In February 2024, OCR announced a $480,000 settlement with a New England dermatology practice that failed to conduct an enterprise-wide risk analysis — a core requirement most organizations assume they've satisfied. It's the kind of enforcement action that forces a blunt question: does your organization actually understand the HIPAA compliance framework, or are you relying on assumptions that could cost you six figures or more?

After years of working with covered entities and business associates on their compliance programs, I can tell you the gap between thinking you're compliant and actually being compliant is wider than most healthcare leaders realize.

What Is the HIPAA Compliance Framework — and Why It's More Than a Checklist

HIPAA compliance is the ongoing process of meeting the administrative, physical, and technical requirements established under the Health Insurance Portability and Accountability Act of 1996 and its subsequent rules. It is not a one-time project. It is not a binder on a shelf. It's a living operational commitment that touches every department, every system, and every person who handles protected health information (PHI).

The framework is built on four interconnected regulatory pillars:

  • The Privacy Rule (45 CFR Part 164, Subpart E): Governs how covered entities and business associates use and disclose PHI. It establishes patient rights, the minimum necessary standard, and requires a Notice of Privacy Practices.
  • The Security Rule (45 CFR Part 164, Subpart C): Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI) — including access controls, audit controls, encryption, and integrity mechanisms.
  • The Breach Notification Rule (45 CFR §§ 164.400-414): Mandates specific notification timelines to affected individuals, HHS, and in some cases the media when unsecured PHI is breached.
  • The Omnibus Rule (2013): Extended direct liability to business associates and strengthened enforcement, penalty tiers, and patient rights.

Understanding the HIPAA compliance obligation means understanding that all four of these rules work together. Failing on one undermines the rest.

The Risk Analysis Requirement Most Organizations Get Wrong

If there's one compliance failure OCR penalizes more than any other, it's an inadequate or missing risk analysis. Under 45 CFR § 164.308(a)(1)(ii)(A), every covered entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

This isn't a vulnerability scan. It's not an IT checklist. A compliant risk analysis identifies every system that creates, receives, maintains, or transmits ePHI, evaluates threats, assesses current safeguards, and documents the likelihood and impact of each risk.

OCR's enforcement data over the past five years makes this painfully clear: the majority of settlements — including a record $4.75 million penalty against a New York medical center — cite risk analysis failures. Your organization cannot claim HIPAA compliance without one.

How Often Should You Conduct a Risk Analysis?

HIPAA doesn't specify an annual requirement, but OCR has made clear that risk analysis must be an ongoing process. Any time you adopt new technology, change workflows, experience a security incident, or onboard a new business associate, your risk analysis needs updating.

Workforce Training: The Requirement That Carries Real Consequences

Under 45 CFR § 164.530(b), covered entities must train all workforce members on policies and procedures related to PHI. Under 45 CFR § 164.308(a)(5), the Security Rule requires security awareness training. These aren't suggestions — they're enforceable mandates.

Healthcare organizations consistently struggle with this requirement, not because they skip training entirely, but because their training is generic, outdated, or fails to address role-specific risks. A billing clerk faces different PHI exposure than a nurse, and your training program must reflect that.

If your workforce hasn't completed structured, documented training, consider enrolling them in HIPAA training and certification that covers the Privacy Rule, Security Rule, and breach response protocols in practical, role-relevant terms.

Business Associate Obligations After the Omnibus Rule

Before 2013, business associates operated in a regulatory gray zone. The Omnibus Rule ended that. Today, any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity is directly liable for HIPAA violations.

This means your EHR vendor, your cloud hosting provider, your billing company, and your shredding service all carry independent compliance obligations. You must have a signed Business Associate Agreement (BAA) with each one — and a BAA alone isn't enough. Your organization needs to verify that these partners maintain their own safeguards.

OCR has pursued enforcement actions against business associates directly, including a $2.3 million settlement with a medical management company in 2020. If your vendor management process doesn't include compliance verification, you have an open liability.

Patient Rights Your Privacy Officer Must Enforce

The Privacy Rule grants patients specific, enforceable rights that your workforce must understand and honor:

  • Right to access: Patients can request copies of their PHI, and you must respond within 30 days.
  • Right to amend: Patients can request corrections to their records.
  • Right to an accounting of disclosures: Patients can ask who has received their PHI and why.
  • Right to request restrictions: Patients can ask you to limit certain uses or disclosures.
  • Notice of Privacy Practices: You must provide a clear, written notice explaining how you use and disclose PHI.

OCR's Right of Access Initiative, launched in 2019, has produced over 45 enforcement actions specifically targeting organizations that failed to provide timely access to records. Penalties have ranged from $3,500 to $240,000. These are avoidable violations — if your team knows the rules.

Building a Compliance Program That Survives an OCR Investigation

When OCR investigates a complaint or breach, they look for documented evidence. Policies alone won't protect you. They want to see:

  • A current, enterprise-wide risk analysis with a corresponding risk management plan
  • Signed BAAs with every business associate
  • Workforce training records with dates, content covered, and attendee verification
  • Documented sanction policies for employees who violate HIPAA
  • Incident response and breach notification procedures that have been tested

If your compliance program can't produce this documentation within days of an OCR request, you have a structural problem — not just a paperwork gap.

Start With What You Can Control Today

Understanding the HIPAA compliance framework is the first step. Acting on it is what separates organizations that avoid penalties from those that end up on OCR's wall of shame. The most immediate, high-impact action you can take is ensuring every member of your workforce is trained and that the training is documented.

Explore HIPAA Certify's workforce compliance platform to build a training program that meets the Privacy Rule and Security Rule requirements — with the documentation trail OCR expects to see.

HIPAA compliance isn't a destination. It's an operational discipline. And in an enforcement environment where OCR resolved over 800 cases in 2023 alone, the cost of misunderstanding that distinction has never been higher.