Howdy Expert

By Howdy.com

Hire the Top 1% of Developers in Latin America.

Howdy specializes in nearshore talent sourcing, helping U.S.-based companies direct hire from Latin America. We provide multi-national logistics, support, and compliance assistance. Our vetting process delivers the highest quality talent in software development, operations, finance, HR, marketing, sales, and customer support for a 98% retention rate.

Content

    The Health Insurance Portability and Accountability Act — better known as "HIPAA" — establishes guardrails for the personal health information (PHI) exchanged and used between health care providers. The consequences for violating HIPAA rules can be steep, ranging from $100 for an "unknowing" violation to $1.5 million for "willful neglect."

    In December 2024, the Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule. The changes focus on strengthening cybersecurity protections for electronic protected health information (ePHI) in response to the surge of cyberattacks and data breaches in the healthcare sector.

    Amid rising cyber threats and evolving regulations, understanding and following HIPAA regulations is more critical than ever. If your company accesses, uses, or transmits PHI, you may be subject to HIPAA rules. Our HIPAA IT compliance guide and downloadable checklist contain everything you need to satisfy federal regulations and protect user privacy.

  1. Key takeaways
    • Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to protect private health information.
    • HIPAA applies to covered entities and business associates who provide services related to protected health information (PHI).
    • All software handling or storing PHI on behalf of a covered entity or business associate must be HIPAA compliant.
    • Following HIPAA guidelines is essential to protecting patient privacy and avoiding penalties.
  2. What is HIPAA compliance?

    3. Established by a federal law in 1996, HIPAA protects the security of personal health information (PHI). HIPAA compliance helps prevent unauthorized access, breaches, and misuse of sensitive health data.

    Types of data under HIPAA compliance

    HIPAA covers all forms of personal health information, including:

    • Identifiable health information: Names, addresses, birth dates, Social Security numbers, and other unique identifiers.
    • Medical records: Diagnoses, treatment information, test results, and prescriptions.
    • Billing information: Insurance details, billing records, and payment histories.
  3. Covered entity vs. business associate

    4. HIPAA compliance is required for two categories of individuals and organizations: Covered entities and business associates.

    • Covered entities. Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit ePHI. This category includes most telehealth platforms, online pharmacies and other medtech companies that handle ePHI.
    • Business associates. Business associates include business that provides services involving PHI. — either to covered entities or to other business associates. Examples include contract billing companies, claims processing firms, data processing or analysis companies, and medical transcription services.
  4. The 5 rules of HIPAA

    5. HIPAA is divided into five fundamental rules. If your organization is a covered entity or business associate, identifying which HIPAA rules apply to you is an important first step in achieving compliance.

    1. Privacy Rule. The HIPAA Privacy Rule establishes national standards to protect patient medical records and other PHI. The privacy rule ensures covered entities and business associates treat customer data with discretion while giving patients the right to decide how, why, and if their data is used. This rule also gives every patient the right to get a copy of their records and request corrections to their file.
    2. Security rule. The HIPAA Security Rule focuses on electronic protected health information (ePHI). It requires covered entities and business associates to introduce administrative, physical, and technical safeguards for ePHI. This includes conducting risk assessments, implementing security measures like encryption and multifactor authentication, and conducting workforce compliance training.
    3. Transactions Rule. The HIPAA Transactions Rule deals with the electronic exchange of PHI. It establishes a set of standard codes to represent administrative and financial healthcare transactions, including diagnoses, procedures, and medications.
    4. Unique Identifiers Rule. This rule establishes unique codes for identifying healthcare organizations, employees, and patients. These identifiers include National Provider Identifiers (NPI), Employer Identification Numbers (EIN), and Health Plan Identifiers (HPID).
    5. Enforcement rule. The HIPAA Enforcement rule outlines procedures for HIPAA violation investigations and establishes civil money penalties for non-compliance. Penalties vary by negligence level, with a maximum annual penalty of $1.5 million for repeated violations.
  5. HIPAA compliance checklist

    6. HIPAA compliance has become increasingly complex due to rapidly advancing tech and the rising threat of cyberattacks. This checklist will walk you through the many steps needed to achieve HIPAA compliance.

    Step 1: Designate a HIPAA compliance officer.

