In 2022, Advocate Aurora Health disclosed that tracking pixels from Meta and Google, embedded in their patient portal, had transmitted patient data to third-party advertisers without a signed contract in place. 3.3 million patients were affected. The breach did not come from their Electronic Health Record (EHR) system. It came from technology embedded in their outreach and engagement infrastructure.
That case illustrates the compliance gap most HIPAA checklists skip. Healthcare organizations that text, call, or digitally engage patients are running outreach stacks that touch sensitive patient data. Every vendor in that stack carries HIPAA obligations. Any platform that accesses patient records must have a signed Business Associate Agreement (BAA) in place before it handles a single record.
This guide covers the full 2026 HIPAA compliance framework, with a focus on what your outreach tools specifically require: what HIPAA demands of communication vendors, what a BAA must include, and how to verify that the platform contacting your patients is genuinely compliant.
The 2026 Security Rule update changed the baseline for every item on this list. The “addressable vs. required” distinction that let organizations defer safeguards since 2003 is gone. Every safeguard is now mandatory.
What is HIPAA compliance?
HIPAA compliance means a covered entity or business associate has implemented the policies, safeguards, and procedures required by the Health Insurance Portability and Accountability Act to protect patients’ Protected Health Information (PHI). Compliance spans three distinct rules: Privacy, Security, and Breach Notification. Penalties for violations range from $100 to $50,000 per violation, up to $1.9 million annually per violation category.
PHI is any individually identifiable health information: names, addresses, dates of birth, medical record numbers, diagnosis codes, treatment history, and any other data element that can be linked to a specific patient. PHI is protected whether stored, transmitted, or accessible in any form.
The three rules divide the compliance framework:
- Privacy Rule: Governs how PHI can be used and disclosed
- Security Rule: Governs technical, administrative, and physical safeguards for electronic PHI (ePHI)
- Breach Notification Rule: Governs what an organization must do when PHI is compromised
Who needs to be HIPAA compliant?
Two categories of organizations carry HIPAA obligations.
Covered entities include healthcare providers (hospitals, clinics, individual practitioners), health plans, and healthcare clearinghouses. If you provide medical services, administer insurance, or process health transactions, you are a covered entity.
Business associates are any vendor or contractor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Billing services, cloud storage providers, EHR vendors, legal firms handling patient records, and any platform used to communicate with patients all qualify.
The classification most healthcare operations teams miss: if your organization uses a texting or calling platform to contact patients, that platform is a business associate.
It handles PHI (patient contact lists, appointment data, care coordination details) and it must sign a BAA before you use it for any patient outreach. No BAA means a direct HIPAA violation, regardless of the platform’s own security certifications.
The complete HIPAA compliance checklist (2026)

Privacy Rule checklist
- ☐ Designate a HIPAA Privacy Officer with defined accountability
- ☐ Publish a Notice of Privacy Practices (NPP) and display it in patient-facing spaces
- ☐ Obtain written patient authorizations for disclosures that require them
- ☐ Implement the minimum necessary standard: restrict PHI access to what each role requires
- ☐ Establish patient rights procedures covering access requests, amendment, accounting of disclosures, and restrictions
- ☐ Train all workforce members on Privacy Rule requirements annually
- ☐ Document all privacy policies and retain records for six years
Security Rule checklist (updated for 2026)
The 2026 Security Rule update eliminates the “addressable vs. required” distinction that existed since 2003. Every safeguard below is now mandatory. No organization can defer implementation by classifying a safeguard as “addressable.”
