The federal standard for protected health information security and privacy.
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for the protection of individually identifiable health information (Protected Health Information, or PHI). The Security Rule applies specifically to electronic PHI (ePHI) and requires Covered Entities and Business Associates to implement administrative, physical, and technical safeguards.
The HITECH Act (2009) strengthened HIPAA enforcement, introduced mandatory breach notification, and extended HIPAA requirements directly to Business Associates. Documentation is central to HIPAA compliance: organizations must maintain evidence of risk analysis, workforce training, policy development, access control implementation, and breach response, and must be able to demonstrate each of these to HHS Office for Civil Rights (OCR) investigators.
Documented risk analysis of threats to and vulnerabilities of ePHI, as required by 45 CFR § 164.308(a)(1).
Risk management plan and treatment documentation implementing the risk analysis findings.
Training programme records demonstrating workforce awareness of HIPAA policies.
Documentation of ePHI access controls, unique user identification, and emergency access procedures.
Audit logging implementation documentation and log review procedures.
Business Associate Agreement (BAA) documentation for all third-party vendors with access to PHI.
Breach risk assessment procedures and notification documentation (60-day reporting).
Workstation use policies, media disposal documentation, and device access controls.
Templates and implementation resources for HIPAA / HITECH are available through the ELDR Institute Knowledge Hub and via direct request.