A lot of people ask what is HIPAA compliant right after they buy a new tool. The clinic has started telehealth. The billing team moved files into the cloud. A practice manager is comparing video platforms, e-signature tools, and storage vendors. Someone on the team says, “If the software is HIPAA compliant, we're covered.”

That's the mistake.

HIPAA compliance isn't something you purchase like a printer or a phone plan. It's an operating condition. The software matters, but your policies, access controls, vendor contracts, training, breach response, and documentation matter just as much. If your organization handles health information, you need to know where responsibility stays with the vendor and where it stays with you.

The High Stakes of Handling Health Information

A small clinic adding virtual visits usually starts with convenience. The goal is simple. Reduce missed appointments, make follow-up easier, and stop asking patients to drive in for every routine conversation. Then the actual questions show up. Can staff text reminders? Can nurses join from home? Can recordings be stored in the cloud? What happens if a laptop disappears?

Those aren't theoretical worries. Healthcare remains the most expensive industry for breach costs, averaging $10.93 million per incident, and 168 million patient records were exposed in 2025 alone, according to Medha Cloud's HIPAA compliance statistics summary. That's why “what is HIPAA compliant” isn't a legal trivia question. It's a risk management question.

An infographic highlighting the cybersecurity risks, financial costs, and privacy threats associated with healthcare data breaches.

Where small teams get exposed

Most failures don't start with a dramatic hack movie scene. They start with ordinary operational shortcuts.

  • Shared accounts: Two front-desk staff use the same login because it's faster.
  • Unvetted tools: A team starts using a consumer video app before legal or IT reviews it.
  • Loose disposal practices: Old drives, phones, or copiers leave the building without documented sanitization. If you're replacing equipment, a resource on Georgia ePHI data destruction helps show what compliant disposal should look like in practice.
  • Missing documentation: Controls may exist, but no one can prove they were implemented, reviewed, or enforced.

Practical rule: If you can't show how PHI is protected, limited, and audited, you're not in a strong compliance position.

The stakes aren't only financial. A breach can interrupt operations, force patient notifications, trigger regulatory scrutiny, and damage trust that took years to build. In healthcare and healthcare-adjacent businesses, trust is infrastructure.

Deconstructing HIPAA A Simple Framework

When people ask what is HIPAA compliant, I usually translate the law into two basic questions. Who is covered? And what data is protected? Once those answers are clear, the rest of the framework becomes much easier to manage.

HIPAA is legally defined by adherence to four regulations: the Privacy Rule, Security Rule, Breach Notification Rule, and Omnibus Rule, which require administrative, physical, and technical safeguards for electronic Protected Health Information across covered entities and their business associates, according to the HHS overview of HIPAA laws and regulations.

Who HIPAA applies to

The two groups that matter most in day-to-day operations are Covered Entities and Business Associates.

A covered entity is typically the healthcare side of the relationship. Think medical practices, health plans, and clearinghouses. A business associate is the outside company that handles protected information on that covered entity's behalf. That could include a billing vendor, cloud storage provider, IT support firm, appointment scheduling service, or telehealth platform.

A simple analogy helps. Think of PHI as valuables in a vault.

  • Covered Entities own the vault and decide why the valuables are being used.
  • Business Associates are the contractors allowed inside to maintain systems, transport materials, or support operations.
  • HIPAA is the set of rules that tells both groups how access must be controlled, documented, and secured.

What PHI actually means

Protected Health Information, or PHI, is health-related information tied to an identifiable person. If a piece of information tells you who someone is and something about their health, care, payment, or treatment context, treat it carefully.

That's why HIPAA surprises non-clinical teams. A scheduling note, billing record, therapy session link, insurance communication, or intake form can all pull a company into HIPAA territory if it contains or touches PHI.

A good way to think about PHI is this: it combines the sensitivity of personal identity data with the confidentiality of private medical context.

A privacy policy can sound respectful and still fall short of HIPAA obligations. That's why I like seeing companies publish a clear philosophy, such as the Donely privacy commitment, while also recognizing that privacy values alone are not a substitute for regulated controls.

Why this distinction matters

Misclassification creates expensive mistakes. A clinic may assume only clinicians need HIPAA training. An outsourced admin team may assume they're “just handling scheduling.” In reality, if they touch PHI for a covered entity, they can fall under HIPAA obligations.

That's the first mental shift. HIPAA doesn't only apply where care happens. It applies anywhere health information moves.

The Three Pillars of HIPAA Safeguards

Once you know who's involved and what data is protected, the next question is how compliance works in practice. HIPAA security controls are easiest to understand as three pillars: administrative, physical, and technical safeguards.

Think of a fortress.