Administrative safeguards:
- ☐ Designate a HIPAA Security Officer with defined accountability
- ☐ Conduct an annual Security Risk Analysis (SRA): this is the single most cited deficiency in Office for Civil Rights (OCR) audits
- ☐ Implement workforce security procedures including access authorization, modification, and termination protocols
- ☐ Establish and deliver an ongoing security awareness and training program
- ☐ Develop, test, and maintain a contingency plan covering emergency mode operations and disaster recovery
- ☐ Implement a sanction policy for workforce members who violate security policies
Physical safeguards:
- ☐ Implement facility access controls for all locations where ePHI is stored or accessed
- ☐ Define and enforce workstation use and security policies
- ☐ Establish device and media controls covering disposal, reuse, and accountability for hardware leaving the organization
Technical safeguards (all mandatory under the 2026 rule):
- ☐ Encrypt ALL ePHI in transit and at rest: no exceptions under the 2026 update
- ☐ Implement multi-factor authentication (MFA) for every user with ePHI access
- ☐ Establish audit controls and activity logging for all systems containing ePHI
- ☐ Conduct vulnerability scanning at minimum every six months
- ☐ Conduct penetration testing annually
- ☐ Maintain a documented technology asset inventory and network map
- ☐ Achieve 72-hour system restoration capability following a security incident
The HHS HIPAA Security Rule guidance provides the full regulatory text for each safeguard category.
Breach Notification Rule checklist
- ☐ Define internally what constitutes a breach versus a permitted disclosure
- ☐ Establish a documented 60-day notification procedure for notifying affected individuals
- ☐ Document the process for notifying the HHS Secretary via the OCR breach portal
- ☐ Maintain a breach log and retain it for six years
- ☐ Establish media notification procedures for breaches affecting 500 or more individuals in a single state or jurisdiction
- ☐ Establish 72-hour system restoration protocols following a breach (2026 update)
- ☐ Conduct post-breach analysis for every documented incident
HIPAA compliance for patient communication tools

If you run patient outreach programs, your compliance obligations extend beyond your internal data systems. Appointment reminders, care coordination calls, health campaigns: every one of them involves patient data. Every vendor running those programs is a business associate under HIPAA and needs a BAA before it handles a single record.
This is the section most HIPAA compliance guides leave out. It is also where most healthcare organizations have active gaps.
HIPAA and patient texting
Standard SMS is not HIPAA compliant. Regular text messages travel over carrier networks without encryption, leave no audit trail, and provide no access control.
The question is not whether standard SMS is compliant. It is not. The question is what a compliant alternative actually requires.
A platform qualifies for HIPAA-compliant patient texting when it provides:
- End-to-end encryption for messages in transit and at rest
- Access controls restricting which staff members can send to which patients
- Audit logs that record who sent what, to whom, and when
- Automatic logoff after a defined inactivity period
- Remote wipe capability for devices used to send messages
- A signed BAA from the platform vendor
The minimum necessary standard applies to message content regardless of the platform. Even a fully compliant texting system cannot fix PHI oversharing in the message text itself. Train staff on what can and cannot appear in an outbound patient text.
For a complete breakdown of what makes a texting platform compliant, secure text messaging for healthcare organizations covers the technical requirements and vendor evaluation framework.
HIPAA and patient calling
Outbound calling programs that contact patients carry their own compliance requirements.
Voicemail rules: HIPAA permits leaving voicemails for patients, but the message must apply the minimum necessary standard. A detailed voicemail that includes diagnosis information, medication names, or specific clinical details may reach family members or others not authorized to receive that PHI. Standard practice: name, callback number, and a generic reason for the call. No clinical specifics in the message.
Script and PHI handling: Outbound calling scripts should be reviewed for inadvertent PHI collection. Any information entered into a calling platform during a patient conversation becomes ePHI that platform is handling on your behalf, which adds to its business associate obligations. Keep your calling platform separate from any system that should not hold PHI.
For healthcare organizations running structured outbound calling programs, the phone banking compliance guide for healthcare outreach covers how HIPAA and TCPA obligations intersect in patient contact workflows.
What to verify in a communication vendor before signing
Before any communication platform accesses your patient data, verify these six requirements:
| Requirement | What to confirm |
|---|---|
| Business Associate Agreement | Vendor signs a BAA before any PHI access |
| Encryption | Messages encrypted in transit and at rest |
| Audit logs | Complete logs accessible to your compliance team |
| Access controls and MFA | Role-based access, MFA enforced for all users |
| Breach notification procedure | Documented timeline and process per HIPAA |
| Security certification | SOC 2 Type II or equivalent third-party audit |
No BAA means no access to patient data. This is non-negotiable under HIPAA and not a negotiating point with vendors.
Organizations evaluating whether existing vendor relationships meet the current standard should also review the established business relationship rules for healthcare contact for the consent and authorization framework that governs patient outreach programs.