    Appoint an internal officer to oversee HIPAA compliance. This person's job is to develop and enforce your company's compliance policies and procedures. Your HIPAA compliance officer will be in charge of the following task:

    • Identifying and addressing risks
    • Providing training
    • Developing and implementing your company security policies and procedures
    • Creating a disaster recovery plan
    • Responding to breaches

    If you are a larger company handling lots of PHI, these responsibilities may be divided between two officers: a HIPAA privacy officer and a HIPAA security officer.

    Step 2: Develop and document policies

    In the event of a HIPAA complaint investigation, you will need to demonstrate you've been proactive about preventing violations. Carefully document your organization's security and privacy policies addressing the privacy and security of PHI. These policies must be communicated to staff and updated regularly.

    Step 3: Conduct HIPAA risk assessments

    Under the HIPAA Security Rule, covered entities and business associates must conduct regular risk assessments. Your process for completing a HIPAA risk assessment should include the following steps:

    1. Define the scope. Identify systems, applications, and processes that handle ePHI.
    2. Identify potential threats. Examine internal and external threats to PHI. Examples of internal threats include outdated software and unauthorized employee access. External threats may include cyberattacks or natural disasters.
    3. Assess current security. Evaluate existing security protocols, including technical measures like encryption and administrative measures like employee training.
    4. Determine risk. After identifying threats, analyze the likelihood and potential impact of each one.
    5. Develop and implement mitigation strategies. Based on your analysis, develop strategies to mitigate risks. This could involve updating security policies, tech, or employee training programs.
    6. Document findings. Be sure to document your findings carefully to demonstrate compliance in the event of an audit.

    Step 4: Create Business Associate Agreements (BAAs)

    If you are a covered entity, you may only work with business associates and service providers who also comply with HIPAA requirements for protecting PHI. Identify all external entities or individuals who can access PHI, and establish business associate agreements (BAAs) with each of them.

    A BAA defines the responsibilities of each party for protecting and handling PHI. When establishing a BAA, clearly outline rules for data security, privacy practices, breach reporting obligations, and data use restrictions. You'll need to collect these BAAs and routinely review and update them as your relationships, services, and company evolve.

    Step 5: Establish HIPAA safeguards

    Under the HIPAA Security rule, you and your business associates must establish three safeguards to secure PHI:

    Administrative safeguards. These are policies and procedures that demonstrate how your company complies with HIPAA. Key components include conducting risk assessments, providing employee training, and routinely reviewing privacy policies.

    Physical safeguards. These safeguards control physical access to your office and computer systems. Examples include facility access controls — such as security cameras, locks, and alarms — and workstation security measures, such as screen barriers and locking cables.

    Technical safeguards. Finally, technical safeguards protect ePHI from unauthorized access and modification. Examples include antivirus software and data encryption.

    Step 6: Create a security and incident response plan

    A data breach doesn't guarantee you a penalty. Neglecting to report a breach, however, is a clear violation of the HIPAA Breach Notification Rule. This rule requires companies to report a data breach to the Office for Civil Rights (OCR) and alert any users who may have been impacted within 60 days.

    To be compliant, you’ll need to have a documented breach notification process that defines how your company will address PHI breaches. The plan should outline procedures for detecting, responding to, and recovering from an emergency data breach.

    Step 7: Use or build secure software

    Perhaps the most important step in satisfying HIPAA is setting up software that helps you monitor, alert, and automate, and prove ongoing compliance. You'll need high-quality, highly reliable software that uses data encryption and security measures to protect ePHI. You'll also want software that can grow with your company, accommodating increasing data and users without compromising performance or security.

    If you plan on designing custom software through a vendor, be sure your partner has a proven track record of experience in the healthcare industry. Your provider will need to deliver support and regular software updates to maintain compliance with HIPAA's ever-evolving regulations.

    As a longtime healthcare software development partner, Howdy.com is well-versed in HIPAA compliance. Our expert medtech dev team consistently delivers compliant solutions that safeguard patient information and exceed industry standards. Book a demo to see how we can simplify your HIPAA IT compliance.

    Step 8: Continually monitor and update compliance policies

    HIPAA compliance is an ongoing journey. As your organization grows, monitor and update your compliance policies accordingly. This includes conducting internal and third-party audits and regularly updating policies, procedures, and software to adapt to evolving regulations and emerging threats.

