In February 2023, OCR settled with a dental practice in New England for $23,000 after a patient complaint revealed the organization had no written policies, no workforce training, and no risk analysis — all because the office manager assumed HIPAA was "just about not sharing patient charts." That misconception is more common than you might expect. If your organization handles protected health information and you're still asking what HIPAA is, you need clear answers fast — because OCR doesn't grade on a curve.

What Is HIPAA and Why Does It Exist?

HIPAA — the Health Insurance Portability and Accountability Act — was signed into law in 1996. Its original purpose was twofold: help workers maintain health insurance when changing jobs and reduce healthcare fraud. Over time, the law evolved into the primary federal framework for protecting the privacy and security of patient health information.

Today, HIPAA is enforced by the U.S. Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). Since 2003, OCR has investigated tens of thousands of complaints and resolved cases resulting in over $142 million in penalties through 2024 alone.

The law applies to covered entities — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically — as well as their business associates, meaning any vendor or contractor that creates, receives, maintains, or transmits protected health information (PHI) on their behalf.

The Four Rules Every Organization Must Understand

HIPAA is not a single rule. It's a framework built on several interconnected regulatory components codified primarily in 45 CFR Parts 160 and 164. Here are the four you need to know:

The Privacy Rule (45 CFR Part 164, Subpart E)

The Privacy Rule establishes national standards for when and how PHI can be used or disclosed. It requires your organization to provide patients with a Notice of Privacy Practices, honor patient rights to access and amend their records, and apply the minimum necessary standard — meaning you only use or disclose the least amount of PHI needed for a given purpose.

In my work with covered entities, the Privacy Rule violations I see most often involve staff sharing PHI verbally in public areas, responding to records requests without verifying identity, or failing to update their Notice of Privacy Practices after policy changes.

The Security Rule (45 CFR Part 164, Subpart C)

The Security Rule applies specifically to electronic protected health information (ePHI). It requires administrative, physical, and technical safeguards — including access controls, encryption, audit logs, and a thorough risk analysis. The risk analysis is not optional and not a one-time event. OCR has cited the failure to conduct an adequate risk analysis in the majority of its enforcement actions.

The Breach Notification Rule (45 CFR Part 164, Subpart D)

When an impermissible use or disclosure of PHI compromises its security or privacy, your organization must notify affected individuals, HHS, and in some cases, the media. Breaches affecting 500 or more individuals must be reported to HHS within 60 days and are posted publicly on OCR's Breach Portal — often called the "Wall of Shame."

The Omnibus Rule (2013)

The Omnibus Rule strengthened HIPAA significantly. It extended direct liability to business associates, increased penalty tiers, and tightened breach notification requirements by introducing a presumption that any impermissible disclosure is a breach unless demonstrated otherwise through a four-factor risk assessment.

The Workforce Training Requirement Most Organizations Underestimate

Under 45 CFR §164.530(b), covered entities must train all workforce members on HIPAA policies and procedures. Under §164.308(a)(5), the Security Rule requires security awareness training. "Workforce" doesn't mean just employees — it includes volunteers, trainees, and anyone under your organization's direct control.

Healthcare organizations consistently struggle with this requirement. A laminated poster in the break room is not training. An email with a PDF attachment sent once in 2019 is not training. OCR expects documented, role-appropriate education with evidence that each workforce member completed it.

If your team hasn't completed a formal course recently, structured HIPAA training and certification is the most efficient way to close this gap and create an audit-ready paper trail.

Common HIPAA Violations That Trigger OCR Enforcement

OCR investigates complaints and conducts compliance reviews. The most frequently cited HIPAA violations include:

  • Failure to perform an organization-wide risk analysis
  • Impermissible disclosures of PHI (sharing information without authorization or a permitted purpose)
  • Lack of workforce training documentation
  • Failure to implement access controls for ePHI
  • Not having or not following business associate agreements
  • Denial of patients' right to access their own records

Penalties range from $141 per violation for unknowing infractions up to $2,134,831 per violation for willful neglect (adjusted annually for inflation). Criminal penalties under 42 U.S.C. §1320d-6 can include fines up to $250,000 and imprisonment up to 10 years.

Three Steps to Take This Week

If your organization is still getting its arms around what HIPAA is and what it demands, these three actions will put you on solid footing immediately:

  • Conduct or update your risk analysis. Document every threat to ePHI in your environment and your mitigation plan. Use the NIST Cybersecurity Framework or HHS's own Security Risk Assessment Tool as a starting point.
  • Audit your business associate agreements. Every vendor that touches PHI must have a current, Omnibus-compliant BAA in place. No exceptions.
  • Train your entire workforce. Enroll every team member — clinical and administrative — in comprehensive HIPAA compliance training and retain completion certificates for at least six years, as required under the documentation retention standard at 45 CFR §164.530(j).

HIPAA Is a Framework, Not a Finish Line

Understanding what HIPAA is means recognizing that compliance is continuous. Regulations evolve, OCR enforcement priorities shift, and your organization's risk profile changes every time you adopt new technology, onboard a vendor, or hire a new staff member.

The organizations that avoid six-figure penalties and breach headlines are the ones that treat HIPAA as an operational discipline — not a checkbox exercise completed once and forgotten. Start with the risk analysis, formalize your training, and build from there.