Business Associate Agreements: What every healthcare organization must check

A BAA is a required HIPAA contract that specifies how a vendor may use PHI on behalf of a covered entity and what safeguards the vendor will maintain. HHS requires a signed BAA before a covered entity provides PHI access to any business associate.
What an HHS-compliant BAA must include:
- The permitted uses and disclosures of PHI by the business associate
- A prohibition on uses or disclosures not authorized by the agreement or required by law
- Requirements for appropriate safeguards to prevent unauthorized use or disclosure
- Requirements to report breaches and security incidents to the covered entity
- Requirements to make PHI available to the individual who is the subject of that PHI if requested
- Requirements to return or destroy PHI at contract termination
- Requirements ensuring the vendor’s own subcontractors sign equivalent BAAs
BAA checklist: eight items to verify before any vendor gets PHI access:
- ☐ The BAA is signed and dated before PHI access is granted
- ☐ Permitted uses and disclosures are specific, not “as needed for services”
- ☐ The vendor agrees to implement safeguards equivalent to the HIPAA Security Rule
- ☐ The vendor will notify you of any breach within a specific timeline (24 to 48 hours is recommended, not just HHS’s 60-day maximum)
- ☐ The BAA covers all subcontractors the vendor uses to deliver services
- ☐ The agreement specifies the procedure for returning or destroying PHI at contract end
- ☐ The BAA has been reviewed since the 2026 Security Rule update (encryption and MFA are now mandatory requirements)
- ☐ The BAA is stored in a central contracts repository with a scheduled review date
The 2026 Security Rule changes may require renegotiating existing BAAs. Vendors that were previously “addressable” on encryption are now required to provide it. If your current agreement does not explicitly require encryption and MFA from the vendor, update it before your next OCR audit cycle.
How to conduct a HIPAA Security Risk Analysis
The SRA is the most frequently cited deficiency in OCR audits. The OCR HIPAA enforcement data consistently shows SRA failures at the top of every audit finding list.
Organizations that complete an annual SRA and document it correctly survive audits. Organizations that treat it as a checkbox activity do not.
An effective SRA covers five steps:
- Scope: Identify every location, system, and process where ePHI exists. This includes cloud storage, email systems, EHRs, texting platforms, calling platforms, and any device that can access PHI.
- Threat identification: List every threat that could lead to unauthorized ePHI access, modification, or destruction. Include technical threats (cyberattacks, malware, system failures) and non-technical ones (workforce misuse, physical theft, natural disasters).
- Vulnerability assessment: For each threat, identify whether existing controls adequately reduce the likelihood of that threat occurring. Gaps are vulnerabilities.
- Impact analysis: For each vulnerability, estimate the potential impact if the threat were realized. Consider both the harm to affected patients and the organizational consequences.
- Risk prioritization: Rank identified risks by likelihood times impact. Address high-priority risks first. Document the prioritization and your remediation plan.
Documentation that must survive an audit:
- The completed SRA with date, scope, methodology, and findings
- The risk management plan that responds to SRA findings
- Evidence that remediation steps were completed
- The date of the next scheduled SRA
Conduct an SRA annually and any time significant changes occur in your environment: new systems deployed, major vendor changes, office relocations, workforce changes at the leadership level, or any merger or acquisition that brings new systems into scope.
HIPAA audit preparation: What OCR investigators look for

OCR investigations are triggered by three main sources: individual complaints, breach notifications, and random audits under the HIPAA Audit Program. Organizations that survive investigations share three characteristics.
Three things that survive audits:
- A current, documented SRA with a risk management plan and evidence of remediation. An SRA completed three years ago does not satisfy the current annual requirement.
- Recent training records showing all workforce members received security awareness training within the past 12 months. Generic completion certificates are not sufficient. Training content must reflect your organization’s specific policies.
- Documented breach responses for every incident that occurred, even if the incident did not meet the threshold for patient notification. OCR reviews how you handled incidents, not just whether you had them.
