HHS / OCR Verified Guidance

The Authoritative HIPAA Compliance Directory

Verified resources, tools, and guidance for healthcare organizations navigating HIPAA/HITECH compliance. Aligned with HHS Office for Civil Rights enforcement standards and 45 CFR Parts 160 and 164.

🛡️ OCR-Aligned Guidance
🔒 BAA-Ready Tools Only
📋 45 CFR Referenced
⚖️ Updated May 2025

Browse by Compliance Area

Every category is mapped to the applicable 45 CFR regulatory provisions enforced by the HHS Office for Civil Rights.

Critical Compliance Facts

Data sourced from HHS Office for Civil Rights enforcement statistics and the HHS Breach Portal.

$10.9B
OCR Settlements Since 2003
HHS Office for Civil Rights has resolved over 36,000 complaints and collected more than $10.9 billion in settlements and civil money penalties under HIPAA enforcement actions since the Privacy Rule took effect in 2003.
96%
Breaches Involve Unauthorized Access
According to HHS Breach Portal reporting, the overwhelming majority of large breaches affecting 500 or more individuals involve unauthorized access to PHI — including hacking, improper disposal, and lost or stolen devices or media.
30 Days
Internal Documentation Benchmark
While 45 CFR § 164.408 allows 60 days to notify HHS of a breach, industry best practice and multiple state breach notification laws require internal documentation within 30 days of discovery to maintain OCR audit readiness and demonstrate timely action.
⚠️
OCR Civil Money Penalties: $100–$50,000 Per Violation / Up to $1.9 Million Annual Cap Per Violation Category
Under 45 CFR § 160.404, HHS enforces four penalty tiers based on culpability: (1) Unknown violation: $100–$50,000/violation; (2) Reasonable cause: $1,000–$50,000/violation; (3) Willful neglect, corrected within 30 days: $10,000–$50,000/violation; (4) Willful neglect, not corrected: $50,000/violation. All tiers carry an annual cap of $1,900,000 per violation category. Criminal penalties under 42 U.S.C. § 1320d-6 may additionally apply, with fines up to $250,000 and imprisonment up to 10 years for wrongful disclosure with intent to sell or transfer PHI.

Key Regulatory Citations

All resources in this directory are evaluated against the three foundational HIPAA rules codified in Title 45 of the Code of Federal Regulations.

45 CFR §§ 164.500–164.534
HIPAA Privacy Rule
Establishes national standards for the protection of individually identifiable health information (PHI). Governs permissible uses and disclosures, patient rights of access to records under 45 CFR § 164.524, Notice of Privacy Practices (NPP) requirements under § 164.520, and the minimum necessary standard under § 164.502(b). Applies to covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. Effective April 14, 2003; HITECH amendments effective February 17, 2010.
45 CFR §§ 164.302–164.318
HIPAA Security Rule
Establishes national standards for protecting electronic PHI (ePHI) at rest and in transit. Requires covered entities and business associates to implement administrative safeguards (§ 164.308), physical safeguards (§ 164.310), and technical safeguards (§ 164.312). Includes required specifications — such as access controls (§ 164.312(a)) and audit controls (§ 164.312(b)) — and addressable specifications that organizations must implement or document rationale for alternative measures. Mandatory risk analysis under § 164.308(a)(1)(ii)(A). Effective April 21, 2005.
45 CFR §§ 164.400–164.414
Breach Notification Rule
Requires covered entities to notify affected individuals (§ 164.404), HHS (§ 164.408), and in breaches affecting 500+ residents of a state, prominent media outlets (§ 164.406), following a breach of unsecured PHI. All notifications must occur without unreasonable delay and within 60 days of discovery of the breach. Business associates must notify covered entities within 60 days of breach discovery under § 164.410. Added by HITECH Act (Pub. L. 111-5); effective September 23, 2009. Interim final rule published August 24, 2009.

Featured HIPAA-Compliant Tools

All featured vendors maintain Business Associate Agreements as required under 45 CFR § 164.504(e).

