One name, several rules — plus the law layered on top.

People say "HIPAA" as if it were a single regulation. It is actually several: chiefly the Privacy Rule and the Security Rule, with the Breach Notification Rule and the HITECH amendments alongside them. A working program also has to satisfy the law that sits on top — state privacy and breach statutes that often reach further than HIPAA, and, depending on the data you hold, other federal regimes. The two rules you work with most have full guides below; a Rote review reads your program against the rest of that landscape, not only the two.

45 CFR 164 · Subpart C
Security Rule update

The proposed 2026 overhaul in plain terms: whether it is real yet, the one change that matters most (addressable would become required), and the three moves worth making now.

Read the Security Rule guide →
45 CFR 164 · Subpart E
Privacy Rule

What it actually requires: permitted uses of PHI, the minimum necessary standard, the Notice of Privacy Practices, patient rights, and business associates.

Read the Privacy Rule guide →
45 CFR 164 · Subpart D
Breach Notification

When PHI is exposed, this sets who you must notify, how fast, and what to document. Part of every HIPAA program, not an optional add-on.

45 CFR Part 160 · HITECH
Enforcement & HITECH

How OCR investigates and penalizes, and the HITECH amendments that made business associates directly liable and raised the stakes.

Stricter than the floor
State laws

HIPAA is a floor. State medical-privacy and breach-notification laws frequently go further, and where they do, they apply on top of it.

Where they overlap
Other federal laws

Depending on the data you hold: 42 CFR Part 2 for SUD records, the FTC Health Breach Notification Rule, and more.

Covered entities and their business associates.

HIPAA reaches two groups. Covered entities are health plans, health care clearinghouses, and health care providers — though a provider is only covered if it transmits health information electronically in connection with certain standard transactions, such as submitting a claim. Business associates are the vendors that create, receive, maintain, or transmit protected health information on a covered entity's behalf; the subcontractors they hand that data to are business associates as well. Both are directly liable for much of the rule, not just the terms of their contract.

That second group is where a lot of modern exposure sits. If you are a healthtech company handling PHI for a customer, you are almost certainly a business associate, and the agreement you signed has to meet 45 CFR 164.504(e). The relationship is governed by a business associate agreement on both sides.

One thing HIPAA does not have: an official certification. HHS does not certify anyone as HIPAA compliant. You demonstrate compliance through your own documented program, which is exactly what Rote's analysis is built to assess.

From a first read to a maintained program.

The same method Rote points at any regulation, aimed at HIPAA. Start free and run it yourself, or have Rote read your actual documents and build the corrections. Each rung credits toward the next.

Enter where your program actually is:

Fees credit forward. The Review credits in full toward an Alignment Project — you don't pay twice to climb.
OfferPriceWhat you get
HIPAA Self-Check Free Run the open-source HIPAA skills yourself, or start with the free Snapshot. A first read of your policies against the Security and Privacy Rules, in your own environment.
HIPAA Review ~$3,500 Rote runs Gap Analysis, BAA Review, and Control Assessment against your actual policies and BAAs, mapped to specific CFR citations and prioritized by enforcement exposure. The fee credits forward.
HIPAA Alignment Project ~$8,000 to $12,000 The corrected and built documentation from the Review findings: policies, procedures, and BAA language brought current with the rule.
Maintenance from ~$750/mo A quarterly re-run plus a watch on the proposed Security Rule overhaul, so the program stays current as the rule moves.

Pricing is disclosed up front. The HIPAA Review fee credits in full toward an Alignment Project. The skills beneath each rung are below.

Start with a free Snapshot Run the skills yourself

The ladder above builds your HIPAA foundation, the same documented program any covered entity or business associate needs, with or without AI. If you're also evaluating an AI vendor, shipping an AI feature into a clinical or RCM workflow, or need AI-specific policy and ongoing regulatory monitoring, AI Governance is the layer that builds on top of this foundation.

See AI Governance →

Common questions about HIPAA.

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act. Its regulations at 45 CFR Part 164 set national standards for protecting health information. The two that drive most compliance work are the Privacy Rule (how protected health information may be used and disclosed) and the Security Rule (the safeguards required for electronic protected health information).

Who has to comply with HIPAA?

Covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates, the vendors that create, receive, maintain, or transmit protected health information on their behalf. Business associates are directly liable for much of the rule and must operate under a business associate agreement.

What is the difference between the HIPAA Privacy Rule and the Security Rule?

The Privacy Rule governs what you may do with protected health information in any form and the rights patients have over it. The Security Rule sets the administrative, physical, and technical safeguards for electronic protected health information specifically. Most organizations are subject to both.

Is there an official HIPAA certification?

No. HHS does not certify or endorse any organization as HIPAA compliant. Compliance is demonstrated through your own documented program: risk analysis, safeguards, policies, training, and business associate agreements. Third-party frameworks like HITRUST or SOC 2 can support that story but are not a HIPAA certification.

Is HIPAA changing in 2026?

A proposed overhaul of the Security Rule is under review, the first major rewrite in over two decades. As of the last-reviewed date it is a proposed rule, not final, and not being enforced. The Privacy Rule core remains in effect. See the Security Rule update guide for what would change and what is worth doing now.

Where should we start?

With an honest read of where you stand. The free Readiness Snapshot places you on a maturity matrix and points to the thin spots across HIPAA, without a sales call attached.

See where your HIPAA program stands.

The Readiness Snapshot is free. It places your organization on Rote's compliance maturity matrix and shows where your documentation is thin against HIPAA, within one week. Diagnostic, not a sales call.