What's required for the Security Rule risk analysis?

The Security Rule mandates a comprehensive risk analysis identifying threats and vulnerabilities to ePHI confidentiality, integrity, and availability. This must include assessment of where ePHI is stored, potential threats, current security measures, likelihood and impact of threats, and risk remediation priorities.

Health Insurance Portability and Accountability Act

HIPAA compliance guide

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting Protected Health Information. Whether you're a covered entity, business associate, or subcontractor, we help you implement Privacy Rule, Security Rule, and Breach Notification requirements with clear processes and audit-ready documentation.

Start HIPAA assessment Book compliance consultation

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that established national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

Enforced by: U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses), business associates, and their subcontractors.

Privacy Rule

Controls PHI use and disclosure

Security Rule

Protects electronic PHI (ePHI)

Complements SOC 2 certification and ISO 27001 for healthcare information security.

Who needs to comply?

Covered entities

Healthcare providers, health plans, healthcare clearinghouses that transmit health information electronically

Business associates

Third parties that create, receive, maintain, or transmit PHI on behalf of covered entities

Subcontractors

Entities that create, receive, maintain, or transmit PHI on behalf of business associates

Healthcare providers

Hospitals, clinics, physicians, dentists, pharmacies, nursing homes, home health agencies

Health plans

Health insurance companies, HMOs, employer health plans, government health programs

Healthcare technology vendors

EHR vendors, cloud storage, data analytics, billing services, IT support, consultants

How VerifyWise supports HIPAA compliance

Concrete capabilities that address Privacy Rule, Security Rule, and Breach Notification requirements

PHI inventory and data mapping

Identify and document all systems that create, receive, maintain, or transmit Protected Health Information. The platform maintains a complete PHI data flow map required for Privacy Rule compliance and breach response planning.

Addresses: Privacy Rule: PHI identification, minimum necessary, data flow documentation

Security safeguards implementation

Track implementation of administrative, physical, and technical safeguards required by the Security Rule. The platform documents security controls, access controls, encryption measures, and audit logging across your PHI infrastructure.

Addresses: Security Rule: Access controls, encryption, audit controls, integrity controls

Risk assessment and analysis

Conduct HIPAA-aligned risk assessments identifying threats and vulnerabilities to PHI confidentiality, integrity, and availability. The platform generates risk documentation and tracks remediation required by the Security Rule.

Addresses: Security Rule: Risk analysis, risk management, security management process

Policy and procedure management

Maintain required HIPAA policies, procedures, and documentation with version control and approval workflows. The platform ensures policies address all Privacy and Security Rule requirements with proper review cycles.

Addresses: Privacy & Security Rules: Policies, procedures, documentation, workforce training

Breach notification and incident response

Manage HIPAA breach investigations with structured workflows meeting the Breach Notification Rule's 60-day timeline. The platform tracks breach discovery, harm assessment, notification obligations, and OCR reporting.

Addresses: Breach Notification Rule: Discovery, assessment, notification, documentation

Business associate management

Track all business associates and subcontractors with BAA status, risk assessments, and ongoing monitoring. The platform maintains the third-party oversight required by the Privacy and Security Rules.

Addresses: Privacy & Security Rules: BAA tracking, vendor risk, subcontractor management

All PHI-related activities are tracked with timestamps, assigned owners, and approval workflows. This audit trail demonstrates systematic compliance and supports OCR investigations or audits.

Complete HIPAA requirements coverage

VerifyWise provides dedicated tooling for all HIPAA rule requirements

HIPAA requirements

Requirements with dedicated tooling

100%

Coverage across all rules

Privacy Rule8/8

PHI use, disclosure, rights, minimum necessary

Security Rule18/18

Administrative, physical, technical safeguards

Breach Notification4/4

Discovery, notification, documentation, mitigation

Enforcement4/4

Investigations, penalties, compliance, audits

Built for healthcare compliance from the ground up

OCR audit readiness

Evidence packages for OCR investigations and compliance reviews

60-day breach tracking

Automated breach notification workflows meeting OCR timelines

BAA management

Track business associates and subcontractors with BAA status

AI in healthcare

Combine HIPAA with AI governance frameworks for clinical AI systems

Key HIPAA rules

Understanding the major components of HIPAA compliance

Privacy Rule

Controls the use and disclosure of Protected Health Information and establishes individual rights.

Minimum necessary standard for PHI use
Individual rights (access, amendment, accounting)
Notice of privacy practices
Designated privacy officer
Workforce training and sanctions

Security Rule

Establishes national standards to protect electronic Protected Health Information (ePHI).

Administrative safeguards (9 standards)
Physical safeguards (4 standards)
Technical safeguards (5 standards)
Organizational requirements
Policies and procedures documentation

Breach Notification Rule

Requires notification to individuals, HHS, and in some cases the media when PHI is breached.

