HIPAA Compliance Checklist (Self-Assessment Guide)

  • Writer: Kristina Romanenko
  • 19 hours ago
  • 6 min read
HIPAA Compliance Made Simple: A Self-Assessment Guide

In healthcare, protecting patient data isn’t just best practice — it’s the law. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for how healthcare and digital health companies must secure, manage, and share Protected Health Information (PHI).


But compliance can feel overwhelming: privacy rules, security mandates, breach protocols, vendor contracts... Where do you even start? This guide cuts through the confusion with a clear, structured self-assessment.


Before you dive into the HIPAA Compliance Checklist, here's what you need to know:



HIPAA: What It Is and Why It Matters

HIPAA is a U.S. federal law that governs the use, disclosure, and protection of Protected Health Information (PHI) (HHS Overview). If your product stores, analyzes, transmits, or integrates with systems handling identifiable patient data, HIPAA likely applies — even if you're not a hospital or insurer. HIPAA applies to two main groups:


  • Covered Entities (CE): Organizations directly involved in providing healthcare, health insurance, or processing health-related data.


  • Business Associates (BA): Vendors, service providers, and partners who work with Covered Entities in a non-healthcare role but still have access to Protected Health Information (PHI).


Covered Entities (CEs) vs Business Associates (BAs) under HIPAA

Both Covered Entities and Business Associates must comply with HIPAA rules, though Business Associates' responsibilities primarily relate to the PHI they access, store, or process, often outlined in a Business Associate Agreement (BAA).



The Four Legal Pillars of HIPAA Compliance

HIPAA compliance rests on four critical legal rules: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. Each of them comes up in the sections that follow.



What Counts as PHI?

Protected Health Information (PHI) includes any individually identifiable health information about a patient’s condition, treatment, or payment history.


Examples of PHI:

  • Personal identifiers: Name, address, phone number, social security number, photos

  • Medical information: Diagnoses, test results, prescriptions, treatment notes

  • Insurance details: Policy numbers, coverage, and billing records

  • Biometric identifiers: Fingerprints, retinal scans, DNA samples

  • Financial data tied to health services: Credit card payments, invoices

PHI under HIPAA

If your system or app handles, stores, or transmits this type of data, and it can be linked to a person, it’s PHI — and must be protected under HIPAA.



What Does NOT Count as PHI?

Not all health-related data falls under HIPAA. Here are common examples that do not qualify:


| Example | PHI under HIPAA? | Why? |
|---|---|---|
| Fitness tracker data from a non-medical app | No | Not managed by a HIPAA-covered entity or business associate |
| De-identified health datasets | No | All 18 identifiers removed per 45 CFR § 164.514 |
| Employee health info held by an employer | No | HIPAA does not cover HR/employment records |
| School vaccination records | No | Regulated by FERPA, not HIPAA |
| Anonymous survey data | No | Not traceable to an individual |



Does HIPAA Scope Depend on CE vs. BA?

Yes — while HIPAA’s Security and Privacy Rules apply broadly to both groups, Covered Entities and Business Associates differ slightly:


  • CEs are directly responsible for full HIPAA compliance across their operations.

  • BAs must comply with HIPAA Security and Breach Notification Rules for the PHI they handle and sign enforceable BAAs.


Regardless of role, technical safeguards are mandatory for any organization handling ePHI.



Preparing for HIPAA: What Companies Should Do First

Before you attempt to “tick boxes,” it’s important to structure your organization for success. Think of HIPAA as a framework that touches the legal, technical, and organizational layers of your business.

These first moves lay the foundation:


  1. Clarify your HIPAA Applicability

    • Covered Entity (CE) or Business Associate (BA)? Determine if your organization falls under one of these categories. This will define your specific obligations. For example, healthcare providers, insurers, and pharmacies are Covered Entities, while software vendors, IT contractors, and cloud service providers can be Business Associates.

    • PHI or ePHI Handling: Identify whether your business creates, receives, stores, or transmits Protected Health Information, in paper form (PHI) or electronic form (ePHI). If you handle any PHI, HIPAA applies to you in some form.


  2. Appoint Key Roles

    • Privacy Officer: This individual is responsible for overseeing how PHI is collected, used, shared, and protected within the organization. They ensure privacy policies are in place and adhered to, manage patient rights, and ensure compliance with HIPAA privacy requirements.

    • Security Officer: A Security Officer ensures the technical safeguards are implemented to protect ePHI, including setting up access controls, encryption, and managing cybersecurity risks. This officer also oversees the Risk Assessment process and works with IT to identify potential vulnerabilities.


  3. Map Your Data Flows

    • Conduct a detailed assessment of where PHI enters and exits your organization. Track how it is stored, transmitted, and accessed within your systems. Understanding your data flow is key to identifying potential security weaknesses and will guide your risk assessment and mitigation efforts.


  4. Conduct a Preliminary Risk Assessment

    • Before implementing security controls, conduct an initial Risk Assessment to identify where PHI may be at risk. This helps you understand potential threats (e.g., unauthorized access and data breaches) and focus your security efforts on the most vulnerable areas.


  5. Identify Vendors & Subcontractors

    • Make a list of all third parties (vendors, subcontractors, cloud providers, etc.) that access, process, or store PHI. Assess their security posture and ensure that they sign a Business Associate Agreement (BAA) if applicable. A BAA ensures that they are aware of their responsibilities to protect PHI and comply with HIPAA.


  6. Prepare Internal and External Communication Plans

    • Establish clear communication channels within your organization and with external stakeholders (vendors, partners) for HIPAA-related matters. Use them to set expectations for internal teams and to inform external parties about upcoming compliance efforts and the agreements they will need to sign.


By taking these preparatory steps, you lay a solid foundation for your organization’s HIPAA compliance journey. These efforts will ensure that you have the right structures in place before diving into the technical and legal requirements of HIPAA.



Required Technical Security Measures

Under the HIPAA Security Rule, organizations must implement:


  • Access Controls: Unique user IDs, emergency access procedures, automatic log-off.

  • Audit Controls: Hardware, software, and procedural mechanisms to record and examine access.

  • Integrity Controls: Policies to protect data from improper alteration or destruction.

  • Authentication Measures: Verifying that a person seeking access is who they claim to be.

  • Transmission Security: Encrypting ePHI during transmission across networks.


Optional but highly recommended:


  • Encryption at Rest: Encrypting stored PHI.

  • Endpoint Protection: Antivirus, antimalware, and mobile device management (MDM).

  • Regular Penetration Testing: To proactively identify vulnerabilities before an attacker does.



What Happens If There’s a Breach?

If PHI is compromised, organizations must follow the HIPAA Breach Notification Rule:


  • Notify Affected Individuals: Without unreasonable delay and no later than 60 days after discovery.

  • Notify the HHS Secretary: Through the HHS Breach Reporting Portal.

  • Notify Media: If the breach affects more than 500 residents in a state or jurisdiction.


Business Associates must report breaches to their Covered Entity partners first, who then follow notification protocols. Failure to comply can result in substantial civil penalties based on Enforcement Rule guidelines.



HIPAA Compliance Is a Journey — Not a One-Time Event

Becoming HIPAA compliant isn’t about perfection; it’s about demonstrating diligence, preparedness, and a structured approach to risk. At Sekurno, we guide you through every step of the HIPAA journey — from determining your role under the regulation to implementing the right security measures so that your people and systems meet all legal and ethical obligations. Not sure where you stand on your compliance journey?



Next Step: HIPAA Compliance Checklist Self-Assessment


Take our HIPAA Compliance Self-Assessment Questionnaire to guide your self-assessment.





About Sekurno & The Author

Kristina Romanenko is an Information Security Account Manager at Sekurno and a certified ISO/IEC 27001 Implementer (PECB). With over 6 years of experience in IT and cybersecurity, Kristina helps organizations confidently navigate regulatory frameworks such as GDPR, CCPA, HIPAA, and ISO 27001. She supports clients in meeting compliance requirements, reducing risk exposure, and building long-term trust with customers and partners.


Sekurno is a globally recognised cybersecurity firm specializing in Penetration Testing, Application Security and Compliance. At Sekurno, we dedicate all our efforts to reducing risks to the highest extent, ensuring high-risk industries like HealthTech and FinTech stand resilient against any threat.


Have questions about securing your product or preparing for an audit? You can contact us by writing to team@sekurno.com or booking a call here.


© 2024 Sekurno. All rights reserved.