In March 2024, OCR settled with a healthcare provider for $950,000 after an investigation revealed the organization had failed to conduct a risk analysis — one of the most fundamental things HIPAA requires. The provider assumed its IT vendor had "handled security." OCR disagreed. This scenario plays out repeatedly, and it underscores a persistent problem: many healthcare organizations only partially understand what HIPAA actually demands of them.
What HIPAA Requires Under the Privacy Rule
The HIPAA Privacy Rule (45 CFR §§164.500–534) establishes national standards for how covered entities and their business associates use and disclose protected health information. At its core, HIPAA requires that PHI only be used or disclosed for treatment, payment, or healthcare operations — unless the patient authorizes another use or a specific regulatory exception applies.
Your organization must provide every patient a Notice of Privacy Practices at their first encounter. This document must clearly explain how you use PHI, the patient's rights regarding their information, and your legal duties. OCR routinely cites organizations that either lack a compliant notice or fail to distribute it.
The minimum necessary standard is another obligation that trips organizations up. HIPAA requires that when your workforce accesses, uses, or discloses PHI, it must be limited to the minimum amount necessary to accomplish the task. A billing clerk doesn't need access to psychotherapy notes. A front-desk employee doesn't need to see lab results. Role-based access policies aren't optional — they're regulatory mandates.
Security Rule Obligations That HIPAA Requires You to Implement
The HIPAA Security Rule (45 CFR §§164.302–318) applies specifically to electronic protected health information (ePHI). HIPAA requires every covered entity and business associate to implement three categories of safeguards: administrative, physical, and technical.
Administrative safeguards include designating a security officer, conducting a thorough risk analysis, and developing policies that govern how ePHI is managed across your organization. The risk analysis requirement under §164.308(a)(1) is the single most-cited deficiency in OCR enforcement actions. If your organization hasn't completed one — or completed one years ago and never updated it — you have an active compliance gap.
Physical safeguards cover facility access controls, workstation security, and device disposal. HIPAA requires policies that restrict physical access to systems containing ePHI and ensure that hardware and electronic media are properly sanitized before disposal or reuse.
Technical safeguards demand access controls (unique user IDs, emergency access procedures), audit controls that track who accessed ePHI and when, integrity controls, and transmission security. Encryption is addressable rather than required — but "addressable" under the Security Rule doesn't mean optional. It means you must implement it or document why an equivalent alternative is reasonable.
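The minimum necessary standard from the Privacy Rule section and the technical safeguards described here (access controls with unique user IDs, an emergency access procedure, and audit controls that record who touched ePHI and when) come together in a small access-control layer. The following is an added example written for this article, not code from the article's author or from HIPAA Certify; the roles, record categories, user IDs and patient records are constructed for illustration and are not an official HIPAA taxonomy.

```python
"""Role-based 'minimum necessary' access to ePHI with an audit trail.

Added example with constructed roles, record categories and sample records
(assumptions for illustration; not an official HIPAA taxonomy).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Constructed record categories (assumption: a real system maps these to its own data model).
DEMOGRAPHICS = "demographics"
BILLING = "billing"
LAB_RESULTS = "lab_results"
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"

# Constructed role policy: each role sees only the categories its task needs.
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "front_desk": frozenset({DEMOGRAPHICS}),
    "billing_clerk": frozenset({DEMOGRAPHICS, BILLING}),
    "physician": frozenset({DEMOGRAPHICS, LAB_RESULTS}),
    "therapist": frozenset({DEMOGRAPHICS, PSYCHOTHERAPY_NOTES}),
}

# Categories the emergency ("break-glass") procedure may reach; psychotherapy notes stay excluded.
EMERGENCY_CATEGORIES: FrozenSet[str] = frozenset({DEMOGRAPHICS, LAB_RESULTS})


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str   # UTC ISO-8601, so "when" is unambiguous across sites
    user_id: str     # unique individual identifier, never a shared account
    role: str
    patient_id: str
    category: str
    allowed: bool
    reason: str


@dataclass
class EphiStore:
    records: Dict[str, Dict[str, str]]          # patient_id -> category -> content
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _log(self, user_id: str, role: str, patient_id: str,
             category: str, allowed: bool, reason: str) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user_id, role,
            patient_id, category, allowed, reason))

    def access(self, user_id: str, role: str, patient_id: str,
               category: str, emergency: bool = False) -> Optional[str]:
        """Return the record if the role policy (or the emergency procedure) permits it.
        Every attempt, allowed or denied, is written to the audit log."""
        if not user_id:
            # Unique user IDs are an access-control requirement; refuse anonymous use.
            self._log("<missing>", role, patient_id, category, False, "no user id")
            return None
        permitted = ROLE_POLICY.get(role, frozenset())
        if category in permitted:
            reason = "role policy"
        elif emergency and category in EMERGENCY_CATEGORIES:
            reason = "emergency access"   # flagged for later review by the security officer
        else:
            self._log(user_id, role, patient_id, category, False, "outside minimum necessary")
            return None
        self._log(user_id, role, patient_id, category, True, reason)
        return self.records.get(patient_id, {}).get(category)

    def denied_events(self) -> List[AuditEvent]:
        return [e for e in self.audit_log if not e.allowed]

    def emergency_events(self) -> List[AuditEvent]:
        return [e for e in self.audit_log if e.reason == "emergency access"]

    def accesses_to_patient(self, patient_id: str) -> List[AuditEvent]:
        """Who accessed this patient's ePHI and when: the raw material for a review."""
        return [e for e in self.audit_log if e.patient_id == patient_id and e.allowed]


def demo_store() -> EphiStore:
    # Constructed sample records for a single fictional patient.
    return EphiStore(records={"P-0001": {
        DEMOGRAPHICS: "Jane Doe, DOB 1980-01-01",
        BILLING: "claim 4471, $120 copay",
        LAB_RESULTS: "A1c 6.1%",
        PSYCHOTHERAPY_NOTES: "session notes (restricted)",
    }})


if __name__ == "__main__":
    store = demo_store()
    print(store.access("u-billing-17", "billing_clerk", "P-0001", BILLING))
    print(store.access("u-billing-17", "billing_clerk", "P-0001", PSYCHOTHERAPY_NOTES))
    print(store.access("u-front-03", "front_desk", "P-0001", LAB_RESULTS, emergency=True))
    for e in store.audit_log:
        print(e.timestamp, e.user_id, e.category, "ALLOW" if e.allowed else "DENY", e.reason)
```

The design point is that denials are logged as carefully as grants: an investigator reviewing the audit log can see the billing clerk's attempt on psychotherapy notes, and the emergency override on lab results stands out by its reason field for follow-up. A production system would additionally protect the log itself against modification, which is the integrity control the rule also calls for.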
The Breach Notification Rule: What HIPAA Requires When Things Go Wrong
Under the Breach Notification Rule (45 CFR §§164.400–414), HIPAA requires that covered entities notify affected individuals, the Secretary of HHS, and in some cases the media following an unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy.
For breaches affecting 500 or more individuals, notification to HHS and prominent media outlets must occur within 60 days. Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually, no later than 60 days after the end of the calendar year. In my work with covered entities, I've seen organizations delay breach reporting because they weren't sure the incident "counted." OCR has made clear that the burden of proof rests on your organization to demonstrate that a disclosure did not constitute a breach — not the other way around.
Business Associate Agreements: A Requirement, Not a Courtesy
Since the Omnibus Rule took effect in 2013, HIPAA requires that every covered entity execute a written business associate agreement (BAA) with any vendor, contractor, or partner that creates, receives, maintains, or transmits PHI on its behalf. Without a BAA, the relationship itself is a HIPAA violation — regardless of whether a breach has occurred.
Business associates are also directly liable for compliance with the Security Rule and parts of the Privacy Rule. If your EHR vendor, billing service, or cloud hosting provider doesn't have a signed BAA on file, your organization is exposed right now.
The Workforce Training Requirement Most Organizations Underestimate
HIPAA requires that all workforce members — not just clinical staff — receive training on your organization's HIPAA policies and procedures. Under §164.530(b), training must occur within a reasonable period after a person joins your workforce and whenever material changes are made to policies. "Workforce" under HIPAA includes employees, volunteers, trainees, and anyone under your direct control, whether or not they're paid.
Healthcare organizations consistently struggle with documenting this training. OCR doesn't just ask whether training happened — they ask for proof. Completion records, training content, dates, and attendee lists all matter during an investigation. A structured HIPAA training and certification program gives your organization both the education and the documentation trail you need to satisfy this requirement.
Patient Rights HIPAA Requires You to Honor
HIPAA grants patients specific rights that your organization must operationalize:
- Right of access: Patients can request copies of their PHI, and you must respond within 30 days (with one 30-day extension if needed). OCR launched its Right of Access Initiative in 2019, and it has resulted in over 45 enforcement actions and settlements.
- Right to amend: Patients can request corrections to their records.
- Right to an accounting of disclosures: Patients can ask for a log of certain PHI disclosures made by your organization.
- Right to request restrictions: Patients can ask that you limit how their PHI is used or shared, and HIPAA requires you to honor requests related to disclosures paid for entirely out-of-pocket.
Failure to honor these rights — especially the right of access — has become one of OCR's top enforcement priorities. Penalties have ranged from $3,500 to $240,000 per case.
Build a Compliance Foundation That Satisfies What HIPAA Requires
Regulatory obligations under HIPAA aren't aspirational — they're enforceable. OCR has collected over $142 million in settlements and civil monetary penalties since the enforcement program began. Every dollar was tied to a specific requirement that an organization failed to meet: a missing risk analysis, an unsigned BAA, a denied access request, or an untrained workforce.
Start by auditing where your organization stands against each obligation outlined above. Then close the gaps with documented policies, executed agreements, and verified training. If your workforce hasn't completed formal HIPAA education recently, HIPAA Certify's workforce compliance platform provides training aligned with current regulatory standards — and generates the documentation that holds up under OCR scrutiny.
What HIPAA requires isn't ambiguous. The regulations are detailed, publicly available, and actively enforced. The only question is whether your organization has done the work to meet them.