HIPAA Compliance: Everything You Need to Know

HIPAA compliance guide explaining rules, requirements, and violations.

Healthcare data is one of the most targeted assets for cybercriminals. Medical records, insurance details, and patient identifiers carry significant financial and personal value. Organizations that handle this information face strict regulatory requirements under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA applies not only to hospitals and health plans but also to vendors, SaaS platforms, and service providers that handle protected health information (PHI). Understanding what compliance requires—and where organizations often fall short—is essential for building a strong security and compliance program.

In this article, I will explain what HIPAA compliance means, who it applies to, the key rules organizations need to understand, and how CPA and advisory firms can support HIPAA-related engagements more efficiently.

What Is HIPAA Compliance?

HIPAA compliance requires organizations to implement policies, procedures, and safeguards that protect protected health information (PHI). In practice, this means the organization must establish and follow documented rules and systems governing how PHI is created, stored, accessed, shared, and disclosed.

PHI includes:

  • Medical records and diagnoses.

  • Health insurance information.

  • Patient identifiers (name, address, Social Security number, date of birth).

  • Billing and payment information.

HIPAA establishes standards to protect patient health information, support secure electronic healthcare transactions, and reduce fraud and abuse. Violations of HIPAA may lead to regulatory investigations, civil penalties, reputational damage, and potential legal consequences.

Who Is Required to Be HIPAA Compliant?

There are two distinct types of organizations regulated by HIPAA.

Covered Entities

Covered entities are organizations that handle or have access to patient health information (PHI). Examples include:

  • Clinics and physician practices

  • Health Insurers and HMOs

  • Hospitals

  • Healthcare clearinghouses

Business Associates

Business associates are third-party vendors or service providers that create, receive, maintain, or transmit PHI on behalf of a covered entity. Examples include:

  • Cloud computing and software-as-a-service (SaaS) providers.

  • Medical billing service providers.

  • IT service providers.

Business associates are typically required to sign a business associate agreement (BAA) with covered entities. Under the agreement, they are legally obligated to safeguard PHI and to adhere to the relevant portions of the HIPAA Privacy Rule. Business associates are liable for violations of the HIPAA rules; since the HIPAA Omnibus Rule, they can be held directly liable for certain violations.

The Main HIPAA Rules Explained

HIPAA Privacy Rule

The Privacy Rule establishes national standards for how and when PHI may be used or disclosed. Patients have specific rights over their health information, including the rights to access it, request amendments, and receive an accounting of disclosures.

One of the most important aspects of the Privacy Rule is the minimum necessary standard. This means that covered entities must attempt to use, disclose, or request only the minimum amount of PHI necessary for a given purpose.

HIPAA Security Rule

The HIPAA Security Rule applies only to electronic PHI (ePHI) and requires covered entities to implement reasonable and appropriate safeguards in the following three areas:

  1. Administrative safeguards: Risk analysis, security management processes, training of the workforce, incident response, etc.

  2. Physical safeguards: Control of access to the facility, protection of workstations, and device and media management.

  3. Technical safeguards: Control of access, encryption, audit logging, and transmission security.

According to HHS, the Security Rule is technologically neutral and scalable: it gives organizations flexibility to implement the required protections in a way that is appropriate to their size, complexity, and risk profile.

HIPAA Breach Notification Rule

When a breach of unsecured PHI occurs, covered entities must notify the following parties:

  • Affected individuals: Must be notified without unreasonable delay, and in no case later than 60 calendar days from the date of the breach discovery.

  • HHS Office for Civil Rights: Must be notified within 60 days of discovery for breaches affecting more than 500 individuals; smaller breaches may be reported annually.

  • The media: Must be notified when a breach affects more than 500 residents of a state or jurisdiction.

Business associates, in turn, must notify the covered entity within 60 days of discovering a breach.

HIPAA Omnibus Rule

The Omnibus Rule was finalized in January 2013 and became effective in March 2013. It expanded HIPAA enforcement by making business associates directly liable for breaches of the Security Rule. Subcontractors are now treated as business associates, and patients gained stronger privacy rights, including a prohibition on the sale of PHI.

HIPAA Compliance Requirements

HIPAA compliance is not a simple checklist exercise. It requires companies to develop a continuous program.

Risk Assessment and Risk Management

Companies are expected to conduct ongoing risk analysis to identify areas of vulnerability related to electronic protected health information (ePHI). Rather than being a one-time or periodic activity, this process should be continuously updated as systems, operations, and the threat landscape evolve.

Security Controls

HIPAA-covered organizations generally implement the following security protections:

  • Access control mechanisms.

  • Encryption of sensitive health data.

  • System activity logging and monitoring.

  • Authentication mechanisms for system access.

Policies and Documentation

HIPAA-covered organizations must retain required documentation for six years from the date it was created or the date it was last in effect. This retention requirement covers security and privacy policies, compliance records, and breach response plans.

Workforce Training

Every organization must ensure that staff receive adequate training for the areas relevant to their roles. Inadequate training is a frequently cited contributing factor in breach cases and enforcement investigations.

