Library

What is HIPAA (Security & Breach Notification Rule)?

Health data protection is core to trust in healthcare. The HIPAA Security and Breach Notification Rules set the federal standards for safeguarding electronic protected health information (ePHI) in the U.S. These rules don’t just apply to hospitals or insurance companies—they also bind any organization that transmits or stores ePHI, including digital health startups, SaaS providers, and vendors supporting the healthcare industry.

Why it matters: Noncompliance with HIPAA isn’t just a regulatory risk. It’s a reputational and operational risk. A security incident involving health data can trigger costly breach notifications, investigations, and in some cases large financial penalties. Understanding HIPAA requirements—especially the Security and Breach Notification Rules—is foundational to strengthening your compliance posture.

Understanding HIPAA: the Security and Breach Notification Rules

The HIPAA Security Rule, codified at 45 CFR Part 164 Subparts A and C, defines the administrative, physical, and technical safeguards required to protect the confidentiality, integrity, and availability of ePHI. These safeguards must be documented, implemented, and periodically reviewed.

The Breach Notification Rule, 45 CFR §§164.400–414, mandates how organizations respond when ePHI is compromised. If there’s a breach of unsecured PHI—meaning not properly encrypted or destroyed—covered entities and business associates must notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media.

How HIPAA compliance has historically been approached

When the Security Rule first took effect in 2005, many healthcare organizations took a checklist-based approach. Compliance programs were built around policy binders, standalone training modules, and manual audits. Risk analyses were often performed once and left on the shelf. Technical safeguards like access controls and encryption existed but weren’t consistently enforced or tested.

As enforcement increased, organizations began to mature their programs. The HHS Office for Civil Rights (OCR) launched audit programs and clarified expectations. Most notably, the emphasis shifted from documentation for its own sake to demonstrable implementation. Whether evaluating risk management plans or breach response protocols, OCR began asking not just “Do you have it?” but “Can you prove you’ve used it?”

OCR also reinforced that compliance isn't static. A single “HIPAA certification” or one-time audit doesn’t guarantee an organization is secure today. HIPAA requires ongoing evaluation, monitoring, and documentation-backed accountability.

Core expectations of the Security Rule

Executing a risk assessment under the Security Rule encompasses multiple steps:

Conduct a risk analysis. This foundational requirement demands an accurate and thorough assessment of risks to ePHI across systems, processes, and vendors. It must be documented and reviewed regularly.

Enforce safeguards. Safeguards fall into three categories:

  1. Administrative: policies, training, and workforce procedures
  2. Physical: facility access controls, workstation use guidelines
  3. Technical: encryption, authentication, audit controls

Organizations must implement addressable safeguards unless they document why another approach is reasonable and appropriate.

Document everything. Policies, training logs, access reviews, and risk assessments must be retained for six years from the last date in effect.

A closer look at breach notification

When PHI is compromised, time matters. Breaches must be reported without unreasonable delay, and no later than 60 days after discovery.

Notifications must be complete. They must include a description of the breach, types of information involved, recommended actions individuals can take, and contact information for questions.

Thresholds trigger reporting duties. If the breach affects more than 500 individuals in a state or jurisdiction, media notification is required. All breaches must be reported to HHS, either immediately (for large breaches) or annually (for smaller ones).

Encryption and proper disposal create a safe harbor. If PHI is secured using methods endorsed by HHS (e.g., NIST-compliant encryption), the Breach Notification Rule doesn’t apply.

Common HIPAA compliance challenges

Despite decades of guidance, organizations continue to struggle with core elements of the Security and Breach Notification Rules.

Inadequate or outdated risk analyses. OCR enforcement actions frequently cite risk assessments that lack scope, detail, or currency. It’s not enough to run a scan or check a box annually—risk identification must be continuous and encompass all systems handling ePHI.

Misconstruing “addressable” as “optional.” Some safeguards are labeled “addressable” under HIPAA. That means you can use an alternative if it’s reasonable—but you must document that decision and implement a comparable measure.

Weak business associate governance. Many breaches originate from third-party vendors. Missing or incomplete Business Associate Agreements (BAAs) expose covered entities to shared liability.

Breach notifications done too late—or not at all. Failure to timely notify patients and HHS can lead to fines and reputational damage. Incomplete notifications are also a common compliance gap.

