What Is HIPAA Compliance? Key Definitions + 7 Step Checklist

Blaise Wabo
September 28, 2022 01:35 PM EST

HIPAA (Health Insurance Portability and Accountability Act) is a federal law requiring organizations to keep patient data confidential and secure. If your organization handles protected health information (PHI), a HIPAA compliance report demonstrates that you have the required safeguards in place to protect patient information.

There are three major components of HIPAA rules and regulations: the Security Rule, the Privacy Rule, and the Breach Notification Rule. This article gives background information on these three components and provides a checklist you can use when seeking HIPAA compliance.

What is HIPAA Compliance?

HIPAA compliance is a process for covered entities and business associates to protect and secure PHI in a way that complies with the established Privacy, Security, and Breach Notification Rules. Let’s review what information qualifies as protected health information and the professions bound by HIPAA regulations.


    PHI is protected health information. This includes items such as paper documents, X-rays, and prescription information. Electronic protected health information (ePHI) is PHI such as digital medical records, electronic MRI scans, names, addresses, and dates (birthdays, hospital admission and discharge dates, etc.) that is stored or transmitted electronically.

    Covered entities are individuals and organizations working in healthcare who have access to PHI. These include doctors, surgeons, nurses, psychologists, dentists, chiropractors, hospitals, clinics, nursing homes, pharmacies, health plans, health insurance companies, HMOs, and company health plans. They frequently work with sensitive health information and are therefore bound by HIPAA regulations.

    Business associates are individuals and entities that perform activities involving the use or disclosure of protected health information on behalf of, or provide services to, a covered entity. This could include, but is not limited to, lawyers, accountants, administrators, and IT professionals.

The HIPAA Security Rule requires covered entities accessing or handling ePHI to follow appropriate technical, physical, and administrative safeguards designed to keep healthcare data confidential and secure. These safeguards fall into three categories:

      1: Technical Safeguards include the following:

      • Access Controls: Only authorized persons may have access to ePHI.
      • Audit Controls: Records of those accessing ePHI must be kept for auditing.
      • Integrity Controls: Measures must be established to confirm ePHI has not been improperly altered or destroyed.
      • Transmission Security: Security measures must be established to guard against unauthorized access to ePHI transmitted electronically.

      2: Physical Safeguards include the following:

      • Facility Access and Control: Physical access to facilities must be limited to authorized personnel.
      • Workstation and Device Security: Policies and procedures must be established specifying the proper use of and access to workstations and electronic media.

      3: Administrative Safeguards include the following:

      • Security Management Process: Potential risks to ePHI must be identified and analyzed, and security measures implemented to reduce these risks.
      • Security Personnel: The entity must appoint someone from the organization as the designated security official responsible for developing and implementing its security policies and procedures to ensure compliance with the Security Rule.
      • Information Access Management: Policies and procedures must be established authorizing access to ePHI only when necessary.
      • Workforce Training and Management: Workforce members handling ePH