What Is HIPAA and How to Be HIPAA Compliant: A Practical Guide for Healthcare Organizations

If you work in healthcare, you've probably heard the word HIPAA thousands of times. But most people only have a vague understanding of what it actually requires, and a much vaguer understanding of whether their organization is meeting those requirements today.

This guide explains what HIPAA is, what HIPAA compliance requirements look like in practice, and the most common places where healthcare organizations fall short.

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. It's a federal law passed in 1996 that sets national standards for protecting sensitive patient health information.

The law applies to any organization that handles protected health information, known as PHI. That includes hospitals, medical practices, dental offices, pharmacies, nursing homes, home care providers, and the vendors and contractors those organizations work with.

At its core, HIPAA exists to ensure that patient health information is kept private, handled securely, and only accessible to the people who need it to provide care.

The Three Main HIPAA Compliance Requirements

HIPAA is built around three primary rules. Understanding each one matters if you're responsible for compliance at your organization.

The Privacy Rule

The Privacy Rule governs who can access PHI and under what circumstances. Patients have rights over their health information: the right to see it, request corrections, and control who it's shared with.

For your organization, the Privacy Rule means having documented policies around who can access patient data, how it's used internally, and when it can be shared with outside parties. It's about having the right guardrails in place.

The Security Rule

The Security Rule covers electronic PHI, known as ePHI. Every electronic system your organization uses to store, transmit, or communicate patient information must meet specific security standards.

Your EHR is covered. Your billing system is covered. Your team communication platform is covered. If your staff are sending patient updates over iMessage or WhatsApp, that falls under the Security Rule too, and personal messaging apps meet none of its requirements.

The Breach Notification Rule

If a breach of unsecured PHI occurs, your organization has to notify affected patients, the Department of Health and Human Services, and in some cases, the media.

The timeline is strict. You have 60 days from discovering the breach to notify patients, and in reality OCR expects you to move much faster than that. Miss the window, and you face separate penalties on top of the breach itself.

What is OCR?

The Office for Civil Rights, known as OCR, is the federal body that enforces HIPAA. They investigate complaints, run audits, and issue fines when organizations fall short.

Fines range from $100 to $50,000 per violation, depending on how negligent the organization was. The average healthcare data breach costs around $10 million once you factor in investigation, notification, remediation, and the damage to your reputation.

OCR investigations usually start with a single complaint or a reported breach, and then expand into a broader review of your entire compliance posture.

When investigators arrive, they go through your documented policies, your audit logs, your staff training records, and the tools your team uses to communicate. Every gap is a potential violation - and they're good at finding gaps.

How to Be HIPAA Compliant: What It Actually Requires

HIPAA compliance covers a lot of areas, but here are the areas that matter most day to day.

Business Associate Agreements

Any vendor, contractor, or service provider with access to PHI needs to sign a Business Associate Agreement, known as a BAA. Your EHR vendor almost certainly has one in place. The gap most organizations have is everywhere else: the communication platform your team uses, the staffing agency that places contract nurses, the IT provider with access to your systems.

A BAA inventory is a documented list of every vendor with PHI access and confirmation that each one has a signed, current agreement. Most organizations have significant gaps in this list and genuinely don't know it.

A Security Risk Analysis

The Security Risk Analysis, or SRA, is a specific written requirement under the HIPAA Security Rule. It's not optional. An incomplete or outdated SRA is cited in the majority of OCR investigations as a primary violation.

Your SRA needs to be done annually and updated whenever your systems, processes, or organizational structure change. Most organizations do it once, treat it as done, and never revisit it. That's a compliance gap waiting to be found.

Secure Team Communication

Secure team communication is the area most organizations overlook, and the one with the most active, ongoing risk.

Your staff communicate about patients every single day. Shift handovers, care coordination, urgent updates, test results. If there's no compliant tool that's fast and easy enough to use, they'll just grab their phone and use whatever's already there.

Every message, photo, and file sent through a personal messaging app saves permanently to every recipient's personal device. Your organization has no admin access, no audit trail, and no way to get it back. When someone leaves, that data goes with them.

PHI on personal devices with no documented controls is one of the top five OCR investigation triggers. Getting your team communicating on a HIPAA-compliant platform your organization owns and controls is one of the most urgent steps you can take.

Staff Training

HIPAA requires documented, ongoing training for all staff, including contractors, agency nurses, and locum physicians. Annual training with nothing on file to prove it happened is a compliance gap. Training needs to be role-specific, documented at the individual level, and updated when policies or systems change.

Incident Response

Your organization needs a documented breach response plan before a breach happens. That means knowing who's responsible for notification decisions, understanding the timelines, and having actually practiced your response. Organizations that build the plan after the incident are already past the notification window by the time they figure out who to call.

The Most Common HIPAA Compliance Gaps

Measured against what HIPAA compliance actually requires, the gaps that consistently appear across healthcare organizations are the same five:

  1. No completed or current Security Risk Analysis
  2. Missing or incomplete Business Associate Agreements
  3. Staff training with no documentation
  4. No breach notification protocol
  5. PHI on personal devices with no documented controls

Any one of these is enough to open an OCR investigation. Most organizations have all five.

