HIPAA Compliance Essentials for 2026
Use this as a practical roadmap for building a complete compliance program.
Work directly with a Certified HIPAA Professional who knows what OCR auditors look for. We close the gaps that lead to fines and make HIPAA compliance approachable for small teams.
Solo providers • small practices • vendors/MSPs • growing teams
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, establishes national standards for protecting individually identifiable health information, known as Protected Health Information (PHI). The HIPAA Privacy Rule and Security Rule, codified at 45 CFR Parts 160 and 164, require covered entities and their business associates to implement administrative, physical, and technical safeguards to protect PHI from unauthorized access, use, or disclosure. HIPAA compliance means meeting these federal requirements on an ongoing basis through documented policies, workforce training, risk assessments, and vendor management.
Healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses. These organizations are directly regulated under HIPAA as defined in 45 CFR Section 160.103.
Any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Examples include billing companies, IT managed service providers, cloud hosting vendors, and EHR platforms. Business associates must sign a Business Associate Agreement (BAA) as required under 45 CFR Section 164.502(e).
Under the 2013 HIPAA Omnibus Rule, subcontractors that handle PHI on behalf of a business associate are also subject to HIPAA requirements and must have their own BAA in place.
Every engagement follows a four-step process. It starts with a Security Risk Assessment (SRA), required annually under 45 CFR Section 164.308(a)(1)(ii)(A), to establish your compliance baseline.
Select a Compliance Officer. Complete your Security Risk Assessment. Then receive and review both the automated Gap Analysis and automated Remediation Plans.
Review, tailor, and publish your HIPAA policies. Have staff attest to their reading and understanding. Complete HIPAA 101 training and cybersecurity awareness training.
Manage Vendors (Third-Parties), sign Business Associate Agreements (BAAs), review vendor risk, and finish your site, device and IT audits.
Every account includes a way that staff can report unauthorized disclosures of PHI (protected health information). Issues can be submitted anonymously and your Privacy Officer gets clear next steps.
From there, gaps are identified, fixes are prioritized, and policies are written. Staff training and administrative controls are then addressed in accordance with HIPAA's Security Rule, Privacy Rule, and Breach Notification Rule.
Founder & CEO | Certified HIPAA Professional (CHP)
Since 2015, Chuck has helped organizations build practical HIPAA programs that hold up in the real world. He is based in New York and works with clients around the country. In ten years of consulting on HIPAA no client of his has ever been fined, or failed an audit.
This is because he makes complex rules easier to follow and leads with empathy, clarity, and steady guidance.
Schedule a Call with ChuckGet the HIPAA help you need in one place. Click any square below to learn more about how our product(s) work.
A yearly review of risk to ePHI, required annually under 45 CFR Section 164.308(a)(1)(ii)(A). It is the starting point for a strong HIPAA program.
Explore HIPAA Security Risk Assessment services →A gap analysis measures your current safeguards against the requirements of 45 CFR Part 164, Subparts C and E, and identifies where your organization falls short.
Review HIPAA Gap Analysis Resources →Remediation Plans document how you will fix identified gaps, consistent with the risk management requirement at 45 CFR Section 164.308(a)(1)(ii)(B). They also demonstrate to auditors that your organization has a structured corrective action process.
See HIPAA remediation planning services →Ready-made templates addressing the policies and procedures standard at 45 CFR Section 164.316. You approve, then your staff reviews. No starting from scratch.
Access HIPAA Policy Template Services →Meet the workforce training requirement under 45 CFR Section 164.308(a)(5)(i) with HIPAA 101 and cybersecurity awareness training.
HIPAA Training for Staff →A yearly on-site review of your physical safeguards under 45 CFR Section 164.310, covering facility access controls, workstation use, and workstation security.
Review Physical Safeguard Requirements →A yearly check of your devices and IT setup against the technical safeguard requirements at 45 CFR Section 164.312, covering encryption, access controls, and audit logging.
Complete Device and IT Audits →Give staff a clear way to report incidents as required under the Breach Notification Rule (45 CFR Sections 164.400 through 164.414). Reports can be anonymous, and your compliance officer gets clear response steps.
Get Help with HIPAA Incident Response →Plans starting at $60/month. No long-term commitment required.
View Pricing Plans"One Guy Consulting is super easy to work with. I actually look forward to my implementation meetings for HIPAA."Samantha M.
"We've been working with One Guy Consulting for years and always been very pleased with the results."Katie M. — Local Guide
"One Guy Consulting is great at what they do! I was intimidated to start work on this project, but nothing was further from the truth! Chuck was so professional and welcoming. He was always happy to clarify questions I had. They really knew how to put me at ease. Thanks so much, One Guy Consulting! Special shout-out to Chuck for getting me across the finish line."Jennifer M.
Recommendations from professionals who have worked alongside Chuck.
"Charles is a master of automation, allowing him to operate with the output of a much larger team while working as a department of one."Omar Barazanji - Machine Learning / MLOps / Agentic AI Engineer
The Office for Civil Rights is the federal agency within HHS responsible for enforcing HIPAA compliance and investigating breaches.
The Health Insurance Portability and Accountability Act of 1996 establishes national standards for protecting patient health information. Its implementing regulations are codified at 45 CFR Parts 160 and 164. Its implementing regulations are codified at 45 CFR Parts 160 and 164.
A federally mandated annual assessment required under 45 CFR §164.308(a)(1)(ii)(A) to evaluate whether current safeguards adequately protect ePHI. Methodology is informed by the NIST SP 800-39 risk management framework.
The HIPAA Security Rule (45 CFR Part 164, Subpart C) establishes national standards for protecting ePHI through administrative safeguards (§164.308), physical safeguards (§164.310), and technical safeguards (§164.312).
The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) governs the use and disclosure of Protected Health Information (PHI), establishing patient rights, authorization requirements, and the minimum necessary standard for disclosures.
The Breach Notification Rule (45 CFR Sections 164.400 through 164.414) requires covered entities and business associates to provide notification following a breach of unsecured protected health information.
Use this as a practical roadmap for building a complete compliance program.
Understand what HIPAA requires, who it applies to, and why it matters for your organization.
Learn what qualifies as PHI, the 18 HIPAA identifiers, and how to handle it properly.
Know your obligations when a breach occurs—timelines, reporting steps, and penalty risks.
Understand role boundaries so contracts, obligations, and audits stay clean.
Understand the access, amendment, and disclosure rights your patients are entitled to.
And any/all other healthcare providers or business associates that handle PHI.
If you are not sure what to tackle first, reach out and we will help you map the next step.