Who Must Comply with HIPAA?

Two types of organizations are required to follow HIPAA rules.


Covered Entities

  • Hospitals and health systems
  • Physician practices and clinics
  • Dentists, chiropractors, psychologists
  • Nursing homes and home health agencies
  • Pharmacies
  • Health insurance companies
  • Health maintenance organizations (HMOs)
  • Government health programs (Medicare, Medicaid)
  • Healthcare clearinghouses

Business Associates

  • Medical billing companies
  • EHR/EMR software vendors
  • Cloud service providers handling PHI
  • IT service providers with PHI access
  • Medical transcription services
  • Accountants with access to PHI
  • Attorneys handling PHI
  • Claims processing companies
  • Any vendor that creates, receives, maintains, or transmits PHI

The Healthcare Breach Epidemic

Healthcare is the most targeted industry—and the most expensive to breach

The Three HIPAA Rules

Understanding what HIPAA actually requires

Privacy Rule

Establishes national standards for protecting individuals' medical records and other protected health information (PHI).

Limits use and disclosure of PHI

Gives patients rights over their health information

Requires Notice of Privacy Practices

Minimum necessary standard

Security Rule

Requires administrative, physical, and technical safeguards to ensure confidentiality, integrity, and availability of electronic PHI (ePHI).

Risk analysis and management

Workforce security training

Access controls and audit controls

Encryption and transmission security

Breach Notification Rule

Requires covered entities and business associates to notify affected individuals, HHS, and (for breaches affecting 500 or more individuals) the media following a breach of unsecured PHI.

60-day notification deadline

Individual notification requirements

HHS notification (breach portal)

Media notification (500+ affected)

Business associate reporting obligations

Recent Healthcare Breaches

Real incidents that resulted in massive fines and patient harm

HIPAA Compliance in 90 Days

We've helped healthcare organizations and their business associates achieve HIPAA compliance with our proven 90-day methodology. Stop worrying about OCR investigations and start protecting patient data with confidence.

  • Complete HIPAA risk analysis (OCR's #1 requirement)
  • Privacy and Security Rule policy library
  • Workforce training program
  • Business Associate Agreement templates
  • Incident response and breach notification procedures
  • Technical safeguard implementation guidance
  • Ongoing compliance monitoring with dashr.ai

HIPAA Compliance

Report Ready 90

$25K–$45K / 90 days

  • Comprehensive HIPAA risk analysis
  • 40+ policies (Privacy + Security Rules)
  • Workforce training materials
  • BA Agreement templates
  • Incident response procedures
  • Technical control guidance
  • dashr.ai platform (Year 1 free)
  • Mock audit before go-live

Our 90-Day HIPAA Process

From risk analysis to compliance—systematically

1. Risk Analysis

Comprehensive assessment of your PHI environment, threats, vulnerabilities, and current safeguards. The foundation OCR requires.

2. Gap Remediation

Develop and implement policies, procedures, and technical controls to address identified gaps. We do the heavy lifting.

3. Training & Documentation

Workforce training, BA agreements, and complete documentation package. Everything you need for OCR compliance.

4. Validation & Handoff

Mock audit, final review, and handoff with ongoing monitoring through dashr.ai. You're ready for anything.

Business Associate Compliance

If your company handles PHI on behalf of healthcare organizations, you're a Business Associate—and you must comply with HIPAA. This includes IT vendors, cloud providers, billing companies, and any service that touches patient data.

Your Obligations

Business Associates must implement the same Security Rule safeguards as covered entities, report breaches within 60 days, ensure subcontractors are also compliant, and maintain documentation for 6 years. You can face direct OCR enforcement and penalties.

BA Agreements

Before any PHI is shared, you must have a signed Business Associate Agreement (BAA) that specifies permitted uses, safeguards required, breach reporting procedures, and termination conditions. Without a valid BAA, PHI cannot be legally shared.

Upcoming Changes

Proposed Security Rule updates will require covered entities to obtain written verifications that each BA has deployed required safeguards. This means BAs who can't demonstrate compliance may lose contracts with healthcare clients.

Competitive Advantage

Healthcare organizations increasingly require proof of HIPAA compliance before signing contracts. Having a documented compliance program—and potentially SOC 2 certification—differentiates you from competitors who can't demonstrate security.

HIPAA Compliance FAQ

  • Is there a HIPAA certification?
  • What triggers an OCR investigation?
  • What's the most common HIPAA violation?
  • Do we need both HIPAA and SOC 2?
  • How long does HIPAA compliance take?
  • What about telehealth and remote care?

Protect Your Patients. Protect Your Organization.

Healthcare breaches are at an all-time high. Don't wait for an OCR investigation to get compliant.
