outlines each party’s responsibilities to safeguard PHI, defines breach notification procedures, and establishes liability in case of violations.
- Do state privacy laws affect my HIPAA compliance?
HIPAA sets a federal baseline. If your state has stricter privacy laws, you must adhere to whichever regulation provides the greatest protection for patient information. Always stay current on both federal and state requirements.
Stay Audit-Ready and Simplify Compliance
Compliance doesn’t have to be complex. Kickstart your program on our unified trust, compliance, and security platform, free-for-life, and access:
- Policy management – publish, distribute, and track policies with ease
- Risk and vendor tracking – stay ahead of gaps and third-party exposures
- Framework coverage – SOC 2, ISO 27001, HIPAA, GDPR, and 15+ more
- Audit readiness tools – organize evidence and streamline certifications
Get started free today – no credit card required.