Breach discovery and assessment
Individual notification (60 days)
HHS notification (annual or immediate)
Media notification (500+ individuals)
Documentation and mitigation

Enforcement Rule

Establishes procedures for investigations, hearings, and imposition of civil money penalties.

OCR compliance investigations
Civil money penalty tiers
Criminal prosecution referrals
Corrective action plans
Resolution agreements

Omnibus Rule

Strengthened HIPAA with business associate liability, breach notification expansion, and HITECH Act implementation.

Business associate direct liability
Subcontractor BAA requirements
Strengthened enforcement
Expanded individual rights
Genetic information protections

Security Rule safeguards breakdown

Administrative, physical, and technical safeguards required for ePHI protection

Administrative safeguards

Documented policies, procedures, and processes to manage PHI security

Security management process

Risk analysis, risk management, sanction policy, information system activity review

Assigned security responsibility

Designated security official responsible for HIPAA security

Workforce security

Authorization, supervision, clearance procedures, termination procedures

Information access management

Access authorization, access establishment, access modification

Security awareness and training

Security reminders, protection from malware, log-in monitoring, password management

Security incident procedures

Response and reporting of security incidents

Contingency plan

Data backup, disaster recovery, emergency mode, testing, applications and data criticality

Evaluation

Periodic technical and non-technical evaluation of security measures

Business associate contracts

Written contracts with satisfactory assurances regarding PHI safeguarding

Physical safeguards

Physical measures to protect electronic information systems and buildings

Facility access controls

Contingency operations, facility security plan, access control and validation, maintenance records

Workstation use

Policies and procedures for workstation functions and security

Workstation security

Physical safeguards to restrict workstation access to authorized users

Device and media controls

Disposal, media re-use, accountability, data backup and storage

Technical safeguards

Technology and policies to protect ePHI and control access

Access control

Unique user identification, emergency access, automatic logoff, encryption and decryption

Audit controls

Hardware, software, and procedural mechanisms to record and examine ePHI access

Integrity

Policies to ensure ePHI is not improperly altered or destroyed

Person or entity authentication

Procedures to verify person or entity seeking ePHI access

Transmission security

Integrity controls and encryption for ePHI transmission over networks

24-week implementation roadmap

A practical path to HIPAA compliance with clear milestones

Phase 1Weeks 1-4

Foundation and gap analysis

Designate privacy and security officers
Conduct initial HIPAA gap assessment
Create PHI inventory and data flow maps
Review existing policies and procedures

Phase 2Weeks 5-10

Risk assessment and planning

Complete comprehensive risk analysis
Identify threats and vulnerabilities to ePHI
Prioritize remediation activities
Develop security management plan

Phase 3Weeks 11-20

Safeguards implementation

Implement administrative safeguards
Deploy physical security controls
Configure technical safeguards
Establish business associate agreements

Phase 4Weeks 21-24

Training and validation

Conduct workforce privacy and security training
Test incident response procedures
Validate technical controls
Document compliance evidence

HIPAA penalties and enforcement

Understanding the financial and criminal consequences of non-compliance

Civil money penalty tiers

Tier 1Per violation

Did not know (and by exercising reasonable diligence would not have known)

Range

$100 - $50,000

Annual max

$25,000

Tier 2Per violation

Reasonable cause (violation due to circumstances beyond reasonable control)

Range

$1,000 - $50,000

Annual max

$100,000

Tier 3Per violation

Willful neglect (but corrected within 30 days)

Range

$10,000 - $50,000

Annual max

$250,000

Tier 4Per violation

Willful neglect (not corrected within 30 days)

Range

$50,000 - $50,000

Annual max

$1,500,000

Criminal penalties

Tier 1 Criminal

Knowingly obtaining or disclosing PHI

Up to $50,000 and up to 1 year imprisonment

Tier 2 Criminal

Obtaining PHI under false pretenses

Up to $100,000 and up to 5 years imprisonment

Tier 3 Criminal

Obtaining or disclosing PHI with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm

Up to $250,000 and up to 10 years imprisonment

Note: Penalties are assessed per violation. Multiple violations can result in penalties exceeding annual maximums. The Department of Justice handles criminal prosecutions for HIPAA violations.

