Health Insurance Portability and Accountability Act (HIPAA)


What is HIPAA?

The major aim of HIPAA is to protect sensitive patient information by implementing data protection standards and guidelines. Health care facilities and other entities must abide by these regulations on privacy.

HIPAA compliance is adherence to the physical, administrative, and technical safeguards outlined in HIPAA, which covered entities and business associates are required to follow to protect Protected Health Information (PHI). Protected health information is any data that would identify a client or patient of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, Aadhaar numbers, medical records, and full facial photos, to name a few.

Who Needs to be HIPAA Compliant?

Organizations required to comply with HIPAA fall into two categories.

Covered Entities:

The HIPAA regulations define a covered entity as any entity that uses, collects, creates, or transmits PHI. Health care organizations that are considered covered entities include health care providers, health care clearinghouses, and health insurance providers.

Business Associates:

Organizations that work with a covered entity in a non-healthcare capacity and encounter PHI in any way over the course of that work are responsible for maintaining HIPAA compliance. Lawyers, accountants, administrators, billing companies, third-party consultants, EHR platforms, physical storage providers, and cloud storage providers are some common examples of business associates.

What is required for HIPAA Compliance?

HIPAA sets out a set of national standards that covered entities and business associates must adhere to.


Self-Audits:

HIPAA requires covered entities and business associates to audit their organization annually to identify administrative, technical, and physical gaps in compliance with the HIPAA Privacy and Security standards.

Remediation Plans:

Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to restore compliance. Remediation plans must be well documented and include calendar dates by which gaps will be remedied.

Policies, Procedures, Employee Training:

Covered entities and business associates are required to develop policies and procedures that comply with HIPAA regulations. These policies and procedures must be updated regularly as required to reflect changes to the organization. Staff must be trained on these policies and procedures annually, along with attestation that they have read and understood each policy and procedure.


Documentation:

HIPAA-beholden organizations are required to document ALL efforts they make to comply with HIPAA. This documentation is essential during a HIPAA investigation by HHS OCR and for passing strict HIPAA audits.

Business Associate Management:

Covered entities and business associates alike must document all vendors with whom they share PHI, and execute Business Associate Agreements in order to ensure PHI is handled securely and mitigate liability. Annually, BAAs must be reviewed to account for changes to organizational relationships with vendors.

Incident Management:

If a covered entity or business associate suffers a data breach, they must document the breach and notify the affected patients that their data has been compromised, in accordance with the HIPAA Breach Notification Rule.

Get Started Today!

To receive a quote, write us at Get all your questions answered, choose the package that works best for you, and then you are ready to go!