What is HIPAA compliance?

TL;DR

HIPAA compliance means meeting the requirements of the U.S. Health Insurance Portability and Accountability Act for handling protected health information (PHI). For healthcare providers, health plans, clearinghouses, and their business associates, HIPAA imposes administrative, physical, and technical safeguards under the Security Rule and privacy and disclosure rules under the Privacy Rule. Compliance is not a certification; it is an ongoing posture backed by a written program, documented controls, workforce training, and breach-response readiness.

The short version

  • HIPAA compliance governs how covered entities and business associates handle protected health information.
  • The core federal regulations are the Security Rule, the Privacy Rule, and the Breach Notification Rule.
  • Compliance is a continuous posture, not a certification; it is demonstrated through a written program, controls, and evidence.

The longer explanation

The structure of HIPAA

HIPAA is a statute (1996, with HITECH amendments in 2009 and the Omnibus Rule in 2013). The operational rules are:

  • Privacy Rule. Governs when and how PHI can be used and disclosed. Defines individual rights — access, amendment, accounting of disclosures.
  • Security Rule. Administrative, physical, and technical safeguards for electronic PHI (ePHI).
  • Breach Notification Rule. Notification obligations when unsecured PHI is impermissibly used or disclosed.
  • Enforcement Rule. Penalty structure and enforcement procedures administered by HHS Office for Civil Rights.

What the Security Rule actually asks for

The Security Rule is risk-based and flexible — it does not prescribe specific technologies. The required controls fall into three categories:

Administrative safeguards (roughly half the rule). A written risk analysis, security management process, workforce access authorization, training, contingency planning (backups, disaster recovery, emergency mode), evaluation of the security program over time.

Physical safeguards. Facility access controls, workstation use and security, device and media controls including disposal and re-use procedures.

Technical safeguards. Access controls, audit controls, integrity controls, person or entity authentication, transmission security.

Most controls in the rule are "required" (must implement) or "addressable" (must either implement or document why a reasonable alternative meets the standard).

Business associate relationships

If a vendor touches PHI on behalf of a covered entity, the relationship requires a business associate agreement (BAA). The BAA flows HIPAA obligations to the vendor. Subcontractors the vendor uses must in turn sign BAAs with the vendor. SaaS and cloud vendors serving healthcare clients build their compliance posture around this BAA chain.

What clients actually need in place

The artifacts our HIPAA engagements produce:

  1. HIPAA risk analysis. The foundational document, updated annually at minimum.
  2. Written policies and procedures covering each required safeguard.
  3. Workforce training records and acknowledgments.
  4. Access control evidence — who has access to what, reviewed periodically.
  5. Audit log evidence and monitoring for anomalous access.
  6. Encryption at rest and in transit for ePHI.
  7. BAAs with every covered business associate.
  8. Incident response plan with defined breach-evaluation and notification procedures.
  9. Business continuity and disaster recovery plans with tested RTOs.

How Thoughtwave approaches this

Our cybersecurity practice runs HIPAA readiness and ongoing-monitoring engagements for covered entities and business associates. We focus on the controls that auditors and examiners actually test — not every clause in the rule — and we build the audit and evidence layer so the client's next review cycle is dramatically faster than the current one.

For deeper context, see our Cybersecurity Solutions service and our work with Healthcare & Pharma clients.

HIPAA readiness engagements typically take 8-16 weeks depending on the client's starting posture. The first half of the engagement produces the artifacts (risk analysis, written policies, training records, access-control evidence); the second half remediates the gaps identified during the review. For clients where AI is part of the handling stack, a separate review covers how protected health information moves through retrieval, prompting, and audit layers — a review our agentic AI governance work is specifically designed for.

Frequently asked questions

Who has to comply with HIPAA?

Covered entities (healthcare providers who transmit PHI electronically, health plans, and healthcare clearinghouses) plus their business associates — any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. A SaaS vendor serving a hospital is a business associate. A cloud hosting provider storing PHI is a business associate. HIPAA obligations flow through the business-associate agreement (BAA).

Is there a HIPAA certification?

No. There is no federal HIPAA certification body. Some vendors advertise "HIPAA certification" from third parties; these attestations can be useful for vendor diligence but are not a regulatory stamp. The standard artifact is a written compliance program plus evidence of the required safeguards and a HIPAA risk analysis.

What does the HIPAA Security Rule require?

Administrative safeguards (policies, workforce training, access management, contingency planning), physical safeguards (facility access, workstation security, device and media controls), and technical safeguards (access control, audit controls, integrity controls, transmission security). Most controls are "required" or "addressable" — addressable means the entity must implement a reasonable alternative if not the standard control, not that the control is optional.

What counts as a HIPAA breach?

An impermissible use or disclosure of unsecured PHI — where the PHI is not encrypted according to HHS guidance. Breaches affecting 500+ individuals require notification to HHS, affected individuals, and media within 60 days. Smaller breaches are logged and reported to HHS annually. Encryption at rest and in transit is the primary control that takes most incidents out of breach-notification territory.

Ramesh Thumu

Founder & President, Thoughtwave Software

Reviewed by Thoughtwave Editorial

Last updated April 22, 2026