Table of Contents
- HIPAA Compliance Overview
- HIPAA Violations and Penalties
- Road to HIPAA Compliance
- Implementing and Maintaining HIPAA Compliance
- How Stratify IT Can Help
- Frequently Asked Questions
- 1. What's the difference between a HIPAA violation and a HIPAA breach, and does that distinction affect penalties?
- 2. How does OCR actually find out about a compliance problem? Does someone have to report it?
- 3. If a business associate causes a breach, can the covered entity still face penalties even if they had a BAA in place?
- 4. How often should a HIPAA risk analysis actually be updated?
- 5. Are smaller medical practices held to the same HIPAA standards as large hospital systems?
- 6. What's the first thing an organization should do if they suspect a PHI breach has already occurred?
Healthcare organizations remain the most targeted sector for data breaches — and the most expensive. In 2024, 725 large breaches were reported to the HHS Office for Civil Rights (OCR), exposing the protected health information of more than 275 million individuals. IBM's 2024 Cost of a Data Breach report puts the average healthcare breach cost at $9.77 million, the highest of any industry. OCR closed 22 investigations with financial penalties that year alone, collecting over $12.8 million.
HIPAA compliance is how covered entities and their business associates reduce that exposure — not just as a regulatory obligation, but as a baseline for operating securely with patient data. Organizations that treat compliance as a one-time checkbox tend to discover their gaps during an OCR investigation, not before it. Understanding what HIPAA compliance costs to build and maintain is a practical starting point for organizations planning that investment.
HIPAA Compliance Overview
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations handling sensitive patient data to maintain administrative, physical, and technical safeguards. HIPAA applies to two categories of organizations:
- Covered Entities: Healthcare providers (physicians, hospitals, clinics, long-term care centers), health insurance companies, HMOs, and healthcare clearinghouses.
- Business Associates: Organizations that access PHI in the course of providing services to covered entities — including IT providers, billing companies, CPAs, attorneys, and consultants. Under the HIPAA Omnibus Rule, business associates and their subcontractors are directly liable for HIPAA violations, not just the covered entity they serve.
When a covered entity fails to verify that its business associates are adhering to HIPAA compliance and a PHI breach occurs, the covered entity can be held legally liable in addition to the business associate.
HIPAA compliance is built on three rules:
- Privacy Rule: Governs the use and disclosure of PHI, defining what constitutes permissible access and when patient authorization is required.
- Security Rule: Requires covered entities and business associates to implement specific safeguards across three domains:
  - Administrative: Security management processes, designated security personnel, workforce training, access management, and periodic evaluation.
  - Physical: Facility access controls, workstation and device security, and media disposal procedures.
  - Technical: Access controls, audit logs, data integrity controls, and transmission security (encryption).
- Breach Notification Rule: Requires organizations to notify affected individuals, HHS, and in some cases the media, within 60 days of discovering a breach involving PHI.
HIPAA Violations and Penalties
The OCR Enforcement Rule allows HHS to impose civil monetary penalties of up to $1.5 million per violation category per year. In 2024, 85% of reported healthcare breaches were attributed to hacking and IT incidents — ransomware, phishing, and unauthorized access — not lost paperwork or accidental disclosures. The most commonly cited violation in OCR enforcement actions is failure to conduct an adequate risk analysis, which is a Security Rule requirement and the foundation of every other compliance obligation.
Common HIPAA violations that trigger OCR investigations:
- Failure to conduct or document an organization-wide risk analysis (the most frequently cited violation in OCR enforcement actions)
- Unencrypted laptops, mobile devices, or portable media containing PHI
- PHI transmitted via unencrypted email, text, or messaging platforms
- PHI stored on unsecured or unencrypted systems
- Unauthorized access to PHI — including by workforce members accessing records outside their job function
- No documented business associate agreements (BAAs) with vendors who handle PHI
- Inadequate breach notification procedures — late notification or failure to notify at all
- No documented disaster recovery or business continuity plan covering PHI availability
- Insufficient or undocumented workforce training on PHI handling and security
- No policy for disposing of documents or devices containing PHI
Road to HIPAA Compliance
HIPAA compliance operates most effectively as part of a broader governance, risk, and compliance program rather than as a standalone technical project. A qualified IT firm approaching a HIPAA compliance engagement will start by mapping the current environment against the Security Rule's requirements. The discovery process typically covers:
- Where PHI is stored, transmitted, and accessed — including cloud services, email platforms, EHR systems, and endpoint devices
- What access controls are in place and whether access is scoped to minimum necessary
- Whether MFA is enforced on systems that access PHI
- What audit logging is configured and whether logs are reviewed
- Whether data is encrypted at rest and in transit, and what encryption standards are used
- Whether terminated employees' access is revoked promptly and completely
- What password, account lockout, and session timeout policies are configured
- Whether backup and disaster recovery procedures are documented and tested
- When the last formal risk analysis was conducted and documented
- Whether BAAs are in place with all vendors that touch PHI
- When workforce HIPAA training was last completed and what it covered
- What incident response procedures exist and whether they've been tested
The answers to these questions determine the gap between current state and Security Rule requirements — and the remediation priority list that follows.
HIPAA compliance requirements evolve as technology changes and new threat patterns emerge. The HITECH Act, now integrated into the HIPAA rule set, expanded breach notification obligations and increased penalty exposure for willful neglect. HHS published a proposed update to the HIPAA Security Rule in January 2025 that would mandate MFA, encryption for data at rest and in transit, network segmentation, and regular vulnerability testing for all covered entities — codifying controls that leading organizations are already implementing.
Implementing and Maintaining HIPAA Compliance
1. Risk Analysis
The risk analysis is the starting point and the most commonly cited gap in OCR enforcement actions. It involves identifying all systems and locations where PHI is stored or transmitted, assessing the likelihood and potential impact of threats to that data, and documenting the results. The risk analysis is not a one-time exercise — it must be reviewed and updated when systems change, new services are added, or incidents occur. Tools like Microsoft Purview and purpose-built HIPAA compliance platforms help automate documentation and control tracking.
2. Technical Controls
The Security Rule's technical safeguards have direct IT implementation requirements. MFA on all systems that access PHI — enforced through Microsoft Entra ID or equivalent — closes the single largest attack vector: compromised credentials. The Change Healthcare breach in 2024, which exposed the PHI of an estimated 190 million individuals, originated from a Citrix portal that lacked MFA. Encryption for data at rest (BitLocker on endpoints, encryption at the storage layer for servers and cloud) and in transit (TLS) is required. Audit logging through a SIEM platform documents access events and provides the evidence OCR requests during investigations.
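As an added example (not Stratify IT's tooling and not an OCR-published method), the following Python script turns the discovery checklist, the risk analysis step, and the technical-control requirements described above into a small gap assessment: each PHI system in an inventory is checked against the technical safeguards the checklist names, given a likelihood and impact score, and sorted into a remediation priority list. The `PhiSystem` inventory, the impact bands, the likelihood rules, and the control weights are all constructed assumptions chosen to mirror the checklist, not figures from HHS or OCR.

```python
"""Risk analysis and Security Rule gap assessment over a constructed PHI inventory.

Added example, not Stratify IT's tooling or an OCR-published method. The
inventory, impact bands, likelihood rules and control weights are constructed
assumptions that mirror the discovery checklist in the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Technical safeguards from the discovery checklist, keyed by inventory attribute.
# The weight (constructed) ranks how much a missing control raises priority.
REQUIRED_CONTROLS: Dict[str, Tuple[str, int]] = {
    "mfa_enforced":         ("MFA enforced on PHI access", 5),
    "encrypted_at_rest":    ("Data encrypted at rest", 4),
    "encrypted_in_transit": ("Data encrypted in transit (TLS)", 4),
    "audit_logging":        ("Access events logged to a SIEM", 3),
    "logs_reviewed":        ("Audit logs reviewed on a schedule", 2),
    "access_revocation":    ("Terminated users' access revoked promptly", 3),
}
# Only systems a vendor operates on the entity's behalf need a BAA.
VENDOR_CONTROLS: Dict[str, Tuple[str, int]] = {
    "baa_signed": ("Signed BAA with the vendor", 4),
}


@dataclass
class PhiSystem:
    name: str
    phi_records: int          # individuals whose PHI the system holds
    internet_facing: bool
    vendor_operated: bool
    controls: Dict[str, bool] = field(default_factory=dict)


def impact(system: PhiSystem) -> int:
    """1-5 impact band by record count (constructed bands; 500 records is the
    article's threshold for mandatory OCR notification)."""
    for band, limit in enumerate((500, 5_000, 50_000, 500_000), start=1):
        if system.phi_records < limit:
            return band
    return 5


def likelihood(system: PhiSystem) -> int:
    """1-5 likelihood; internet exposure and missing MFA dominate, reflecting
    the article's point that compromised credentials are the largest vector."""
    score = 1
    if system.internet_facing:
        score += 2
    if not system.controls.get("mfa_enforced", False):
        score += 2
    if not system.controls.get("encrypted_at_rest", False):
        score += 1
    return min(score, 5)


def gaps(system: PhiSystem) -> List[Tuple[str, int]]:
    """Missing required controls as (description, weight) pairs."""
    required = dict(REQUIRED_CONTROLS)
    if system.vendor_operated:
        required.update(VENDOR_CONTROLS)
    return [(desc, w) for key, (desc, w) in required.items()
            if not system.controls.get(key, False)]


def assess(inventory: List[PhiSystem]) -> List[dict]:
    """Risk register rows in remediation priority order: highest
    likelihood x impact first, total gap weight as the tiebreaker."""
    rows = []
    for s in inventory:
        g = gaps(s)
        rows.append({
            "system": s.name,
            "likelihood": likelihood(s),
            "impact": impact(s),
            "risk": likelihood(s) * impact(s),
            "gap_weight": sum(w for _, w in g),
            "gaps": [desc for desc, _ in g],
        })
    return sorted(rows, key=lambda r: (-r["risk"], -r["gap_weight"], r["system"]))


# Constructed inventory for a hypothetical clinic; none of this is real data.
INVENTORY = [
    PhiSystem("EHR (on-prem)", 250_000, internet_facing=False, vendor_operated=False,
              controls={"mfa_enforced": True, "encrypted_at_rest": True,
                        "encrypted_in_transit": True, "audit_logging": True,
                        "logs_reviewed": False, "access_revocation": True}),
    PhiSystem("Patient portal", 250_000, internet_facing=True, vendor_operated=False,
              controls={"mfa_enforced": False, "encrypted_at_rest": True,
                        "encrypted_in_transit": True, "audit_logging": True,
                        "logs_reviewed": False, "access_revocation": True}),
    PhiSystem("Billing vendor SFTP", 40_000, internet_facing=True, vendor_operated=True,
              controls={"mfa_enforced": True, "encrypted_at_rest": True,
                        "encrypted_in_transit": True, "audit_logging": False,
                        "logs_reviewed": False, "access_revocation": True}),
    PhiSystem("Clinic laptops", 1_200, internet_facing=False, vendor_operated=False,
              controls={"mfa_enforced": True, "encrypted_at_rest": False,
                        "encrypted_in_transit": True, "audit_logging": False,
                        "logs_reviewed": False, "access_revocation": False}),
]

if __name__ == "__main__":
    for row in assess(INVENTORY):
        print(f"{row['system']:<22} risk={row['risk']:>2} "
              f"(L{row['likelihood']} x I{row['impact']}) "
              f"gaps: {', '.join(row['gaps']) or 'none'}")
```

On the constructed inventory the internet-facing portal without MFA lands at the top of the list, the vendor SFTP service surfaces a missing BAA that an internal-only checklist would never ask about, and the unencrypted laptop fleet outranks the well-controlled EHR despite holding far fewer records because it carries more open gaps. Re-running the script after every system change is the cheap way to keep the risk analysis a living document rather than a shelved deliverable.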
3. Policies, Procedures, and Training
Documented policies covering PHI use and disclosure, incident response, workforce access management, and media disposal are required under the Privacy and Security Rules. Policies that exist but aren't followed — or exist only on paper and were never distributed — don't satisfy the requirement. Workforce training must be ongoing and cover actual threat scenarios, not just a one-time onboarding module. Platforms like KnowBe4 provide HIPAA-specific training content that can be tracked and documented for audit purposes.
4. Business Associate Management
Over 80% of hacked PHI records in recent years were stolen from business associates and third-party vendors, not directly from hospital systems, according to AHA analysis. Every vendor that accesses, stores, or transmits PHI on your behalf requires a signed BAA — and the BAA must accurately reflect what the vendor actually does with the data. Covered entities are responsible for verifying that business associates maintain adequate security controls, not just for obtaining a signed agreement.
How Stratify IT Can Help
Stratify IT provides HIPAA compliance services for healthcare organizations and business associates — from initial risk analysis and gap assessment through technical control implementation, policy development, workforce training, and ongoing compliance monitoring. We work with covered entities that need to build a defensible compliance program from scratch, and with organizations that have existing programs and need them validated against current OCR enforcement priorities.
If your organization hasn't conducted a documented risk analysis recently — or isn't certain whether your current IT environment meets Security Rule requirements — contact us to start with an assessment. We'll give you a clear picture of where you stand before OCR does.
Learn more about our HIPAA compliance services to see the full range of what we offer.
Stratify IT — HIPAA compliance built around your organization, not a template.
For more on healthcare cybersecurity and compliance, explore our HIPAA compliance services.
Frequently Asked Questions
1. What's the difference between a HIPAA violation and a HIPAA breach, and does that distinction affect penalties?
A breach is unauthorized access or disclosure of PHI. A violation is any failure to comply with HIPAA rules, which may or may not involve a breach. OCR can penalize organizations for violations even when no breach occurred, such as failing to conduct a required risk analysis or not having signed Business Associate Agreements in place. Penalty tiers range from $141 to $71,162 per violation category, with annual caps up to $2.1 million for identical violations.
2. How does OCR actually find out about a compliance problem? Does someone have to report it?
Not always. OCR initiates investigations through three channels: breach notifications that covered entities are required to self-report, complaints filed by patients or employees, and compliance reviews OCR launches on its own initiative. A breach affecting 500 or more individuals triggers mandatory notification to OCR within 60 days. Smaller breaches get logged annually. Complaints from disgruntled former employees have triggered some of the largest enforcement actions, so internal culture matters more than most organizations realize.
3. If a business associate causes a breach, can the covered entity still face penalties even if they had a BAA in place?
Yes. A signed Business Associate Agreement is necessary but not sufficient. OCR expects covered entities to actively verify that their business associates are following through on their HIPAA obligations, not just collect signatures. If you hired an IT vendor, signed a BAA, and never checked whether they actually implemented required safeguards, OCR can still hold you partially liable. The BAA shifts some legal exposure but doesn't eliminate your responsibility for due diligence.
4. How often should a HIPAA risk analysis actually be updated?
OCR's guidance says it should be reviewed regularly and updated in response to environmental or operational changes, which in practice means at minimum annually, and whenever something significant shifts: a new EHR system, a cloud migration, a merger, a new vendor with PHI access, or a workforce reduction. Organizations that conduct a thorough risk analysis once and shelve it for three years are treating a living document like a finished deliverable, which is exactly the pattern OCR flags during audits.
5. Are smaller medical practices held to the same HIPAA standards as large hospital systems?
The same rules apply, but OCR does consider the size, complexity, and resources of an organization when calculating penalties. A solo physician practice won't face the same fine as a 10-hospital health system for an identical violation. That said, small practices are frequently underprepared and represent a significant share of OCR investigations. Limited IT staff and budget don't create exemptions; they just mean smaller organizations need to prioritize the highest-risk gaps rather than trying to build compliance infrastructure overnight.
6. What's the first thing an organization should do if they suspect a PHI breach has already occurred?
Stop the bleeding first: contain the incident by isolating affected systems before worrying about paperwork. Then begin a factual investigation to determine what data was accessed, by whom, and for how long. HIPAA's Breach Notification Rule requires a four-factor risk assessment to determine whether notification is legally required. If there's meaningful uncertainty about scope, bring in a forensic firm early. Delaying the investigation or self-reporting without accurate information are both common mistakes that complicate OCR's view of an organization's good faith.