  6. Enforcement & penalties for non-compliance

    7. The OCR actively investigates complaints and conducts HIPAA compliance reviews. Violating HIPAA rules can result in civil or criminal penalties, depending on the severity of the violation.

    Civil penalties

    Civil penalties for HIPAA noncompliance are handled by the Office for Civil Rights (OCR). Civil penalties are determined based on a tiered structure:

    Tier 1: Unknowing violations

    The entity was unaware of the violation and would not have known about it by exercising due diligence.

    • Penalty: $141 - $71,162 per violation.

    Tier 2: Reasonable cause

    The violation was due to reasonable cause and not willful neglect.

    • Penalty: $1,424 to $71,162 per violation.

    Tier 3: Willful neglect (corrected)

    The violation was caused by willful neglect but was corrected within the required period.

    • Penalty Range: $14,232 to $71,162 per violation.

    Tier 4: Willful neglect (Not corrected)

    The violation was caused by willful neglect and was not corrected.

    • Penalty: $71,162 to $2,134,831 per violation.

    Penalties are adjusted annually adjustments for inflation. The maximum penalty caps at up to $1.5 million for all violations of an identical provision during a calendar year.

    Criminal penalties

    HIPAA violations can lead to criminal charges, especially if the offense involves deliberate misuse of PHI. Criminal violations of HIPAA are handled by the Department of Justice (DOJ). Similar to civil penalties, criminal penalties are determined on a tier structure:

    Tier 1: Knowingly obtaining or disclosing PHI

    • Penalty: Up to $50,000 in fines and up to one year incarceration

    Tier 2: Obtaining PHI under false pretenses

    • Penalty: Up to $100,000 and up to five years incarceration

    Tier 3: Intent to sell, transfer, or use PHI for personal gain or malicious intent

    • Penalty: Up to $250,000 in fines and up to ten years incarceration
  7. Conclusion

    8. Failure to comply with HIPAA can cost you. Don’t cut corners on your efforts in developing, enforcing, and maintaining your HIPAA compliance.

    The Howdy.com team has helped healthcare clients develop and update HIPAA-compliant software since 2018. Our medtech experts continually monitor HIPAA updates and emerging threats to build high-quality software that is secure, compliant, and protected from cyber threats.

    Once you’ve done all the work to become compliant, you need software in place to help you stay secure. Howdy.com can help. Book a free demo to learn more.

HIPAA Compliance Checklist

Ensure HIPAA compliance in IT with this checklist covering risk assessments, security safeguards, and best practices to protect ePHI.

Updated on: Mar 26, 2025
Published on: Mar 25, 2025

Share on LinkedInShare on TwitterShare on Facebook
HIPAA Compliance Checklist featured image

The Health Insurance Portability and Accountability Act — better known as "HIPAA" — establishes guardrails for the personal health information (PHI) exchanged and used between health care providers. The consequences for violating HIPAA rules can be steep, ranging from $100 for an "unknowing" violation to $1.5 million for "willful neglect."

In December 2024, the Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule. The changes focus on strengthening cybersecurity protections for electronic protected health information (ePHI) in response to the surge of cyberattacks and data breaches in the healthcare sector.

Amid rising cyber threats and evolving regulations, understanding and following HIPAA regulations is more critical than ever. If your company accesses, uses, or transmits PHI, you may be subject to HIPAA rules. Our HIPAA IT compliance guide and downloadable checklist contain everything you need to satisfy federal regulations and protect user privacy.

Key takeaways

  • Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to protect private health information.
  • HIPAA applies to covered entities and business associates who provide services related to protected health information (PHI).
  • All software handling or storing PHI on behalf of a covered entity or business associate must be HIPAA compliant.
  • Following HIPAA guidelines is essential to protecting patient privacy and avoiding penalties.

What is HIPAA compliance?

Established by a federal law in 1996, HIPAA protects the security of personal health information (PHI). HIPAA compliance helps prevent unauthorized access, breaches, and misuse of sensitive health data.

Types of data under HIPAA compliance

HIPAA covers all forms of personal health information, including:

  • Identifiable health information: Names, addresses, birth dates, Social Security numbers, and other unique identifiers.
  • Medical records: Diagnoses, treatment information, test results, and prescriptions.
  • Billing information: Insurance details, billing records, and payment histories.

Covered entity vs. business associate

HIPAA compliance is required for two categories of individuals and organizations: Covered entities and business associates.