Am I HIPAA Compliant? Questions to Ask Yourself

A quick way to assess your current posture is to ask yourself the following questions honestly. Every "not sure" or "no" is a gap worth addressing.

  • Do we have a signed BAA with every vendor that handles PHI, not just our EHR vendor?
  • Are our staff communicating about patients on a platform our organization owns and controls?
  • Can we immediately cut off a staff member's access to all messages and files when they leave?
  • Do we know where all our communication data lives, and can we retrieve it if OCR asks?
  • Can we produce a full audit log of internal communications on request?
  • Do we have a documented breach response plan, and does our team know what to do in the first 72 hours?
  • Is staff HIPAA training documented at the individual level, not just completed annually?
  • Do we have a written mobile device policy that covers personal phones used for work?
  • Does every location in our organization follow the same communication policies and use the same approved platform?

If you found gaps, start with team communication practices, access controls, and mobile device policy. Those three carry the highest OCR investigation risk and represent the most active, ongoing exposure.

For a more thorough assessment, use our HIPAA-compliance assessment checklist - 10 sections and 60+ checkpoints covering every area that OCR will investigate.

How Zenzap Helps Healthcare Organizations Stay Compliant

Of all the HIPAA compliance gaps covered in this article, secure team communication is the hardest to close with policy updates alone.

Your staff won't stop using personal messaging apps because of a new rule. They'll stop when you give them something better.

Zenzap is the HIPAA-compliant work chat built for healthcare teams. PHI is secure, under your organization's control, with a signed BAA included with every account. Staff can communicate about patients securely, and when someone leaves you can cut off their access to every chat, file, and contact in one click.

For multi-location organizations, Zenzap makes it possible to organize teams by facility, control who sees what, and give leadership visibility across every location, without the complexity of enterprise tools that nobody ends up using.

And because Zenzap is convenient, intuitive, and mobile-friendly, your team will actually use it without complaints.

Start Closing Your HIPAA Compliance Gaps Today

HIPAA compliance isn't a one-time project. Your risk profile changes every time you add a location, hire a contractor, change a vendor, or update a system.

The organizations that stay ahead of OCR are the ones that treat compliance as an ongoing part of how they operate, not something they address after a complaint is filed.

Start with the gaps that carry the most active risk: team communication, access controls, and mobile device policy. Address your BAA inventory and Security Risk Analysis. Document your staff training and put a breach response plan in place before you need it.

Every gap you close is one fewer trigger for an OCR investigation - and every day you wait is another day of exposure and risk.

Learn more about how Zenzap can help your organization become HIPAA compliant.

Frequently Asked Questions

What is HIPAA and who does it apply to? 

HIPAA is the Health Insurance Portability and Accountability Act, a federal law that sets standards for protecting patient health information. It applies to any organization that handles PHI, including hospitals, medical practices, dental offices, pharmacies, nursing homes, home care providers, and their vendors and contractors.

What are the main HIPAA compliance requirements? 

HIPAA compliance is built around three rules: the Privacy Rule, which governs who can access patient information and under what conditions; the Security Rule, which requires specific safeguards for electronic PHI; and the Breach Notification Rule, which sets timelines and obligations when a breach occurs. Beyond the three rules, organizations must maintain a current Security Risk Analysis, signed BAAs with every vendor handling PHI, documented staff training, and a breach response plan.

How do I know if I'm HIPAA compliant? 

The clearest indicators are whether you can answer yes to the following: every vendor with PHI access has a signed BAA, your team communicates about patients on a platform your organization controls, you have a current Security Risk Analysis, staff training is documented at the individual level, and you have a tested breach response plan. If you're unsure about any of these, you likely have compliance gaps worth addressing.

What is the most common HIPAA violation? 

PHI on personal devices is one of the most common and most overlooked HIPAA violations. When staff communicate about patients over personal messaging apps, that data saves permanently to personal devices your organization has no admin access to. Other common violations include missing or incomplete BAAs, no Security Risk Analysis, undocumented staff training, and no breach notification protocol.

What are the penalties for HIPAA violations? 

HIPAA fines range from $100 to $50,000 per violation, depending on the level of negligence. The average healthcare data breach costs $10 million when you factor in investigation, notification, remediation, and reputational damage. Organizations that miss the breach notification window face additional penalties on top of the original violation.

Does my team communication platform need to be HIPAA compliant? 

Yes. Any platform your staff use to communicate about patients falls under the HIPAA Security Rule and needs to be HIPAA compliant. That includes messaging apps, email, and any other tool used to transmit ePHI. The platform must have encryption, admin controls, audit logging, and a signed BAA with your organization. Personal messaging apps like iMessage and WhatsApp meet none of these requirements.

What is a BAA and do I need one? 

A Business Associate Agreement is a contract that a vendor signs committing to handle PHI in compliance with HIPAA. You need one with every vendor, contractor, or service provider that has access to PHI, not just your EHR vendor. Operating without a BAA where one is required is itself a HIPAA violation.

Last updated: May 29, 2026