HIPAA Compliance: A Practical Guide to the Privacy, Security, and Breach Notification Rules
HIPAA is the U.S. law requiring covered entities and their business associates to safeguard protected health information (PHI). There is no official "HIPAA certification" — the HHS Office for Civil Rights (OCR) enforces it, and compliance is self-attested. Policy templates and a Security Risk Assessment workbook build the required documentation fast, but you still operate the safeguards and run your own risk analysis.
What is HIPAA?
HIPAA (the Health Insurance Portability and Accountability Act) is a federal law whose privacy and security regulations live in 45 CFR Part 160 and Part 164, organized into three core rules. The Privacy Rule (Subpart E, 45 CFR 164.500 and following) governs how PHI in any form — paper, electronic, or spoken — may be used and disclosed. The Security Rule (Subpart C) sets administrative, physical, and technical safeguards for electronic PHI (ePHI) and is anchored by a mandatory risk analysis at 45 CFR 164.308(a)(1)(ii)(A). The Breach Notification Rule (Subpart D, 45 CFR 164.400 and following) dictates who must be notified, and when, after an unauthorized disclosure of unsecured PHI.
Who needs it?
HIPAA applies to two groups. Covered entities are health plans, healthcare clearinghouses, and healthcare providers (doctors, dentists, therapists, clinics, pharmacies) that transmit health information electronically in connection with standard transactions. Business associates are vendors that create, receive, maintain, or transmit PHI on a covered entity's behalf — billing companies, IT and cloud providers, EHR vendors, transcription services, and many SaaS tools — and they have been directly liable for Security Rule and many Privacy Rule obligations since the 2013 Omnibus Rule. Software brings you under HIPAA only when it handles PHI on behalf of a covered entity or business associate, which makes you a business associate yourself; a direct-to-consumer health app that does not act on a covered entity's behalf is generally outside HIPAA and instead falls under the FTC Act and the FTC Health Breach Notification Rule. Wherever an entity does handle PHI for a covered entity, a signed Business Associate Agreement is required between the parties.
What does HIPAA readiness cost?
| Option | Typical cost | Time to ready |
|---|---|---|
| DIY with the free HHS/ONC SRA Tool + self-written policies | $0 (your staff time) | Many weeks to months; you write every policy from scratch |
| ComplianceDocs HIPAA toolkit (practice-specific, 18 policies + Security Risk Assessment workbook + audit evidence checklist) | $79 one-time | Hours to days to tailor; then operate the safeguards |
| HIPAA consultant or law firm | $1,250-$2,750+ (more for full gap assessments) | Several weeks, dependent on consultant availability |
| Compliance automation platform (subscription) | ~$7,000-$30,000/year | Weeks to onboard; ongoing platform cost |
Typical timeline
1. Confirm your status and scope — Determine whether you are a covered entity, a business associate, or both, and inventory every system, vendor, and location where PHI or ePHI is created, stored, or transmitted.
2. Designate accountability — Appoint a Security Official and a Privacy Official (the same person can hold both in a small practice) responsible for the program, per 45 CFR 164.308(a)(2) and 164.530.
3. Conduct the Security Rule risk analysis — Complete an accurate, thorough risk analysis of threats and vulnerabilities to ePHI under 45 CFR 164.308(a)(1)(ii)(A), using a structured workbook or the free HHS/ONC SRA Tool.
4. Adopt and tailor policies and safeguards — Put administrative, physical, and technical safeguards in writing and into practice: access controls, encryption, audit logging, training, workstation security, device and media controls.
5. Execute Business Associate Agreements — Sign a compliant BAA with every vendor that touches PHI on your behalf before sharing data, and track them.
6. Train workforce, then review annually — Train all staff, run a breach-response procedure, and re-perform the risk analysis and policy review at least annually or after any material change.
How editable templates speed this up
ComplianceDocs HIPAA toolkits give you the documentation HHS OCR expects to see, written for how your specific practice handles PHI. Each $79 practice-specific edition includes 18 editable Word policies — covering the Security Management, access control, encryption, audit controls, contingency planning, incident response, breach notification, business associate management, and Privacy Rule requirements — plus an Excel Security Risk Assessment workbook and an audit evidence checklist. The templates do not, by themselves, make you HIPAA compliant: you still have to complete your own risk analysis, sign your BAAs, train your staff, and actually operate the safeguards. What they remove is the slowest and most error-prone part — drafting comprehensive, correctly-scoped documentation from a blank page.
Recommended HIPAA toolkits
HIPAA Compliance Toolkit — Medical Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.
HIPAA Compliance Toolkit — Dental Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written specifically for dental offices.
HIPAA Compliance Toolkit — Mental Health Practices
18 editable HIPAA policies written for therapists and behavioral-health practices — teletherapy security, psychotherapy-notes handling — plus the Security Risk Assessment workbook and audit evidence checklist.
Frequently asked questions
- Is there an official HIPAA certification?
- No. Unlike ISO 27001, HIPAA has no accredited certification and no government-issued certificate. Compliance is self-attested and enforced by HHS OCR, which investigates complaints and breaches. Any vendor selling a 'HIPAA certified' seal that supposedly proves compliance is a red flag — OCR does not certify organizations, products, or templates.
- Will buying HIPAA templates make my practice compliant?
- No. Templates provide the required policies and risk-assessment methodology, but compliance comes from operating the safeguards and completing your own risk analysis for your practice under 45 CFR 164.308(a)(1)(ii)(A). The documentation supports compliance and is what auditors and investigators ask for first; running the program achieves it.
- How fast do I have to report a HIPAA breach?
- Under the Breach Notification Rule (45 CFR 164.400 and following), you must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI. Notification to the HHS Secretary follows two tracks: a breach affecting 500 or more individuals must be reported to HHS within that same 60-day window, while breaches affecting fewer than 500 individuals are logged and reported to HHS annually (within 60 days after the end of the calendar year). Separately, a breach affecting more than 500 residents of a single state or jurisdiction also requires notice to prominent media serving that area, no later than 60 days. The toolkit includes a breach notification procedure to operationalize this.
- Does HIPAA require encryption?
- Under the current Security Rule, encryption of ePHI is an 'addressable' implementation specification: you must encrypt or document a reasonable, equivalent alternative. Encryption also creates a safe harbor from breach notification. Note that the HIPAA Security Rule NPRM published January 6, 2025 (comment period closed March 7, 2025) proposes to make encryption mandatory with limited exceptions; as of mid-2026 no final rule has been issued, so the current rule remains in effect — treat strong encryption as a practical baseline now.