The five most common HIPAA violations:
| Violation | How to prevent it |
|---|---|
| Impermissible uses and disclosures of PHI | Regular Privacy Rule training; access logs reviewed quarterly |
| No Business Associate Agreement with vendors | BAA tracking system with review and expiration dates |
| Inadequate or missing Security Risk Analysis | Annual SRA with documented methodology and findings |
| Failure to implement Security Rule safeguards | Technical controls aligned to 2026 mandatory standards |
| Lack of documented HIPAA policies and procedures | Policy repository with annual review dates assigned |
What triggers an OCR investigation: Breach notifications filed for 500 or more records automatically place an organization on OCR’s investigation list. Patient complaints filed directly with OCR are the second major trigger. Random audits under the HIPAA Audit Program can occur at any time regardless of whether an organization has had a reported incident.
Ready to make your patient communications HIPAA-compliant?
HIPAA compliance does not stop at your EHR. Your texting platform, calling software, and broadcast tools are subject to the same standards. Every vendor accessing PHI on your behalf needs a signed BAA, mandatory encryption, and audit logs your team can access.
The 2026 Security Rule update closed the workaround that let organizations defer these requirements for two decades. Encryption and MFA are now required. If your current outreach vendors do not meet those requirements, your BAAs need updating before your next audit cycle.
CallHub is built for healthcare outreach teams that need these requirements met across the full stack: peer-to-peer texting, phone banking, and broadcast messaging. Review CallHub’s security certifications and compliance documentation at callhub.io/security.
Frequently asked questions
What is PHI under HIPAA?
Protected Health Information (PHI) is any individually identifiable health information held by a covered entity or business associate. This includes names, addresses, dates of birth, Social Security numbers, medical record numbers, diagnosis codes, treatment records, and any other data element that could reasonably identify a specific patient. PHI is protected in every form: electronic, paper, and verbal.
What are the penalties for HIPAA non-compliance?
Civil penalties range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category. The penalty tier depends on the level of culpability: unknowing violations carry the lowest penalties, while willful neglect that is not corrected carries the maximum. Criminal penalties apply for willful misuse of PHI, with fines up to $250,000 and imprisonment up to 10 years for the most serious violations.
Does texting patients violate HIPAA?
Not automatically, but standard SMS is not HIPAA compliant because it lacks encryption, audit trails, and access controls. Texting patients violates HIPAA when the platform handling those messages has not implemented required safeguards and has not signed a BAA. Using an encrypted, access-controlled texting platform with a signed BAA is compliant.
What is a Business Associate Agreement (BAA)?
A BAA is a required HIPAA contract between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on the covered entity’s behalf. The BAA specifies what the vendor may do with PHI, what safeguards the vendor must maintain, how the vendor must respond to breaches, and what happens to PHI at contract termination. No covered entity may provide PHI access to a business associate without a signed BAA in place first.
How often should HIPAA risk assessments be conducted?
The HIPAA Security Rule requires an annual SRA as a mandatory baseline. Organizations must also conduct a new SRA any time there is a significant change in the operating environment: new systems deployed, major vendor changes, facility changes, mergers, or significant shifts in workforce composition. All SRA documentation must be retained for six years.
What changed in the 2026 HIPAA Security Rule update?
The 2026 update, finalized in January 2025 and in effect this year, eliminates the “addressable vs. required” distinction that existed since 2003. Every safeguard is now mandatory. Specific new requirements include: encryption for all ePHI in transit and at rest, MFA for all ePHI access, vulnerability scanning every six months, annual penetration testing, and a 72-hour system restoration requirement following security incidents. Organizations with legacy BAAs or deferred “addressable” safeguards need to review their compliance posture.
Who is a covered entity vs. a business associate under HIPAA?
A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that directly transmits PHI for covered transactions. A business associate is any vendor or contractor that creates, receives, maintains, or transmits PHI on behalf of a covered entity to perform a service. Both carry HIPAA requirements, but the covered entity is ultimately responsible for ensuring its business associates have signed BAAs and maintain equivalent safeguards.
What is the HIPAA minimum necessary standard?
The minimum necessary standard requires covered entities and business associates to limit PHI use, disclosure, and access to the minimum amount needed to accomplish the intended purpose. Practically: staff access only the patient records their role requires, outbound messages include only the clinical detail necessary for that communication, and system access is role-based rather than open. The minimum necessary standard applies to internal access, outbound disclosures, and requests from other covered entities.