45 CFR § 164.504(e) — Business Associate Agreements

A Business Associate Agreement (BAA) is a legally required written contract under HIPAA whenever a vendor creates, receives, maintains, or transmits protected health information on behalf of a covered entity. All listed vendors offer or support BAAs. Operating without a valid BAA is a direct HIPAA violation subject to OCR civil money penalties.

🔒 Compliancy Group
✓ BAA Available
Compliance Software OCR Audit-Ready
End-to-end HIPAA compliance management platform with built-in risk analysis, policy management, workforce training modules, and remediation tracking. Purpose-built to satisfy the OCR Phase 2 Audit Protocol requirements across all three HIPAA rule sets.
Addresses: 45 CFR § 164.308(a)(1) — Risk Analysis & Management
🔒 Doxy.me
✓ BAA Available
Telehealth Platform
HIPAA-compliant video telemedicine platform with end-to-end encrypted video sessions. No app download required for patients. BAA available on all subscription tiers, including the free tier, making it accessible to solo practitioners and small practices.
Addresses: 45 CFR § 164.312(e)(1) — Transmission Security
🔒 Microsoft Azure
✓ BAA Available
Healthcare Cloud Storage
Microsoft Azure provides a comprehensive HIPAA/HITECH BAA for covered entities and business associates. Azure Health Data Services offers FHIR-compliant APIs, AES-256 encryption at rest, TLS 1.2+ in transit, role-based access controls (RBAC), and detailed audit logs through Azure Monitor.
Addresses: 45 CFR § 164.312(a)(1) — Access Controls; § 164.312(b) — Audit Controls
🔒 Virtru
✓ BAA Available
Security & Encryption
End-to-end email and data encryption platform purpose-built for healthcare compliance. Integrates natively with Gmail and Microsoft 365. Enforces encryption policies, access revocation, and granular audit logging for PHI transmitted via email — satisfying the transmission security addressable specification.
Addresses: 45 CFR § 164.312(e)(2)(ii) — Encryption & Decryption (Addressable)
🔒 Healthie
✓ BAA Available
EHR / EMR System
API-first EHR and practice management platform for modern healthcare organizations. Provides integrated telehealth, scheduling, billing, client portal, and e-prescribing — all within a HIPAA-compliant architecture. BAA included across all plan tiers.
Addresses: 45 CFR § 164.308(a)(4) — Information Access Management
🔒 KnowBe4 Healthcare
✓ BAA Available
HIPAA Training
Healthcare-specific security awareness and HIPAA compliance training platform. Offers role-based training modules, phishing simulation, automated training assignments, and workforce attestation records suitable for OCR audit documentation and annual workforce training requirements.
Addresses: 45 CFR § 164.308(a)(5) — Security Awareness & Training
View All 25 Listed Resources →

Latest Compliance Guides

Regulatory-grade analysis written for compliance officers, legal teams, and healthcare executives.

Compliance Operations • May 2025
HIPAA Compliance Checklist 2025: Administrative, Physical, and Technical Safeguards
A comprehensive, citation-anchored checklist covering all required and addressable implementation specifications under the HIPAA Security Rule (45 CFR §§ 164.308–164.312), with 2025 enforcement updates from HHS OCR and a complete civil money penalty reference table.
Cloud Security • May 2025
HIPAA-Compliant Cloud Storage Compared: AWS, Azure, Google Cloud, Box, and Dropbox Business
Side-by-side analysis of the five leading cloud storage platforms used in healthcare, evaluated across BAA availability, encryption standards, access controls, audit logging, and alignment with 45 CFR § 164.312 technical safeguard requirements.
Legal & Contracts • May 2025
What Is a Business Associate Agreement (BAA)? A Complete Legal Breakdown
An authoritative breakdown of the BAA requirement under 45 CFR § 164.504(e), including all nine required contract elements, permitted and prohibited uses of PHI, subcontractor BAA obligations, breach reporting timelines, and OCR enforcement consequences for missing BAAs.