HIPAA Compliance
Protect patient data with a defensible HIPAA compliance programme covering all three safeguard categories.
HIPAA Compliance: Protecting Patient Data Across the Healthcare Ecosystem
The Health Insurance Portability and Accountability Act (HIPAA) establishes federal standards for protecting the privacy and security of protected health information (PHI) in the United States. While the law was enacted in 1996, its enforcement has intensified significantly in recent years — the Office for Civil Rights (OCR) has imposed penalties exceeding $130 million since the enforcement programme began, and the average cost of a healthcare data breach now exceeds $10 million, the highest of any industry.
HIPAA is not a single rule but a collection of rules that work together. The Privacy Rule governs how PHI can be used and disclosed. The Security Rule establishes standards for protecting electronic PHI (ePHI). The Breach Notification Rule defines when and how breaches must be reported. The Enforcement Rule sets the penalty framework. Understanding how these rules interact is essential for building a compliance programme that actually protects your organisation.
Who HIPAA applies to
HIPAA applies to two categories of organisations. Covered entities are healthcare providers (hospitals, clinics, physicians, dentists, pharmacies, and any provider that transmits health information electronically in connection with a HIPAA standard transaction such as a claim or eligibility check), health plans (insurers, HMOs, employer-sponsored plans, government programmes like Medicare and Medicaid), and healthcare clearinghouses. Business associates are organisations that perform functions or services on behalf of a covered entity that involve access to PHI, including IT service providers, cloud hosting companies, billing services, claims processors, EHR vendors, analytics companies, and consultants. Since the 2013 Omnibus Rule, a subcontractor that handles PHI for a business associate is itself a business associate and carries the same obligations.
The business associate designation is where many technology companies encounter HIPAA unexpectedly. If your software stores, processes, or transmits PHI on behalf of a healthcare client, you are a business associate: you must comply with the applicable HIPAA requirements (the full Security Rule and the relevant parts of the Privacy and Breach Notification Rules), execute a Business Associate Agreement (BAA), and be prepared for an OCR investigation in the event of a breach. A cloud provider that merely stores encrypted PHI without holding the key is still a business associate.
The Security Rule — three safeguard categories
The HIPAA Security Rule requires covered entities and business associates to implement safeguards across three categories.
Administrative safeguards include security management processes, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and business associate contracts. These are the organisational and procedural controls that form the foundation of your compliance programme.
Technical safeguards include access controls (unique user identification, emergency access, automatic logoff, encryption), audit controls (logging and monitoring of ePHI access), integrity controls (mechanisms to protect ePHI from improper alteration or destruction), person or entity authentication, and transmission security (encryption of ePHI in transit).
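Audit controls and integrity controls are the two technical safeguards most often implemented weakly (a plain database table of access events that a privileged user can silently edit satisfies neither). The following is an added illustration, not code from the original page or from any product it describes: a hash-chained, HMAC-authenticated ePHI access log in which every entry commits to the one before it, so an edited or deleted entry breaks verification, plus a minimal idle-timeout check for automatic logoff. The user names, patient identifiers, timestamps and the 15-minute timeout are constructed sample values; the HMAC key must be stored outside the log store (an HSM or a secrets manager), otherwise whoever can edit the log can also re-sign it.

```python
"""Tamper-evident ePHI access audit log plus automatic-logoff check.

Added illustration of three HIPAA Security Rule technical safeguards:
audit controls (45 CFR 164.312(b)), integrity (164.312(c)(1)) and automatic
logoff (164.312(a)(2)(iii)). Sample users, patient IDs and timestamps are
constructed for the example; the key below is a placeholder only.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

GENESIS_HASH = "0" * 64          # chain anchor for the first entry
AUDIT_FIELDS = ("ts", "user", "action", "patient_id")
IDLE_TIMEOUT_S = 15 * 60         # assumed policy value; tune per risk analysis


@dataclass
class AuditLog:
    key: bytes                                   # HMAC key, held outside the log store
    entries: list = field(default_factory=list)  # append-only list of signed entries

    def _digest(self, prev_hash: str, record: dict) -> str:
        # Each entry's tag covers its own fields AND the previous tag, so
        # editing, reordering or removing an earlier entry breaks the chain.
        payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def append(self, ts: int, user: str, action: str, patient_id: str) -> dict:
        record = {"ts": ts, "user": user, "action": action, "patient_id": patient_id}
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = dict(record, hash=self._digest(prev_hash, record))
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the whole chain is intact, else the index of the first bad entry."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            record = {k: entry[k] for k in AUDIT_FIELDS}
            if not hmac.compare_digest(entry["hash"], self._digest(prev_hash, record)):
                return i
            prev_hash = entry["hash"]
        return -1

    def head(self) -> str:
        """Latest tag; publish it externally so truncation of the tail is detectable too."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def session_active(last_activity_ts: int, now_ts: int, timeout_s: int = IDLE_TIMEOUT_S) -> bool:
    """Automatic logoff: a session is live only while idle time is below the timeout."""
    return now_ts - last_activity_ts < timeout_s


def demo() -> tuple:
    """Build a small log, check it, tamper with one entry, check again."""
    log = AuditLog(key=b"placeholder-key-load-from-secrets-manager")
    log.append(1700000000, "nurse.jane", "view", "PT-1001")     # constructed sample events
    log.append(1700000060, "dr.smith", "update", "PT-1001")
    log.append(1700000120, "billing.bot", "export", "PT-2002")
    intact = log.verify()                      # -1: chain verifies
    log.entries[1]["user"] = "someone.else"    # simulate an after-the-fact edit
    tampered = log.verify()                    # 1: first entry whose tag no longer matches
    return intact, tampered


if __name__ == "__main__":
    print("intact, tampered-at:", demo())
    print("idle 14m59s still active:", session_active(0, 899))
    print("idle 15m logged off:", session_active(0, 900))
```

The chain only proves that nothing in the middle was altered; an attacker who controls the store can still drop the newest entries, which is why `head()` exists: ship the latest tag to a separate system (a SIEM, a WORM bucket, a ledger) at each rotation so that truncation is detectable during review. Keep the audit store write-once for application identities and reserve verification and export to a role that cannot write to it, which also lines up with the unique-user-identification and access-control requirements in the same paragraph.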
Physical safeguards include facility access controls, workstation use and security policies, and device and media controls governing the receipt, removal, and disposal of hardware and electronic media containing ePHI.
Each safeguard specification is designated as either “required” or “addressable.” Addressable does not mean optional — it means you must implement the specification, implement an equivalent alternative, or document why it is not reasonable and appropriate for your environment.
Risk analysis — the foundation of everything
The single most important HIPAA requirement is the risk analysis. OCR has cited failure to conduct an adequate risk analysis in the majority of its enforcement actions. A HIPAA risk analysis must identify all ePHI your organisation creates, receives, maintains, or transmits; identify threats and vulnerabilities to that ePHI; assess the likelihood and impact of potential threats; determine the current level of risk; and document the analysis and risk management decisions. This is not a one-time exercise — it must be reviewed and updated regularly.
Breach notification — timelines and requirements
When a breach of unsecured PHI occurs, HIPAA requires notification to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery; 60 days is the outer limit, not a grace period, and OCR has penalised entities that waited for it. "Unsecured" means PHI that was not rendered unusable, unreadable, or indecipherable under HHS guidance, so PHI encrypted in line with that guidance and lost without its key does not trigger notification, which is why encryption at rest and in transit is worth far more than its "addressable" label suggests. Breaches affecting 500 or more individuals require notification to OCR at the same time as the individual notices, and prominent media outlets must be notified when more than 500 residents of a single state or jurisdiction are affected. Breaches affecting fewer than 500 individuals must be logged and reported to OCR within 60 days after the end of the calendar year in which they were discovered. A business associate must notify the covered entity, which then owns the individual, OCR, and media notices. A well-prepared breach response plan, tested before an incident occurs, is essential for meeting these timelines and limiting regulatory exposure.
How we help
We build HIPAA compliance programmes that withstand OCR scrutiny. Our approach begins with a comprehensive risk analysis that identifies actual vulnerabilities, not a templated checklist. We implement all three safeguard categories with controls appropriate to your organisation’s size, complexity, and risk profile. We review and strengthen Business Associate Agreements, develop workforce training programmes, build and test incident response and breach notification procedures, and provide ongoing advisory support as your organisation and the regulatory landscape evolve.
What HIPAA Compliance gives your business
OCR-defensible compliance
a comprehensive risk analysis and documented safeguards provide the evidence OCR expects during investigations and compliance reviews
Reduced breach exposure
properly implemented technical and administrative safeguards reduce the likelihood and impact of PHI breaches, which carry the highest average cost of any industry
Business associate readiness
for technology companies serving healthcare clients, documented HIPAA compliance enables you to execute BAAs confidently and win healthcare contracts
Tested breach response
a rehearsed breach notification plan ensures you can notify affected individuals without unreasonable delay, and never later than 60 days after discovery, and coordinate communications with OCR, affected individuals, and media
Workforce awareness
targeted security awareness training reduces the human error (misdirected records, phishing, lost devices) behind a large share of healthcare data breaches
We are a technology company, not a healthcare provider. Does HIPAA apply to us?
What is the penalty for HIPAA non-compliance?
How often must we conduct a HIPAA risk analysis?
Start your HIPAA Compliance journey today.
Every engagement begins with a free discovery call. No commitments, no pressure — just a clear picture of where you stand.
Other Services
SOC 2 Type I & II
Demonstrate security and reliability with the Trust Services Criteria.
ISO/IEC 27001:2022 (most requested)
Build a certified ISMS that satisfies enterprise clients, regulators, and procurement teams worldwide.
AI Governance (ISO/IEC 42001)
Govern AI responsibly with the world’s first international standard for AI Management Systems.