Originally published November, 2023 by Daniela Villalobos · Updated June 2026 by J.R. Hurd, Cybersecurity Consultant at Echelon.
It's no surprise that over time, an increasing number of industries are embracing technology to automate their processes. The healthcare sector is no exception to this trend. From complex tasks such as using robots to assist in surgeries to more routine activities like managing patient paperwork, technology is making its mark.
In healthcare, data takes on a profound meaning. Each record represents a piece of the critical journey between life and death for a patient, a testament to the dedication of every doctor that puts his or her mind to solve a piece of the mystery that comes with every patient that enters their practice.
Now, let’s consider the recent breaches involving major companies: compromised passwords, leaked emails, exposed addresses… Imagine adding sensitive health records to this mix. Sounds like the secret ingredient to chaos, right? This is where the Health Insurance Portability and Accountability Act (HIPAA) steps in as the guardian of the most valuable asset from healthcare patients: information.
As you embark on your journey to obtain and maintain HIPAA compliance, consider that HIPAA compliance is not just another box to check off. Whether you are an IT expert, healthcare executive, or an insurance associate, recognizing the urgency of HIPAA compliance isn’t merely a choice – it’s a responsibility.
In this article: Explore a comprehensive guide to HIPAA, its application in the healthcare sector, and essential steps to initiate a successful compliance journey. Discover the crucial role of Drata, a powerful automation tool that streamlines HIPAA compliance efforts, simplifies documentation, facilitates collaboration, and ensures data security.
So, what exactly is HIPAA?
HIPAA is a comprehensive legal framework that extends beyond the focus on securing and protecting protected health information (PHI). While this article primarily addresses the safeguarding of PHI, it's important to note that HIPAA includes various elements beyond security and protection.
Specifically, we refer to sections of Title I of HIPAA, which is one of the five titles that make up this regulatory framework. This article does not aim to provide a detailed exploration of all aspects of HIPAA. However, it is crucial to acknowledge that the law encompasses multiple rules, such as the Security Rule, Privacy Rule, Enforcement Rule, and Breach Notification Rule.
HIPAA’s goal is straight-forward: to protect patient data that relates to past, present, or future physical/mental health or healthcare expenses. Non-compliance risks more than just damaging the trust you’ve worked to build over the years with your clients, fines can range from $100 USD to $50,000 USD per violation, depending on your security posture prior to a breach.
The most common pitfalls that could lead to HIPAA violations include unauthorized disclosure of PHI to a third party without a signed Business Associate Agreement, failure to terminate PHI access when it’s no longer necessary, theft of patient records, mishandling of PHI, and neglecting to conduct an appropriate risk assessment. These scenarios are far from being impossible, and can happen to any organization, at any time.
Hospitals and healthcare providers are the only ones that should be held accountable, right?
The answer is no. HIPAA is applicable to two main groups:
Covered entities are defined as health plans, healthcare, clearinghouses, and healthcare providers. Some examples include hospitals, doctors, clinics, and health insurance companies.
Business associates might come as a surprise category. This refers to a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or providing services to, a covered entity. Some examples are accountants, billing companies, cloud storage providers, web hosts, and even lawyers.
Now that I know that I should be compliant with HIPAA, how do I start?
This is the six-step HIPAA compliance journey starter that I recommend:
Form a compliance team or function. Create a dedicated team that includes stakeholders from across your organization. Each department dealing with PHI should have a role to play.
Conduct a HIPAA risk assessment. You have three approaches to choose from: asset-based, vulnerability-based, and threat-based approach. Choose the one that suits you best.
Develop a compliance plan. Align the prioritized risks identified in the assessment with the administrative (policies, training, etc.), physical (access controls, workstation use, hardware inventory, etc.) and technical safeguards (data in transit, access control, activity logs and audit controls, etc.) mandated by the HIPAA security rule.
Implement your plans internally. At this point, HIPAA’s internal effort should be complete, or at least in a state that can help you to understand how to implement it with the external factors that might affect your organization.
Determine which vendors must sign a Business Associate Agreement. This step is crucial to ensure that your business associates adhere to all of HIPAA’s rules.
Develop an incident response plan that incorporates HIPAA requirements. In the event of a data breach, the response plan should be activated promptly. Notify affected parties through written or emailed notices within 60 days of discovering the breach. If direct contact is not possible, consider posting the information on your website and social media profiles. It must include five crucial pieces of information:
- Explanation of what has happened
- Summary of the exposed or stolen information
- A brief explanation of your organization’s response to the breach
- A summary of the actions you’re taking to prevent future breaches
- Instructions for breach victims on how to limit harm
While there are only six steps to getting started, it seems quite tricky to stay compliant, right? All the different controls, documents needed, and people to include in the effort might feel overwhelming, and that is where Drata, a compliance automation platform, can make a big difference.
Using a GRC platform for automation
Human error is a common concern when beginning a compliance program, along with the significant time investment required to design and maintain a comprehensive approach.
Automation platforms can help streamline this process by centralizing requirements, supporting risk assessments, and monitoring security controls. These tools enable organizations to reduce manual effort, improve consistency, and scale their compliance programs more effectively while aligning with their specific operational needs.
Our organization partners with Drata as one example of a platform that can support these capabilities.
So, what exactly does a GRC platform assist with?
Simplifying Documentation: Automates the documentation process, creation of policies, security controls, and procedures. It ensures that all the components required for compliance are in place and remain up to date. Bye-bye to screenshots and spreadsheets!
Built-in Training: Guarantees that all team members complete essential training without ever leaving the platform, centralizing the resources needed for a seamless implementation.
Monitoring: Offering real-time monitoring of security controls by identifying anomalies or deviations requiring immediate attention. This proves particularly helpful when prioritizing one control over another, effectively saving implementation time.
Efficient Auditing: Automation lifts the weight of audit preparation from your team’s shoulders. Its system grants swift access to compliance documentation, streamlining the entire audit process.
Collaboration: Acts as a facilitator of collaboration among diverse teams involved in the compliance effort. It ensures that everyone is on the same page, mitigating the risk of inconsistencies in information and preventing misunderstandings.
Customization: Acknowledging that every organization is unique, and so are their needs. GRC platforms empower you to designate control owners, create custom controls, assign policies to specific groups, and much more.
These tools aid in maintaining compliance by identifying issues before they escalate into breaches. Notably, if you've already implemented the necessary processes for SOC 2, HIPAA overlaps by 81%, while ISO 27001 aligns by 75%.
The Bottom Line on HIPAA Compliance
In a world where information stands as the most precious token, healthcare custodians bear the heavy responsibility of preserving not just PHI – but trust itself. HIPAA represents the vow to not only protect patient privacy, but their life story as well. This mission is critical for healthcare providers, and even to the unknown heroes who store patient’s data, where the promise of security is the common ground.
Drata emerges as a powerful ally, for both time-saving and trust-building for your team. It guides you through the mystery of how to start, serving as a beacon of light on what might initially seem like an overwhelming journey towards compliance.
Embrace HIPAA as something greater than another security item in your checklist, regardless of whether you’re an IT professional or an insurance executive. Embrace it as a pledge to protect every patient’s basic human right to privacy and security.
What’s changed since 2024?
HIPAA itself has not been fully rewritten, but the operational expectations around HIPAA compliance have shifted significantly since 2024 due to increased cyber threats, regulatory pressure, and evolving guidance from federal agencies.
Key developments:
Proposed overhaul of the HIPAA Security Rule
In late 2024, the U.S. Department of Health and Human Services proposed the first major update to the Security Rule since 2013. The rule is intended to strengthen cybersecurity protections for electronic protected health information (ePHI).
More prescriptive cybersecurity controls
The proposal and related guidance emphasize specific safeguards such as:
- Mandatory multi-factor authentication
- Encryption of ePHI
- Network segmentation
- Regular vulnerability testing and security audits
Healthcare cyberattacks have surged
Reports of large healthcare data breaches increased dramatically between 2018 and 2023, affecting more than 167 million individuals in 2023 alone, largely driven by ransomware and hacking incidents.
New Examples
Regional Clinic
A regional clinic completes an annual risk analysis and discovers that its imaging archive is accessible through a legacy VPN with weak authentication. The organization implements MFA and network segmentation to isolate that system from the primary EHR environment.
Healthcare SaaS Platform
A health analytics provider signs BAAs with customers but later realizes one cloud logging service is storing patient identifiers in debugging logs. The company updates logging configurations and implements automated PHI scanning.
Large Hospital Network
After a ransomware incident in the sector, a hospital system performs tabletop incident response exercises and implements immutable backups to ensure systems can be restored quickly without paying ransom.
Key Takeaways
- A comprehensive cybersecurity program is now a requirement for HIPAA compliance. Modern enforcement focuses heavily on technical safeguards like MFA, encryption, and monitoring.
- Vendor risk is a growing exposure point. Signing BAAs is not enough; organizations must validate vendor security practices.
- Healthcare cyberattacks are driving regulatory changes. Major breaches affecting millions of patients are accelerating HIPAA rule updates.
- Documentation alone won’t pass an audit. Regulators increasingly expect operational evidence of controls, testing, and risk remediation.