# HIPAA Compliance for Healthcare Organizations
The HIPAA Security Rule, Privacy Rule, and Breach Notification Rule establish a comprehensive obligation to protect electronic protected health information across every system, vendor, and workflow that touches patient data. Most healthcare organizations have policies on paper. Fewer have the operational controls, continuous monitoring, and documented evidence that OCR auditors and breach investigators actually require. Armorstack bridges that gap through VERITY advisory, SENTRY security operations, and CORE infrastructure management.
## The Three Rules of HIPAA: What Each Requires
HIPAA compliance is not a single standard — it is three interlocking rules, each with distinct operational obligations. Understanding the scope of each is the starting point for any credible compliance program.
### The Security Rule (45 CFR Part 164, Subparts A and C)
The Security Rule governs electronic protected health information (ePHI) — any patient health information that is created, received, transmitted, or maintained electronically. It organizes requirements into three safeguard categories.
- Administrative safeguards (§164.308) — security management process including mandatory annual risk analysis, assigned security responsibility, workforce security controls, security awareness training, contingency planning, and business associate agreement management.
- Physical safeguards (§164.310) — facility access controls, workstation use policies, device and media controls including documented disposal procedures for hardware containing ePHI.
- Technical safeguards (§164.312) — access control with unique user identifiers, audit controls and log retention, integrity mechanisms, authentication requirements, and transmission security including encryption over public networks.
A critical and frequently misunderstood distinction: the Security Rule classifies controls as either Required or Addressable. Required controls must be implemented without exception. Addressable controls must be evaluated for applicability — if an organization determines a control is not reasonable and appropriate, that determination must be documented with a justification. OCR’s stated position is explicit: “addressable does not mean optional.” Skipping an addressable control without written documentation constitutes a violation.
### The Privacy Rule (45 CFR Part 164, Subparts A and E)
The Privacy Rule covers both electronic and paper PHI. It governs permissible uses and disclosures of patient health information, patient rights including access and amendment, and minimum necessary standards for information use. While the Privacy Rule is not primarily a technical controls framework, its requirements for workforce training, notice of privacy practices, and minimum necessary access policies intersect directly with the technical and administrative safeguards of the Security Rule.
### The Breach Notification Rule (45 CFR Part 164, Subparts A and D)
The Breach Notification Rule, established by the HITECH Act, requires covered entities to notify affected individuals, HHS, and in some cases media outlets following a breach of unsecured PHI. Notification to individuals is required within 60 days of discovery. Breaches affecting 500 or more individuals in a state or jurisdiction require simultaneous media notification. Breaches affecting fewer than 500 individuals must be reported to HHS annually. The rule also requires a four-factor risk assessment to determine whether an incident constitutes a reportable breach. Learn more about the specific notification timelines and requirements at HIPAA Breach Notification Rule.
## The Five Most Common OCR Audit Findings
OCR’s audit and enforcement history is consistent. The same gaps appear repeatedly across healthcare organizations of every size. Understanding where programs most commonly fail provides the clearest roadmap for prioritizing remediation.
| OCR Finding | Regulatory Citation | Operational Gap | Armorstack Response |
|---|---|---|---|
| Incomplete or missing risk analysis | §164.308(a)(1)(ii)(A) | No documented, annual risk assessment covering all ePHI systems | VERITY conducts structured risk analysis per NIST SP 800-66r2 |
| Missing business associate agreements | §164.308(b)(1) | Cloud providers, IT vendors, billing services lack executed BAAs | VERITY audits vendor inventory; Armorstack signs BAA as a covered BA |
| No MFA on clinical systems | §164.312(d) | EHR (Epic, Cerner), remote access, and admin consoles lack MFA | CORE deploys and manages MFA across clinical and administrative systems |
| Insufficient audit logging and monitoring | §164.312(b) | Logs not centralized, not retained for 6 years, not reviewed for anomalies | SENTRY aggregates logs, retains per requirement, and monitors for anomalies continuously |
| No documented security training | §164.308(a)(5) | Annual training not completed or records not maintained | VERITY manages workforce training program with attendance documentation |
## HIPAA Risk Analysis: The Foundational Requirement
The risk analysis requirement at §164.308(a)(1)(ii)(A) is the most frequently cited gap in OCR enforcement actions. It is also the most misunderstood. A risk analysis is not a checklist review of security controls. It is a documented assessment of the likelihood and potential impact of threats to the confidentiality, integrity, and availability of all ePHI that the organization creates, receives, maintains, or transmits.
OCR endorses the methodology in NIST SP 800-66r2, which requires organizations to define scope across all systems touching ePHI (including medical devices, mobile devices, BYOD, and cloud applications), identify credible threat sources and vulnerabilities, assess the likelihood and impact of each threat-vulnerability pair, and document the resulting risk scores with proposed safeguards.
A properly executed risk analysis produces a risk register that drives the security program’s remediation priorities throughout the year. It must be updated annually and following significant operational changes. Armorstack’s VERITY team conducts these assessments using the NIST SP 800-66r2 methodology and delivers a report, risk register, and remediation roadmap in a format OCR expects to see. Detailed requirements are covered at HIPAA risk assessment requirements.
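The risk analysis steps described above (scope every ePHI system, enumerate threat-vulnerability pairs, score likelihood and impact for each pair, record the resulting risk with a proposed safeguard) can be made concrete with a small risk register. The code below is an added illustration, not Armorstack's tooling or an official NIST SP 800-66r2 artifact; the 1-5 qualitative scales, the rating thresholds, and the sample entries are all constructed assumptions for this example. It also checks two things a reviewer of a register looks for: whether every asset category the page says must be in scope is actually represented, and whether any high-rated risk has no safeguard proposed.

```python
from dataclasses import dataclass

# Qualitative 1-5 scales for likelihood and impact. The scale values are an
# assumption for this example; the page states the method, not the scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Asset categories the page says a risk analysis must scope in.
REQUIRED_SCOPE = {"ehr", "medical device", "mobile device", "byod", "cloud application"}


@dataclass
class RiskEntry:
    """One threat-vulnerability pair against one ePHI asset."""
    asset: str
    category: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    safeguard: str = ""  # empty string means no safeguard proposed yet

    @property
    def score(self) -> int:
        # Risk score = likelihood x impact (assumed multiplicative model).
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def rating(self) -> str:
        # Threshold bands are assumed for this example.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def build_register(entries: list[RiskEntry]) -> list[dict]:
    """Return the register as rows ordered from highest to lowest risk score."""
    ordered = sorted(entries, key=lambda e: e.score, reverse=True)
    return [
        {
            "id": f"R-{i:03d}",
            "asset": e.asset,
            "threat": e.threat,
            "vulnerability": e.vulnerability,
            "score": e.score,
            "rating": e.rating,
            "safeguard": e.safeguard or "NONE PROPOSED",
        }
        for i, e in enumerate(ordered, start=1)
    ]


def scope_gaps(entries: list[RiskEntry]) -> set[str]:
    """Asset categories the page requires in scope that the register never covers."""
    covered = {e.category for e in entries}
    return REQUIRED_SCOPE - covered


def unmitigated_high(entries: list[RiskEntry]) -> list[RiskEntry]:
    """High-rated risks with no proposed safeguard: these block a credible remediation roadmap."""
    return [e for e in entries if e.rating == "high" and not e.safeguard]


# Constructed sample register; asset names and findings are illustrative only.
SAMPLE = [
    RiskEntry("EHR remote access portal", "ehr", "credential theft via phishing",
              "remote EHR access without MFA", "likely", "severe",
              safeguard="Enforce MFA on all remote and administrative EHR access"),
    RiskEntry("Clinic laptops", "mobile device", "loss or theft of device",
              "disk not encrypted", "possible", "major",
              safeguard="Full-disk encryption with central key escrow"),
    RiskEntry("Cloud backup service", "cloud application", "unauthorized vendor access to backups",
              "no executed BAA and no contractual safeguard obligations", "likely", "major"),
    RiskEntry("Infusion pumps", "medical device", "malware on unpatched embedded OS",
              "vendor patch not yet available", "unlikely", "severe",
              safeguard="Segment the clinical device network from user workstations"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['id']} {row['rating']:6} {row['score']:>2}  {row['asset']}: {row['safeguard']}")
    print("scope gaps:", scope_gaps(SAMPLE))
    print("unmitigated high risks:", [e.asset for e in unmitigated_high(SAMPLE)])
```

Running it ranks the MFA gap on the EHR portal first, reports that no BYOD asset has been assessed (a scope gap an auditor would ask about), and flags the cloud backup risk as high-rated with no safeguard proposed. Re-running the register after each significant operational change, as the text requires annually, is just a matter of updating the entries and regenerating the rows.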
## Business Associate Agreements: The Vendor Control Layer
Any third party that creates, receives, maintains, or transmits ePHI on behalf of a covered entity is a business associate (BA). The list is broader than most organizations initially recognize: EHR vendors, cloud storage providers, IT service organizations, billing companies, transcription services, backup and DR providers, and security monitoring services — all are business associates if they touch ePHI.
A business associate agreement (BAA) must be executed before ePHI is shared with a BA. The agreement must specify permitted uses and disclosures, require the BA to implement appropriate safeguards, establish breach notification obligations (within 60 days of discovery), require subcontractor BAAs, and address the return or destruction of ePHI at termination of the relationship. A missing BAA is a direct HIPAA violation regardless of whether a breach occurs. Details on BAA structure and requirements are at business associate agreement requirements.
Armorstack operates as a covered business associate for healthcare clients, executes BAAs as standard practice, and manages the broader vendor BAA inventory as part of the VERITY compliance program.
## The 2025 HIPAA Security Rule Update
HHS published a proposed update to the HIPAA Security Rule in January 2025, representing the most significant revision since the rule’s original implementation. The proposed changes would remove the Required versus Addressable distinction for several controls, making encryption, MFA, and network segmentation explicitly mandatory rather than subject to the addressable flexibility analysis. The proposed rule also introduces more specific technical requirements for vulnerability scanning, penetration testing frequency, and asset inventory maintenance.
Organizations that have historically treated addressable controls as optional based on undocumented determinations face elevated risk under the proposed framework. Armorstack’s VERITY team is tracking the rulemaking process and incorporating the proposed changes into current compliance program design to ensure clients are positioned ahead of the effective date. Full analysis of what changes and when is available at HIPAA 2025 Security Rule update.
## HIPAA Penalties: The Financial Stakes
HIPAA enforcement is structured in four penalty tiers under the HITECH Act, scaled by culpability and whether violations were corrected once identified.
| Tier | Category | Per-Violation Range | Annual Cap |
|---|---|---|---|
| A | Unknowing violation | $100 – $50,000 | $1.5 million |
| B | Reasonable cause | $1,000 – $50,000 | $1.5 million |
| C | Willful neglect, corrected | $10,000 – $50,000 | $1.5 million |
| D | Willful neglect, not corrected | $50,000 | $1.5 million |
Because OCR calculates penalties per individual violation — and a single misconfigured system can expose thousands of patient records — the practical financial exposure of a breach is significant even when capped annually. State attorneys general may also pursue separate civil money penalties under state law. A detailed breakdown of the penalty structure and notable enforcement actions is at HIPAA penalties and fines.
## Armorstack’s HIPAA Compliance Program: Three Portfolios, One Evidence Layer
Armorstack structures HIPAA compliance delivery across three portfolios working from a shared evidence layer. VERITY advisory owns the governance structure: risk analysis, policy management, BAA oversight, workforce training, and audit readiness. SENTRY managed detection and response provides the operational monitoring layer: centralized log collection and retention, behavioral anomaly detection, and documented incident response — all of which serve as direct evidence for §164.312(b) audit controls and §164.308(a)(6) incident procedures. CORE managed IT services maintains the infrastructure controls: MFA deployment and enforcement, encryption at rest and in transit, endpoint management, patch currency, and backup with tested recovery.
The security checklist for the technical and administrative safeguards is available at HIPAA Security Rule checklist. To discuss your organization’s specific HIPAA compliance posture and where the highest-priority gaps are, contact the Armorstack VERITY team or start the 90-Day Proof.