  • Covered entities. Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit ePHI. This category includes most telehealth platforms, online pharmacies and other medtech companies that handle ePHI.
  • Business associates. Business associates include business that provides services involving PHI. — either to covered entities or to other business associates. Examples include contract billing companies, claims processing firms, data processing or analysis companies, and medical transcription services.

The 5 rules of HIPAA

HIPAA is divided into five fundamental rules. If your organization is a covered entity or business associate, identifying which HIPAA rules apply to you is an important first step in achieving compliance.

  1. Privacy Rule. The HIPAA Privacy Rule establishes national standards to protect patient medical records and other PHI. The privacy rule ensures covered entities and business associates treat customer data with discretion while giving patients the right to decide how, why, and if their data is used. This rule also gives every patient the right to get a copy of their records and request corrections to their file.
  2. Security rule. The HIPAA Security Rule focuses on electronic protected health information (ePHI). It requires covered entities and business associates to introduce administrative, physical, and technical safeguards for ePHI. This includes conducting risk assessments, implementing security measures like encryption and multifactor authentication, and conducting workforce compliance training.
  3. Transactions Rule. The HIPAA Transactions Rule deals with the electronic exchange of PHI. It establishes a set of standard codes to represent administrative and financial healthcare transactions, including diagnoses, procedures, and medications.
  4. Unique Identifiers Rule. This rule establishes unique codes for identifying healthcare organizations, employees, and patients. These identifiers include National Provider Identifiers (NPI), Employer Identification Numbers (EIN), and Health Plan Identifiers (HPID).
  5. Enforcement rule. The HIPAA Enforcement rule outlines procedures for HIPAA violation investigations and establishes civil money penalties for non-compliance. Penalties vary by negligence level, with a maximum annual penalty of $1.5 million for repeated violations.

HIPAA compliance checklist

HIPAA compliance has become increasingly complex due to rapidly advancing tech and the rising threat of cyberattacks. This checklist will walk you through the many steps needed to achieve HIPAA compliance.

Step 1: Designate a HIPAA compliance officer.

Appoint an internal officer to oversee HIPAA compliance. This person's job is to develop and enforce your company's compliance policies and procedures. Your HIPAA compliance officer will be in charge of the following task:

  • Identifying and addressing risks
  • Providing training
  • Developing and implementing your company security policies and procedures
  • Creating a disaster recovery plan
  • Responding to breaches

If you are a larger company handling lots of PHI, these responsibilities may be divided between two officers: a HIPAA privacy officer and a HIPAA security officer.

Step 2: Develop and document policies

In the event of a HIPAA complaint investigation, you will need to demonstrate you've been proactive about preventing violations. Carefully document your organization's security and privacy policies addressing the privacy and security of PHI. These policies must be communicated to staff and updated regularly.

Step 3: Conduct HIPAA risk assessments

Under the HIPAA Security Rule, covered entities and business associates must conduct regular risk assessments. Your process for completing a HIPAA risk assessment should include the following steps:

  1. Define the scope. Identify systems, applications, and processes that handle ePHI.
  2. Identify potential threats. Examine internal and external threats to PHI. Examples of internal threats include outdated software and unauthorized employee access. External threats may include cyberattacks or natural disasters.
  3. Assess current security. Evaluate existing security protocols, including technical measures like encryption and administrative measures like employee training.
  4. Determine risk. After identifying threats, analyze the likelihood and potential impact of each one.
  5. Develop and implement mitigation strategies. Based on your analysis, develop strategies to mitigate risks. This could involve updating security policies, tech, or employee training programs.
  6. Document findings. Be sure to document your findings carefully to demonstrate compliance in the event of an audit.

Step 4: Create Business Associate Agreements (BAAs)

If you are a covered entity, you may only work with business associates and service providers who also comply with HIPAA requirements for protecting PHI. Identify all external entities or individuals who can access PHI, and establish business associate agreements (BAAs) with each of them.

A BAA defines the responsibilities of each party for protecting and handling PHI. When establishing a BAA, clearly outline rules for data security, privacy practices, breach reporting obligations, and data use restrictions. You'll need to collect these BAAs and routinely review and update them as your relationships, services, and company evolve.

