Who is Required to be HIPAA Compliant?

HIPAA compliance is required for HIPAA Covered Entities and Business Associates that create, receive, maintain, or transmit protected health information in connection with regulated functions and services. HIPAA Covered Entities include health plans, health care clearinghouses, and health care providers that conduct certain standard health care transactions electronically. Business Associates are persons or entities that perform functions or activities for, or provide certain services to, a HIPAA Covered Entity that involve the use or disclosure of protected health information, and this includes subcontractors that handle protected health information on behalf of a Business Associate.

A healthcare provider’s status as a HIPAA Covered Entity depends on whether the provider conducts covered transactions electronically, such as claims, eligibility inquiries, and payment or remittance advice, using the standards adopted under HIPAA administrative simplification. A provider that bills only on paper, or that never bills a health plan, is not a Covered Entity even though it handles health information. A vendor’s status as a Business Associate depends on whether its services involve creating, receiving, maintaining, or transmitting protected health information and whether it performs those services on behalf of a HIPAA Covered Entity or another Business Associate. A Business Associate agreement is required whenever a HIPAA Covered Entity engages a Business Associate, and whenever a Business Associate engages a subcontractor that will handle protected health information; those agreements set permitted uses and disclosures, safeguard obligations, and breach reporting duties. Some organizations that support healthcare operations are not HIPAA regulated if they do not meet the definitions of a HIPAA Covered Entity or Business Associate, even if they operate in the healthcare sector.

HIPAA compliance obligations are implemented through the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, and the applicable requirements depend on the entity type and the information involved. The HIPAA Privacy Rule governs uses and disclosures of protected health information in any format and establishes individual rights such as access to and amendment of records. The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic protected health information, supported by a documented risk analysis. The HIPAA Breach Notification Rule treats an impermissible use or disclosure of unsecured protected health information as a presumed breach unless a documented risk assessment demonstrates a low probability that the information has been compromised, and it sets out the notifications owed to affected individuals, to the Secretary of HHS, and, for larger breaches, to the media.

HIPAA staff training supports compliance by giving the workforce a grounding in the HIPAA rules before the organization’s own policies and procedures are covered. All workforce members who handle protected health information in any format must receive HIPAA training, including employees, trainees, volunteers, and contractors under the organization’s direct control. Training should be provided during onboarding and reinforced through refreshers; HIPAA itself does not fix an interval, but annual HIPAA training is the accepted industry practice, and additional training is required when policies and procedures change materially. Online training can be used to provide comprehensive instruction on the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and the Privacy Rule’s minimum necessary standard, including permitted uses and disclosures, safeguards for electronic and non-electronic protected health information, individual rights handling, and internal incident reporting steps. The HIPAA Journal Training is online, comprehensive, and suitable for onboarding and annual refresher training.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA