Shieldra
HIPAA Framework Guide
HIPAA is a U.S. healthcare privacy and security law. Covered entities and business associates need documented safeguards, policies, training, vendor agreements, risk analysis, and breach response evidence.
Core HIPAA rules
- Privacy Rule
- Security Rule
- Breach Notification Rule
- Enforcement Rule
- HITECH and Omnibus updates
Security Rule safeguard groups
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements
- Policies and documentation
Audit evidence
- Risk analysis
- Policies and procedures
- Workforce training records
- Access reviews and audit logs
- Business Associate Agreements
- Incident and breach documentation
Frequently asked questions
What is HIPAA?
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a U.S. federal law that sets national standards for protecting the privacy and security of protected health information (PHI). It applies to covered entities — healthcare providers, health plans, and clearinghouses — and to their business associates.
What are the main HIPAA rules?
The core rules are the Privacy Rule (how PHI may be used and disclosed), the Security Rule (administrative, physical, and technical safeguards for electronic PHI), the Breach Notification Rule (reporting breaches of unsecured PHI), and the Enforcement Rule, with updates from HITECH and the Omnibus and 2026 Security Rule changes.
Who must comply with HIPAA?
Covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates that handle PHI on their behalf must comply with HIPAA.