Step 5: Establish HIPAA safeguards

Under the HIPAA Security rule, you and your business associates must establish three safeguards to secure PHI:

Administrative safeguards. These are policies and procedures that demonstrate how your company complies with HIPAA. Key components include conducting risk assessments, providing employee training, and routinely reviewing privacy policies.

Physical safeguards. These safeguards control physical access to your office and computer systems. Examples include facility access controls — such as security cameras, locks, and alarms — and workstation security measures, such as screen barriers and locking cables.

Technical safeguards. Finally, technical safeguards protect ePHI from unauthorized access and modification. Examples include antivirus software and data encryption.

Step 6: Create a security and incident response plan

A data breach doesn't guarantee you a penalty. Neglecting to report a breach, however, is a clear violation of the HIPAA Breach Notification Rule. This rule requires companies to report a data breach to the Office for Civil Rights (OCR) and alert any users who may have been impacted within 60 days.

To be compliant, you’ll need to have a documented breach notification process that defines how your company will address PHI breaches. The plan should outline procedures for detecting, responding to, and recovering from an emergency data breach.

Step 7: Use or build secure software

Perhaps the most important step in satisfying HIPAA is setting up software that helps you monitor, alert, and automate, and prove ongoing compliance. You'll need high-quality, highly reliable software that uses data encryption and security measures to protect ePHI. You'll also want software that can grow with your company, accommodating increasing data and users without compromising performance or security.

If you plan on designing custom software through a vendor, be sure your partner has a proven track record of experience in the healthcare industry. Your provider will need to deliver support and regular software updates to maintain compliance with HIPAA's ever-evolving regulations.

As a longtime healthcare software development partner, Howdy.com is well-versed in HIPAA compliance. Our expert medtech dev team consistently delivers compliant solutions that safeguard patient information and exceed industry standards. Book a demo to see how we can simplify your HIPAA IT compliance.

Step 8: Continually monitor and update compliance policies

HIPAA compliance is an ongoing journey. As your organization grows, monitor and update your compliance policies accordingly. This includes conducting internal and third-party audits and regularly updating policies, procedures, and software to adapt to evolving regulations and emerging threats.

Enforcement & penalties for non-compliance

The OCR actively investigates complaints and conducts HIPAA compliance reviews. Violating HIPAA rules can result in civil or criminal penalties, depending on the severity of the violation.

Civil penalties

Civil penalties for HIPAA noncompliance are handled by the Office for Civil Rights (OCR). Civil penalties are determined based on a tiered structure:

Tier 1: Unknowing violations

The entity was unaware of the violation and would not have known about it by exercising due diligence.

  • Penalty: $141 - $71,162 per violation.

Tier 2: Reasonable cause

The violation was due to reasonable cause and not willful neglect.

  • Penalty: $1,424 to $71,162 per violation.

Tier 3: Willful neglect (corrected)

The violation was caused by willful neglect but was corrected within the required period.

  • Penalty Range: $14,232 to $71,162 per violation.

Tier 4: Willful neglect (Not corrected)

The violation was caused by willful neglect and was not corrected.

  • Penalty: $71,162 to $2,134,831 per violation.

Penalties are adjusted annually adjustments for inflation. The maximum penalty caps at up to $1.5 million for all violations of an identical provision during a calendar year.

Criminal penalties

HIPAA violations can lead to criminal charges, especially if the offense involves deliberate misuse of PHI. Criminal violations of HIPAA are handled by the Department of Justice (DOJ). Similar to civil penalties, criminal penalties are determined on a tier structure:

Tier 1: Knowingly obtaining or disclosing PHI

  • Penalty: Up to $50,000 in fines and up to one year incarceration

Tier 2: Obtaining PHI under false pretenses

  • Penalty: Up to $100,000 and up to five years incarceration

Tier 3: Intent to sell, transfer, or use PHI for personal gain or malicious intent

  • Penalty: Up to $250,000 in fines and up to ten years incarceration

Conclusion

Failure to comply with HIPAA can cost you. Don’t cut corners on your efforts in developing, enforcing, and maintaining your HIPAA compliance.

The Howdy.com team has helped healthcare clients develop and update HIPAA-compliant software since 2018. Our medtech experts continually monitor HIPAA updates and emerging threats to build high-quality software that is secure, compliant, and protected from cyber threats.

Once you’ve done all the work to become compliant, you need software in place to help you stay secure. Howdy.com can help. Book a free demo to learn more.

What to read next