Lack of documentation readiness. During OCR audits, organizations must produce evidence within tight timeframes. Missing security policies, outdated incident response plans, or undocumented training leave major holes.

Overreliance on “HIPAA certificates.” HHS doesn’t recognize or accredit private certifications. These may help with readiness, but don’t substitute for actual compliance.

Looking ahead: what to expect in 2026

HIPAA enforcement continues to evolve, particularly in light of rising ransomware threats and cloud adoption. Looking toward 2026, organizations should prepare for:

Increased scrutiny of cybersecurity controls. OCR’s most recent audits target Security Rule provisions linked to hacking defenses—access controls, audit logs, and transmission security. Expect deeper evaluations of technical safeguards, especially if your environment includes cloud-hosted systems and remote access models.

Modernized audit protocols. OCR’s Audit Protocol was last updated in 2018. As digital health grows, future audit cycles may focus more intensively on third-party risk, cross-border PHI access, and behavioral health data protections.

Credentialing changes. Industry-recognized certifications like ISACA’s CISA and AHIMA’s CHPS will likely remain part of the trusted assessor toolkit. However, ISC2’s HCISPP certification—a longstanding healthcare info sec credential—is set to be retired as of December 2026.

Shift toward continuous compliance. Point-in-time assessments no longer meet regulatory and business needs. Stakeholders are demanding real-time assurance of security posture, not just a clean bill of health from last year’s audit.

How Thoropass improves HIPAA compliance

Thoropass is purpose-built to help you operationalize HIPAA requirements with structure, speed, and confidence.

Streamlined risk analysis and documentation. Our guided risk assessment workflow helps you conduct accurate, thorough evaluations aligned to Security Rule requirements. Document risks, assign owners, and track mitigation status—all in one platform.

Policy templates built for HIPAA. Quickly stand up compliant policies using customizable templates. From access controls to device management to breach notification plans, you’ll have the tools you need to implement and prove safeguards without starting from scratch.

Centralized evidence collection. Easily upload and organize your HIPAA policies, training records, BAAs, and incident logs. When audits come, your documentation is ready—and complete.

Breach notification coverage. Use our templates to prepare legally compliant notifications, track time-sensitive deadlines, and maintain disclosure logs that satisfy audit expectations.

Training and accountability tracking. Assign HIPAA training to your team and track completion right in the platform. Built-in dashboards give you clear visibility into your workforce compliance.

Third-party readiness reporting. Share a Thoropass HIPAA attestation with partners, vendors, and customers to demonstrate your compliance program maturity. It’s not an HHS-endorsed certification—but it shows leadership and transparency.

HIPAA compliance doesn’t have to be overwhelming. With Thoropass, you simplify the process, build audit readiness into your daily operations, and protect the trust placed in your organization. Schedule a discovery session today to see how we can help your team stay secure, prepared, and focused on delivering care.

Get Started

Products

Thoropass AuditCompliance Automation
PentestingThoropass AIAccess ReviewsSecurity QuestionnairesRisk AssessmentTrust CenterIntegrations and APIs

Solutions

Get CompliantMaintain ComplianceIT Security AuditsThoropass vs. Audit FirmsThoropass vs. Vanta

Frameworks

SOC 1SOC 2HIPAAHITRUSTCyber EssentialsGDPRISO 27001ISO 27018ISO 42001CMMC Level 1NIST CSF 2.0PCI DSSOther Frameworks

Resources

Case Studies
BlogGuidesEventsGlossaryHelp Center

Industries

HealthcareSaaSFinTechOther Industries

Company

Our DifferenceMeet the ExpertsNewsroomCareersIndependence and ExcellenceBecome a PartnerTrust CenterContact us

Legal

MSADPAReport an IssueTerms and ConditionsPrivacy Policy

Certifications:

Laika Compliance, LLC dba Thoropass Assurance is a licensed certified public accounting firm registered with the American Institute of Certified Public Accountants (AICPA). Thoropass, Inc. dba Thoropass is a leading cybersecurity and compliance professional services and technology firm.

© Copyright 2025 Thoropass, Inc.

Linkedin Logo Streamline Icon: https://streamlinehq.com
X Logo Streamline Icon: https://streamlinehq.com
Video Player 1 Streamline Icon: https://streamlinehq.com