  • The administrative safeguards are the rules of the castle.
  • The physical safeguards are the walls, doors, and guards.
  • The technical safeguards are the locks, alarms, and coded access systems.

An infographic showing the three pillars of HIPAA safeguards: administrative, physical, and technical safeguards for protecting PHI.

Administrative safeguards

Many organizations are weaker than they think. They've bought secure tools, but they haven't defined how people are supposed to use them.

Administrative safeguards include the governance layer around PHI:

  • Risk assessment practices: You need a repeatable way to identify where ePHI lives, who can access it, and what could go wrong.
  • Workforce training: Staff need role-specific guidance, not a one-time slideshow nobody remembers.
  • Sanctions and accountability: If employees bypass security rules, leadership needs documented consequences.
  • Vendor oversight: Teams must know which vendors touch PHI and what agreements are in place.

A secure platform doesn't fix weak internal process. If the wrong employee still has access months after changing roles, that's an administrative failure.

Physical safeguards

Physical controls sound old-fashioned until a lost laptop or unsecured reception workstation becomes the source of a reportable incident.

Here's what physical safeguards look like in real operations:

AreaPractical control
WorkstationsPosition screens to reduce unauthorized viewing and require lock screens
DevicesControl how laptops, phones, drives, and removable media are issued and returned
FacilitiesLimit access to server rooms, records areas, and storage closets
DisposalDocument how paper and electronic media containing PHI are destroyed or sanitized

Physical security matters because HIPAA protects data wherever it exists, not only inside software dashboards.

Technical safeguards

This is the pillar most vendors advertise, and for good reason. Technical controls are visible and testable. But they still need to fit into your wider compliance process.

For video conferencing and telehealth, the encryption baseline matters. A HIPAA-compliant video conferencing platform must use AES-256 for data at rest and TLS 1.2+ or DTLS-SRTP for media in transit, according to the Censinet guide to HIPAA-compliant video conferencing.

That matters because interception risk isn't abstract. If data isn't properly encrypted in storage and transit, unauthorized parties may be able to read or reconstruct information they capture.

Technical safeguards often include:

  • Access controls: Unique accounts, role-based permissions, and session restrictions.
  • Audit controls: Logs that show who joined, viewed, changed, or exported data.
  • Encryption: Protection for stored files, messages, and live communications.
  • Authentication: Strong identity checks before users reach PHI.

If administrative safeguards answer “who should be allowed,” technical safeguards answer “how the system enforces it.”

The Myth of a HIPAA Compliant Product

The phrase “HIPAA-compliant software” is useful shorthand, but it often causes real confusion. People hear it and assume the software itself transfers compliance onto the buyer. It doesn't.

No vendor can certify your organization as HIPAA compliant. According to Compliancy Group's HIPAA FAQ, the organization using the tool remains responsible for implementing the administrative, physical, and technical safeguards around it.

What a product can do

A product can be HIPAA-ready or appropriate for HIPAA-regulated use. In practice, that means the vendor may provide features such as encryption, access controls, and support for a Business Associate Agreement.

That's helpful. It's necessary, even. But it's not the finish line.

A telehealth platform can give you secure meeting transport, recording controls, and vendor commitments. It cannot decide which staff members should access patient sessions. It cannot train your workforce. It cannot run your internal sanctions policy. It cannot perform your risk analysis for every workflow that touches PHI.

What the organization still owns

The healthcare provider, clinic, law firm, or service company still has to answer questions like these:

  • Which users should have access to PHI?
  • Are permissions reviewed when job roles change?
  • Is remote access allowed on unmanaged devices?
  • How are recordings handled?
  • What happens when a breach is suspected?
  • Can the organization produce documentation during an audit or investigation?

That's the core answer to what is HIPAA compliant. It's not a badge on a login screen. It's an ongoing state of controlled operations.

A secure tool reduces risk. It doesn't absorb your liability.

How to Verify a Vendor Is HIPAA Compliant

Vendor review shouldn't feel like marketing evaluation. It should feel like evidence collection. If a provider will store, transmit, or process PHI, ask for proof, not promises.

The first document to request is the most important one. The Business Associate Agreement, or BAA. HIPAA requires a signed BAA with every vendor that processes, transmits, or stores PHI, legally binding that vendor to safeguard data and define breach notification responsibilities under HIPAA §164.502(e), as explained in the Fortinet article on HIPAA-compliant video conferencing platforms.

Start with the legal layer

If a vendor won't sign a BAA, stop there. It doesn't matter how polished the interface is or how strong the feature list looks.