Vendor Management

All vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity must sign a BAA. Covered entities are obligated to obtain reasonable assurances, normally via BAAs, that business associates will safeguard PHI. Vendor risk translates directly into organizational risk.

HIPAA Compliance Checklist

You can use this checklist as a starting point for evaluating your organization's compliance posture:

  1. Conduct a HIPAA risk assessment.

  2. Identify where PHI is stored and processed.

  3. Implement role-based access controls.

  4. Protect ePHI using encryption where appropriate.

  5. Create an incident response plan.

  6. Train workforce members on HIPAA policies.

  7. Execute Business Associate Agreements.

  8. Monitor system activity and review audit logs.

  9. Maintain documentation for six years.

  10. Assign Privacy and Security Officers.

Common HIPAA Compliance Challenges

Understanding the rules is one thing; executing them is another. Here are the gaps most commonly found:

  1. Lack of Risk Assessments: One of the most common compliance failures is the absence of a comprehensive risk analysis. The HIPAA Security Rule requires every organization to assess the risks to the ePHI in its possession. Organizations either skip this evaluation entirely or perform it so infrequently that it is ineffective.

  2. Legacy Healthcare Systems: Healthcare settings tend to rely on older systems that lack modern cybersecurity capabilities. Some legacy EHR systems do not support encryption, strong authentication, or modern monitoring, which makes compliance harder to achieve.

  3. Vendor Risk: Because third-party vendors manage sensitive healthcare data, they introduce compliance risk. Covered entities need reasonable assurances, usually through a BAA, that vendors will safeguard PHI. If a vendor's security practices are not reviewed regularly, security gaps can go unnoticed.

  4. Workforce Errors: A significant number of violations are caused by people. Common mistakes include sending PHI to the wrong individual, granting unauthorized access to medical records, and revealing patient information through non-secure communications. Employee training and access controls can mitigate risk.

  5. Regulatory Interpretation: HIPAA rules are deliberately broad so that they apply to organizations of all sizes and levels of sophistication. That built-in flexibility makes it harder for organizations to interpret the regulatory language and to select appropriate technical and operational measures.

HIPAA Violation Examples

Real-world HIPAA violations tend to cluster around a handful of recurring scenarios:

  • Unencrypted devices: Lost or stolen laptops, mobile devices, or storage media that have patient record data can lead to reportable breaches if the data is unencrypted.

  • Unauthorized access: Employees accessing patient records when there is no legitimate work-related reason is referred to as “snooping” and can lead to violations of privacy and disciplinary actions.

  • Improper disclosures: Disclosing PHI to unauthorized persons or through unsecured means, like when one sends records to the wrong email address, is in violation of HIPAA's privacy requirements.

  • Cybersecurity breaches: Incidents such as ransomware attacks, phishing campaigns, and other cyberattacks can expose large volumes of electronic health information when adequate security measures are lacking.

  • Delayed breach notification: Breach notification delays can lead to additional penalties. HIPAA states that affected individuals and the Department of Health and Human Services must be notified of breaches without unreasonable delays, and in no event should it be more than 60 calendar days after the breach is discovered.

Civil penalties can range from $100 to $50,000 per violation depending on the level of negligence, with annual caps that may exceed $1.9 million for identical violations. The highest financial penalties arise from willful neglect that is left uncorrected. In certain cases involving willful misuse or malicious intent, criminal penalties may apply, including prison terms of up to 10 years.

How Roz Supports HIPAA Compliance Engagements

Roz helps CPA firms and advisory teams streamline HIPAA compliance engagements by organizing documentation, structuring workflows, and generating draft workpapers.

Here's how our tool fits into a compliance engagement workflow:

  • Organizing Client Documentation: Our tool provides client-specific workspaces where firms can organize policies, evidence, risk assessments, BAAs, and other engagement materials in one structured location.

  • Structuring Engagement Workflows: AI-assisted workflows help teams review documentation, perform first-pass control testing, and maintain consistent engagement processes.

  • Generating Workpapers: Our tool generates draft workpapers and structured documentation from firm templates and client evidence, complete with audit trails and source traceability.

  • Supporting Gap Analysis: Our tool can extract controls from client documentation and highlight potential gaps, helping advisory teams focus their review and remediation efforts.

For firms running multiple HIPAA engagements simultaneously, this structure matters. It standardizes documentation quality, improves team productivity, and helps produce defensible engagement outputs without the manual overhead.

Conclusion

HIPAA compliance is not a one-time project but an ongoing process. As healthcare cyber threats evolve and regulatory expectations grow, organizations must treat compliance as a continuous security program. That means conducting regular risk assessments, maintaining up-to-date policies, training employees, and ensuring vendors properly safeguard protected health information.

For advisory firms supporting clients through these engagements, having structured workflows and clear documentation is essential. Tools like Roz help companies organize evidence, manage engagement documentation, and streamline the delivery of compliance and assurance work.

I hope this article helped you understand HIPAA compliance and the key steps organizations must take to protect patient health information.

AI built for Auditors

© 2026 Roz. All rights reserved.