HIPAA compliance is not a document.
It is an active program.
The Health Insurance Portability and Accountability Act requires every covered entity and business associate to maintain an active, evidence-generating security program — not just policies on file. Here is what that actually means.
HIPAA requires ongoing compliance, not a one-time checklist.
HIPAA's Security Rule (45 CFR Part 164) establishes national standards for protecting electronic protected health information (ePHI). Unlike a certification framework, HIPAA has no pass/fail audit — compliance is demonstrated through an active program that generates evidence of operating controls.
The Office for Civil Rights (OCR) enforces HIPAA and conducts investigations triggered by breach reports, complaints, and random audits. When OCR investigates, they don't just look at the breach — they audit your entire program.
Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Business associates — any vendor who handles ePHI on your behalf — are directly liable under the HITECH Act.
Who must comply
Any healthcare provider that transmits health information electronically — including every practice that uses an EHR, billing system, or patient portal. Also any vendor (business associate) with access to patient data.
Enforcement agency
Office for Civil Rights (OCR), US Department of Health and Human Services. Investigations are triggered by breach reports, patient complaints, and random compliance audits.
Penalty range
$141 to $2,134,831 per violation category per year. Willful neglect that is not corrected carries the highest penalties. Having no risk assessment on file is treated as willful neglect.
Breach notification
Affected patients must be notified within 60 days of discovery. Breaches affecting 500+ individuals require simultaneous notification to HHS and prominent local media.
The six HIPAA Security Rule safeguard categories.
HIPAA's Security Rule is organized into administrative, physical, and technical safeguards — each with required and addressable implementation specifications.
Security Risk Assessment
Required annually under §164.308(a)(1). Must identify all ePHI, assess threats and vulnerabilities, evaluate current controls, and document risk levels. The most commonly missing control in OCR investigations.
Written Security Policies
Required under §164.316. All 12 required policies must be written, implemented, and reviewed periodically. Policies must be customized to your organization — generic templates do not satisfy the requirement.
Workforce Training
Required under §164.308(a)(5). Annual security awareness training for all workforce members who handle ePHI. Completion records must be maintained per staff member.
Business Associate Agreements
Required under §164.308(b). A signed BAA is required with every vendor that creates, receives, maintains, or transmits ePHI on your behalf — EHR vendors, billing companies, IT providers, cloud storage.
Access Controls & Audit Logs
Required under §164.312. Unique user IDs, automatic logoff, encryption, and audit log review. Logs must be reviewed regularly — monthly audit log review is the standard OCR expects.
Incident Response Plan
Required under §164.308(a)(6). A written plan for responding to security incidents including breach identification, containment, notification procedures, and post-incident review.
The consequences of a HIPAA gap are not theoretical.
OCR opens a formal investigation. They audit your entire compliance program — not just the breach event. Practices without documented controls face significantly higher penalties.
Every affected patient must be notified within 60 days. Breaches affecting 500+ require media notification and immediate HHS reporting. The reputational damage in a community practice is lasting.
Penalties range from $141 to $2,134,831 per violation category per year. Recent small practice settlements: $480,000 (34,000 patients, phishing attack, no training records), $125,000 (ransomware, no risk assessment).
BoTech builds and manages your complete HIPAA program.
Comply and Fortress include every HIPAA requirement — risk assessment, all 12 policies, BAA register, workforce training, monthly evidence tracking, and ongoing program management at a flat monthly rate.
We build the program from the ground up, maintain it monthly, and generate the evidence trail that answers an OCR investigation — so you can run your practice without managing a compliance calendar.
Audit-ready in 90 to 120 days.
A structured four-phase process that builds your HIPAA compliance program from the ground up — no prior compliance work required.
Assess
Every current control assessed against HIPAA requirements. Every gap documented with specific regulatory citations before a single policy is written.
Build
All required policies written and customized. Risk assessment completed. Evidence tracking configured. HIPAA-specific documentation in place.
Activate
Documentation signed and dated. Workforce training initiated. Access controls reviewed. Evidence tracking live. Your program is operating.
Audit-Ready
First evidence cycle complete. All agreements executed. You can now respond to a regulator, auditor, or insurer with confidence.
Timeline assumes client completion of information requests within 5 business days of receipt. Delays in client response, vendor agreement execution, or workforce training completion will extend the timeline proportionally.
Find out where your HIPAA program actually stands.
The free Security Scorecard reviews your current HIPAA posture across all seven control domains in 30 minutes — specific gaps identified, risk level assessed, written report within 24 hours. No pitch. No obligation.
No cost · No obligation · Written report within 24 hours