Policy templates

HIPAA policy template library

Access ready-to-use HIPAA policy templates covering Privacy Rule, Security Rule, and Breach Notification requirements

Privacy Rule policies

• Privacy Practices Notice
• Minimum Necessary Policy
• Individual Rights Policy
• Privacy Officer Designation
• PHI Use and Disclosure
• Accounting of Disclosures
• Amendment Request Process

Security Rule policies

• Security Management Process
• Access Control Policy
• Audit Controls Policy
• Encryption and Decryption
• Incident Response Plan
• Contingency Plan
• Workforce Security Policy

Breach & Compliance

• Breach Notification Policy
• Breach Risk Assessment
• Business Associate Agreement
• Sanctions Policy
• Training and Awareness
• Compliance Monitoring
• Risk Assessment Policy

Browse all policy templates

Frequently asked questions

Common questions about HIPAA compliance

HIPAA is enforced by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). OCR conducts compliance reviews, investigates complaints, performs audits, and imposes civil money penalties for violations. Criminal enforcement is handled by the Department of Justice (DOJ). Visit the official HHS HIPAA website for enforcement guidance.

PHI is individually identifiable health information held or transmitted by a covered entity or business associate in any form (electronic, paper, oral). It includes 18 identifiers such as names, dates, contact information, medical record numbers, health plan numbers, and biometric identifiers when linked to health information. Electronic PHI (ePHI) is subject to additional Security Rule requirements.

Covered entities are healthcare providers, health plans, and healthcare clearinghouses that directly handle PHI. Business associates are third parties that perform services involving PHI on behalf of covered entities (EHR vendors, billing companies, consultants). Since the Omnibus Rule (2013), business associates have direct HIPAA liability and must comply with the Security Rule and Breach Notification Rule.

Yes, covered entities must have a signed BAA with each business associate before sharing PHI. Business associates must have BAAs with their subcontractors. The BAA must include specific required provisions about PHI safeguarding, breach notification, return or destruction of PHI, and liability. No PHI can be shared without a compliant BAA in place.

A breach is the acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. You must conduct a risk assessment using the 4-factor test. If the breach is not excluded and the risk assessment shows more than a low probability of compromise, notification is required within 60 days to affected individuals, HHS, and potentially the media (for 500+ individuals).

Civil penalties range from $100 to $50,000 per violation depending on the culpability tier, with annual maximums from $25,000 to $1.5 million per violation type. Tier 1 (unknowing): $100-$50K per violation, $25K annual max. Tier 2 (reasonable cause): $1K-$50K, $100K max. Tier 3 (willful neglect, corrected): $10K-$50K, $250K max. Tier 4 (willful neglect, not corrected): $50K per violation, $1.5M max. Criminal penalties can reach $250,000 and 10 years imprisonment.

A typical HIPAA compliance program takes 6-9 months to implement depending on organizational size, existing infrastructure, and complexity of PHI handling. Small practices may move faster with focused scope, while large healthcare systems require more extensive implementation. The Security Rule requires annual risk assessments and ongoing monitoring.

The Security Rule mandates a comprehensive risk analysis identifying threats and vulnerabilities to ePHI confidentiality, integrity, and availability. This must be documented and include assessment of: where ePHI is stored, created, received, transmitted; potential threats (human, natural, environmental); current security measures; likelihood and impact of threats; risk levels and remediation priorities. The risk analysis must be reviewed and updated regularly.

Encryption is addressable (not required) under the Security Rule, but strongly recommended as a safe harbor. If PHI is encrypted using NIST-validated algorithms and proper key management, a breach of that data does not require notification. You must document why you chose to implement or not implement encryption, and if not encrypting, what equivalent alternative measures are in place.

Cloud service providers and SaaS vendors that store, process, or transmit ePHI are business associates and must sign a BAA. The covered entity remains responsible for ensuring the vendor has appropriate safeguards. Vendors must comply with the Security Rule's administrative, physical, and technical safeguards. Review vendor security practices, certifications (HITRUST, SOC 2), and incident response capabilities before engaging.

HIPAA requires workforce training on privacy and security policies, but doesn't specify frequency or format. Best practice is annual training for all workforce members (employees, volunteers, trainees, contractors) with additional training for those with elevated PHI access. Training must cover: Privacy and Security Rules, breach notification, sanctions, individual rights, minimum necessary, business associate requirements. Document all training with attendance records and content.

HIPAA sets a federal floor for health information protection. State laws can be more stringent. Where state law provides greater privacy protections or individual rights, the state law applies. Organizations must comply with both HIPAA and applicable state health privacy laws. Some states have additional breach notification timelines or requirements. Unlike SOC 2, which is voluntary, HIPAA compliance is mandatory for covered entities.

Yes, VerifyWise provides HIPAA-specific workflows for risk assessments, PHI inventory, safeguard implementation tracking, breach notification management, and policy documentation. Our platform maps controls to the Privacy Rule, Security Rule, and Breach Notification Rule requirements. We also provide crosswalks to SOC 2, ISO 27001, and NIST AI RMF for organizations implementing multiple frameworks.

Ready to achieve HIPAA compliance?

Start your compliance journey with our guided HIPAA assessment and implementation tools designed for healthcare organizations.

Start HIPAA assessment Schedule consultation