Health Insurance Portability & Accountability Act

Understanding HIPAA
Compliance

An interactive guide to the privacy and security regulations that protect patient health information across the United States.

Core Pillars of HIPAA

HIPAA establishes a uniform, national standard for protecting sensitive patient health information. It applies to covered entities and their business associates, affecting how healthcare data is stored, transmitted, and disclosed.

🔒

Privacy Rule

Regulates who can access Protected Health Information (PHI) and under what circumstances it can be used or disclosed without patient authorization.

🛡️

Security Rule

Sets standards for administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).

📋

Breach Notification

Requires covered entities to notify affected individuals, HHS, and sometimes the media when a breach of unsecured PHI occurs.

🤝

Business Associates

Any entity receiving PHI to perform services on behalf of a covered entity must sign a Business Associate Agreement (BAA) and comply with the same protections.

📡

Electronic Transactions

Standardizes the format and code sets used for electronic healthcare transactions like claims, enrollment, and payment — promoting administrative simplification.

⚖️

Enforcement

The Office for Civil Rights (OCR) within HHS investigates complaints, conducts audits, and can impose civil monetary penalties for non-compliance.

Compliance Readiness Checker

Evaluate your organization's readiness. Check each item you've addressed to see your compliance posture. This is for educational purposes only — not legal advice.

✓

Designated Privacy OfficerAppointed a Privacy Official responsible for developing and implementing privacy policies.
✓

Written Privacy PoliciesDocumented policies and procedures that comply with the HIPAA Privacy Rule.
✓

Employee TrainingAll workforce members have completed HIPAA training on law requirements and office procedures.
✓

Risk AssessmentConducted a thorough risk analysis identifying threats and vulnerabilities to ePHI.
✓

Business Associate AgreementsBAAs are in place with all vendors and third parties who handle PHI on your behalf.
✓

Access ControlsTechnical safeguards limit ePHI access to authorized personnel only, with unique user IDs.
✓

EncryptionData encryption is applied to ePHI both at rest and in transit.
✓

Notice of Privacy PracticesPatients are provided with a clear notice explaining how their health information may be used.
✓

Breach Response PlanAn incident response plan is in place for detecting, reporting, and mitigating breaches of PHI.
✓

Physical SafeguardsFacility access controls, workstation security, and device/media disposal procedures are implemented.

Compliance Score 0%

Check the items above to assess your readiness.

Key HIPAA Terms

Tap any term to expand its definition. Use the search bar to filter.

Violation Penalty Tiers

HIPAA enforcement has four tiers of civil monetary penalties based on the level of culpability. Criminal penalties can also apply for knowing misuse of health information.

Tier	Description	Penalty per Violation
Tier 1	Lack of knowledge — the entity did not know and could not have reasonably known of the violation.	$100 – $50,000
Tier 2	Reasonable cause — the violation was not due to willful neglect.	$1,000 – $50,000
Tier 3	Willful neglect, corrected within 30 days of discovery.	$10,000 – $50,000
Tier 4	Willful neglect, not corrected within 30 days.	$50,000+

Criminal Penalties

Individuals who knowingly obtain or disclose PHI can face fines up to $250,000 and up to 10 years in prison, depending on the severity and intent of the offense.

State Law Preemption

Where existing state law is stricter than HIPAA, those local statutes take precedence. HIPAA provides a baseline — not a ceiling — for privacy protection.

Test Your Knowledge

A quick 8-question quiz to check your understanding of HIPAA fundamentals.

Understanding HIPAACompliance