HIPAA Compliance Made Clear
Plain-language explanations of Privacy Rule and Security Rule basics for small healthcare practices and their vendors. General information only — this is not legal or compliance advice, and this site does not certify, audit, or assess anyone's HIPAA compliance.
HIPAA Privacy & Security Rules Explained
HIPAA's Privacy Rule governs how protected health information (PHI) is used and disclosed; the Security Rule covers electronic PHI safeguards. Practices typically need written policies, workforce training, patient rights notices, access controls, and a process for breach notification when unsecured PHI is compromised.
Business Associates & Documentation Basics
Vendors that create, receive, maintain, or transmit PHI on your behalf generally need a Business Associate Agreement (BAA). Keep current records of BAAs, access controls, and security measures. A risk analysis should reflect how your organisation actually handles ePHI — not a one-size form that never changes.
Frequently asked questions
- Who must comply with HIPAA?
- Covered entities — healthcare providers, health plans, clearinghouses — and their business associates handling PHI must comply.
- What is a HIPAA Business Associate Agreement?
- A BAA is a contract requiring vendors who handle PHI on your behalf to protect it per HIPAA standards.
- How often should we conduct a HIPAA risk assessment?
- The HIPAA Security Rule does not mandate a fixed interval. The risk analysis requirement is at 45 CFR § 164.308(a)(1)(ii)(A); guidance from the HHS Office for Civil Rights, published at hhs.gov/hipaa, notes that covered entities may perform risk analysis annually or as needed (for example every few years), and again whenever significant operational or technical changes affect how ePHI is stored or transmitted. Read the regulation and the OCR guidance directly rather than relying on this summary.
Get in touch
Questions about the information on this page? Contact us and we will respond within one business day. We can point you to the underlying HHS source for anything explained here, but we cannot advise on your organisation's HIPAA obligations — that is a question for your own legal or compliance counsel.