
HIPAA for the Clinician, Part 1: What You’re Actually Responsible For

Abstract

This is the first installment of “HIPAA for the Clinician,” a series dedicated to cutting through the noise around healthcare compliance and giving practitioners a clear-eyed view of what the law actually requires and what it means when things go wrong.

Introduction


Here’s a scenario that plays out more often than anyone in healthcare administration wants to admit: A physician receives notice from the HHS Office for Civil Rights that their practice is under investigation. Not a hospital. Not a large health system with a compliance department and a team of attorneys on retainer. A three-provider family practice that has been serving the same community for twenty years. The physician’s first response is almost always the same: “But we have an EHR. We thought we were covered.”

They were not covered. And the distinction between believing you’re compliant and actually being compliant is precisely where most enforcement actions are born.

HIPAA has been the law of the land since 1996, and yet a stunning number of healthcare practitioners (physicians, pharmacists, dentists, therapists, and allied health professionals across every specialty) carry fundamental misconceptions about what the law requires of them personally. This series exists to correct that.

Let’s start at the beginning.


You Are Probably a Covered Entity

HIPAA applies to what the law calls “covered entities” (CEs): health plans, healthcare clearinghouses, and healthcare providers that transmit any health information electronically in connection with a covered transaction. That last phrase, “in connection with a covered transaction,” is where many clinicians tune out, assuming it applies to someone else.

It almost certainly applies to you. If your practice submits electronic claims to a payer, checks patient eligibility electronically, or sends referral authorizations through any electronic means, you are transmitting health information in connection with a covered transaction. You are a covered entity. The compliance obligations that follow from that designation are yours to own, not your EHR vendor’s, not your billing company’s, and not your IT provider’s.

This matters because the single most prevalent misconception in small and mid-sized practices is that HIPAA compliance happens in the background, and that purchasing the right software or signing an agreement with the right vendor transfers the obligation elsewhere. It does not. Your vendors may share certain responsibilities with you, but the core obligation remains with the covered entity. That’s you.

Three Rules, One Framework

HIPAA’s compliance requirements for covered entities are organized into three primary rules, each with distinct obligations.

The Privacy Rule governs the use and disclosure of protected health information (PHI), which includes any individually identifiable health information your practice creates, receives, maintains, or transmits. It establishes patient rights around their own information, including the right to access their records, request amendments, and receive an accounting of disclosures. It also sets boundaries around how and when you can share PHI without patient authorization.

The Security Rule applies specifically to electronic PHI (ePHI) and requires covered entities to implement administrative, physical, and technical safeguards to protect its confidentiality, integrity, and availability. This is where encryption, access controls, audit logs, risk assessments, and workforce training requirements live. The Security Rule is also where most enforcement actions originate, because it requires documented, ongoing compliance activities, not just a one-time setup.

The Breach Notification Rule requires covered entities to notify affected individuals, the HHS Secretary, and, in some cases, the media when unsecured PHI has been accessed, used, disclosed, or otherwise compromised in an impermissible manner. The notification clock for breaches affecting 500 or more individuals is 60 days from the date of discovery. Not 60 days from the date of resolution. Not 60 days from when you finish the investigation. Sixty days from when you knew or should have known something happened.

Understanding that these three rules exist as an integrated framework, not as separate optional modules, is foundational. A practice can have a beautifully written privacy notice and still face six-figure penalties because its Security Rule compliance program was nonexistent.


What “Compliance” Actually Requires

The word compliance tends to evoke the image of a binder on a shelf. Policies, procedures, maybe an annual training sign-off sheet. That image is not wrong, but it is dangerously incomplete.

The HIPAA Security Rule requires covered entities to perform a comprehensive, accurate, and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This is the Security Risk Analysis (SRA), and it is the single most frequently cited deficiency in OCR investigations and compliance reviews. The SRA is not a checklist. It is not a one-page questionnaire that your EHR vendor emails you during implementation. It is a documented evaluation of your organization’s specific threat landscape, the assets that hold or transmit ePHI, the vulnerabilities those assets carry, and the controls you have in place to mitigate identified risks.

Beyond the SRA, the Security Rule requires covered entities to implement policies and procedures that address a long list of specific safeguard categories, including workforce training and access management, facility access controls, workstation use and security, audit controls, and integrity controls for ePHI. Many of these requirements have what the rule calls “implementation specifications” that are either required or addressable. Required specifications must be implemented. Addressable specifications must be either implemented or documented with a clear rationale for why an equivalent alternative measure was chosen instead.

That last sentence is important. “Addressable” does not mean optional. OCR has been unambiguous on this point, and practices that interpret addressable specifications as a permission slip to skip inconvenient requirements tend to find that out the hard way.

Your Business Associates Share the Obligation, But Not Your Risk

If you share PHI with any external organization in order to carry out your healthcare operations (your billing company, your EHR vendor, your cloud storage provider, your answering service), those organizations are your business associates (BAs), and they are required by law to protect the PHI you share with them. That obligation is formalized through a Business Associate Agreement (BAA), a contract that specifies how the BA may use or disclose PHI and what happens in the event of a breach.

This is where many practices unnecessarily expose themselves. They assume that having a signed BAA transfers the compliance risk to the vendor. It does not. A BAA is a contractual instrument that allocates certain legal obligations. It is not a liability shield. If your business associate experiences a breach because of your failure to conduct adequate vendor due diligence, or because you shared PHI with a vendor who never should have been classified as a BA in the first place, the consequences land on your practice.

The Change Healthcare ransomware attack of February 2024 illustrated this principle on a catastrophic scale. Thousands of covered entities found themselves in breach notification obligations, and in some cases, OCR’s crosshairs, not because of anything that happened on their own networks, but because a business associate was compromised. The lesson was not subtle: your vendor’s breach is your breach.

The Consequences Are Real

Civil monetary penalties under HIPAA are tiered by culpability, ranging from $100 per violation for cases where the covered entity was unaware of the violation, up to $50,000 per violation for cases involving willful neglect that was not corrected. The annual cap per violation category is $1.9 million. These are not theoretical numbers. In the years since OCR began actively enforcing the Security Rule, penalties have reached into the tens of millions of dollars for large-scale violations, and practices of every size have faced six-figure settlements for entirely preventable failures.

Reputational damage compounds the financial exposure. When a breach affects 500 or more individuals in a given state, the practice is required to notify prominent media outlets in addition to the affected individuals and HHS. Local news coverage of a data breach does things to patient retention and community trust that no fine schedule can fully capture.

Where This Series Goes from Here

Over the coming weeks, this series will drill into the specific HIPAA requirements that matter most for clinical practitioners and the organizations that support them. We’ll cover the Security Risk Analysis in depth, including what it actually requires, what it does not, and why most practices are doing it wrong. We’ll walk through Business Associate Agreements, OCR investigations, workforce training requirements, and the new regulatory landscape that is reshaping what HIPAA compliance looks like in 2026.

The goal is not to frighten you. It is to give you an honest, practitioner-level picture of what the law requires, what the consequences look like when those requirements are ignored, and what a defensible compliance posture actually looks like in a real-world clinical environment.
