What is HIPAA Compliance?

The Health Insurance Portability and Accountability Act (HIPAA), enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), mandates cybersecurity standards for businesses in the healthcare industry and healthcare insurance industry that handle information related to protected health information (PHI).

The HIPAA act Title II establishes policies and procedures for maintaining the privacy and security of identifiable health information, outlines potential offenses relating to health care, and details civil and criminal penalties for violations. It has five rules regarding HIPAA designed to increase the efficiency of the health care system by creating standards for the use and dissemination of healthcare information.

HIPAA requires “covered entities” to implement security and data privacy controls to protect patient’s health information from unauthorized access. HIPAA rules are equally applicable to every type of covered entity including health plans, health care clearinghouses, and health care providers responsible for the transmission of healthcare data in a manner regulated by HIPAA. Business Associates that create, access, process, or store PHI are also required to be HIPAA compliant.

HIPAA dictates that all covered entities must implement security and data privacy controls to protect patient’s health information from unauthorized access. Covered entities include health plan providers, healthcare providers, healthcare clearinghouses, and many more businesses.

While HIPAA was first signed into law in 1996, several amendments to the regulation have been included to keep in line with the ever-increasing cybersecurity enhancements to combat digital data breaches within the healthcare industry.

Driving Greater Information
Security in Digital Healthcare

Why is HIPAA Compliance Important?

Healthcare providers should understand the importance of being HIPAA-compliant.

With the enormous volumes of personal data that are collected, handled and transmitted every day, a single data breach caused by non-compliance could have devastating repercussions to both patients and their providers.

For example, civil penalties range from $100 to $50,000 per violation. Criminal violations carry a penalty range from $50,000 to $250,000 in addition to imprisonment from 1 year up to 10 years.

HIPAA violations such as data breaches can result in hefty financial penalties, loss of patient trust and reputational suffering. So ensuring HIPAA compliance within a healthcare organization and with its business associates is vital to long-term sustainability.

HIPAA Requirements at a Glance

While the current HIPAA standard hasn’t been updated since 2013, there is talk that new regulations will emerge in 2021 regarding several post-COVID-19 topics such as:

  • bringing telehealth into compliance with expanding HIPAA regulations
  • adjusting to changing clinical trials
  • encouraging digital relationships while assuring that patient privacy stays protected

For the HIPAA compliance process as it stands today, five main rules guide HIPAA requirements. They are:


The HIPAA Privacy


The HIPAA Security


The Omnibus


The Breach
Notification Rule


The Enforcement

HIPAA Compliance Checklist

With more than 115 pages of HIPAA requirements to consider, assuring that you’re compliant with each applicable rule can be a challenge.

To help you get started we’ve compiled a checklist from this HIPAA compliance guide:


Indicate in your privacy policy why you’re collecting a patient’s sensitive data and what you plan to do with it.


Be sure that your patients have given you permission to process, store and use their information and have signed your privacy policy notices.


Assign a compliance officer to oversee HIPAA Privacy Rule implementation.


Review your third-party business associate agreements (BAAs) to make sure they require HIPAA-compliant handling of PHI.


Test your processes for honoring patient requests. If patients ask who has seen their health records and when, can you show them?


Check your procedures to assure that you can honor patients’ requests to hide their medical records from view or remove them from your database.


Provide HIPAA compliance training, to educate employees in the proper handling of PHI, including electronic health records.


Set and document your risk management and data security compliance program. Keep detailed records of PHI breaches, noting whom you notified and when, post-breach assessments and remediation efforts.


Undertake regular risk assessments of your organization regarding the privacy and security of PHI and ePHI. A HIPAA security risk assessment checklist can help assure that this assessment meets HIPAA protocols. Where necessary, mitigate the risks you find or adjust your policies.


Set texting, smartphone and email policies to restrict internal and provider-patient text messaging and emails to HIPAA-approved applications only.


Strengthen your controls around the PHI that you store. This might include mobile device and email encryption, firewalls, multi-factor authentication and workforce security training and testing.


Establish technical safeguards around e-PHI, including administrative safeguards like access control and authentication, encryption and decryption, continuous monitoring and auto log-off protocols.

A certified public accountant (CPA) can verify compliance with an audit and compliance report issued under the attestation standards “AT-C Section 315: Compliance Attestation.

Find out what HIPAA auditors are specifically looking into by registering for the step by step guide


RiskOptics Has Your HIPAA Compliance Solution

HIPAA’s security and privacy regulations are clear and its policies are specific. Enforcement is strict, however: One slip-up can cost $500,000; repeated violations can net fines of up to $1.5 million for the most serious violations.

Our solutions present HIPAA regulations in a format you can grasp at first glance. Its dashboard shows where you already comply, as well as where you don’t, along with contextual insight so you can fill in the gaps..

Then, when you’re ready, ZenGRC makes self-auditing a breeze so you can prove compliance. With so much of the HIPAA heavy lifting done for you, your panic mind becomes a Zen mind. Clarity achieved. Compliance complete.

ZenGRC HIPAA Capabilities

  • User-friendly dashboard with real-time metrics on prioritized risks
  • Pre-built evidence request templates can help you with your compliance audits
  • A central repository for HIPAA compliance documentation
  • Universal Control Mapping to fulfill multiple requirements with a single control
  • Complete Risk Management functionality for assessments, scoring, and treatment throughout the risk lifecycle
  • Interconnectivity between threats, vulnerabilities, risks, and controls for greater insight and monitoring
Ready to see ZenGRC in action?

Frequently Asked Questions

Yes. HIPAA is a law that says all covered entities are required to implement security and data privacy controls to protect patient health information from unauthorized access. Covered entities include health plan providers, healthcare providers and healthcare clearinghouses.

Any organization that is required to be HIPAA compliant can benefit from compliance software that enables it to survey its sensitive data and security controls to see where the business is already compliant, as well as where it isn’t, and how to fill the gaps.

While the HIPAA Privacy Rule empowers patients to obtain and control their own PHI, the HITECH Act increases those rights by allowing patients to obtain copies of health records in electronic form if the covered entity maintains the records in that format.

HITECH also prohibits organizations from selling PHI except under limited, specific circumstances. This effectively stopped providers from profiting off of treatment recommendations.

The HIPAA Security Rule sets out security standards for protecting the confidentiality, integrity and availability of ePHI. It requires covered entities to implement technical safeguards to prevent unauthorized access and related security incidents.

While a firewall is an important part of a comprehensive cybersecurity program, HIPAA compliance software has a somewhat different purpose.

The purpose of a compliance management software solution like the RiskOptics ROAR Platform is to help organizations assure that they’ve met all cybersecurity and data privacy controls and documentation required by HIPAA rules.

A firewall is only a single requirement, of many, that an organization might be required to implement to meet its compliance obligations.

No programming languages are inherently secure. Instead, the software is made compliant by the developer who adopts the HIPAA compliance best practices while creating the software.

That said, a variety of programming languages can be used in various medical settings, so long as the language is used in a compliance-ready environment.

And on that note, Python is one of the most frequently used programming languages for HIPAA compliant software.