Use this sequence during due diligence:

  1. Request the BAA early. Don't wait until procurement is nearly done.
  2. Confirm scope. Make sure the agreement covers the exact services that will handle PHI.
  3. Review responsibilities. Look for breach reporting obligations and permitted uses of data.
  4. Check subcontractor handling. Ask whether downstream service providers are also governed appropriately.

A missing BAA is not a paperwork issue. It's a compliance failure.

Then inspect the security controls

Once the legal requirement is satisfied, move into technical and operational validation.

Screenshot from https://aonmeetings.com

When I review collaboration vendors, I look for evidence in five areas:

  • Encryption details: Ask exactly how data is protected in transit and at rest.
  • Access model: Confirm whether the platform supports role-based access control and strong authentication.
  • Audit visibility: Check whether logs are available and whether they're resistant to tampering.
  • Storage and location controls: Understand where recordings, files, and metadata reside. A practical primer on data residency requirements helps frame the questions teams should ask before procurement.
  • Retention and deletion workflows: Ask how long data persists and how it can be securely removed.

Watch for vague answers

Strong vendors usually respond with specific documentation, contract language, and product settings. Weak vendors respond with broad reassurance.

A useful comparison:

Vendor answerWhat it usually means
“We take privacy seriously”Marketing language, not proof
“We support HIPAA workflows with a BAA”Better, but still incomplete without configuration details
“Here is our BAA, encryption model, audit logging capability, and admin control documentation”The review can proceed

If you need to mention a specific tool during evaluation, mention it factually. For example, AONMeetings is one platform that offers HIPAA-focused meeting capabilities and BAA support, but it still needs to be reviewed inside your organization's own policies and workflows.

A Practical Checklist for Evaluating Video Conferencing Tools

Teams comparing platforms rarely require a long memo. Instead, a short checklist can identify obvious failures before procurement, rollout, or patient use.

Use these questions as a hard-screening list when evaluating telehealth or meeting software. If the answer is unclear, treat that as a warning sign.

A checklist infographic for ensuring HIPAA compliance during professional video conferencing and telehealth meetings.

Yes or no questions that matter

  • BAA availability: Will the vendor sign a BAA for the exact plan and workflow you'll use?
  • Encryption coverage: Does the service protect video, audio, chat, files, and recordings with appropriate encryption?
  • Access management: Can you limit hosts, participants, and admins by role?
  • Meeting controls: Are waiting rooms, passcodes, lock controls, and moderator permissions available?
  • Audit trail: Can your team review session joins, recording access, and admin changes?
  • Storage clarity: Do you know where recordings and transcripts are stored, and how they're deleted?
  • Policy fit: Do the vendor's settings align with your own documented procedures?

For teams comparing vendors side by side, a guide to HIPAA-compliant video platforms can help organize feature checks against compliance requirements.

Don't ask only whether a platform is secure. Ask whether your team can operate it securely, consistently, and with evidence.

The best checklist is the one your staff will use before they start inviting patients, clients, or outside partners into a meeting.

HIPAA Compliance Scenarios and FAQs

Rules make more sense when you apply them to ordinary work.

Scenario one: the therapist doing remote sessions

A therapist moves appointments online. The video tool offers private meeting links and encrypted communications, but the therapist also records some sessions for internal training. That changes the risk profile. Now the practice needs recording policies, access restrictions, retention decisions, and audit visibility. Security isn't only about the live call.

If the practice uses meeting capture or notes, tools for recording and transcription workflows need the same level of review as the meeting itself.

Scenario two: the law firm reviewing medical records

A litigation team receives client medical records as part of a case. The firm isn't providing healthcare, but it may still handle PHI in a regulated context depending on the engagement and relationship structure. The key mistake here is assuming HIPAA only lives inside hospitals. Legal, consulting, and support firms can all end up handling sensitive health information through service relationships.

Scenario three: the outsourced admin team

A small company handles scheduling, billing support, or patient communications for a medical practice. The staff never provide clinical care. They still access PHI. That often makes them a business associate.

Many SMBs in marketing, IT, or tele-admin roles don't realize they can be legally classified as Business Associates, and 40% of HIPAA violations stem from business associate failures, according to Scrut's overview of HIPAA covered entities and business associates.

Common questions

Does HIPAA only apply to doctors and hospitals?

No. It also reaches many vendors and service providers that create, receive, store, or transmit PHI on behalf of covered entities.

If my software vendor says they're HIPAA compliant, am I compliant too?

No. A vendor can support compliant use. Your organization still owns configuration, policies, training, access management, and documentation.

Is encryption alone enough?

No. Encryption is essential, but it doesn't replace BAAs, role controls, workforce training, or breach procedures.

What about non-clinical employees?

They're often the overlooked risk. Front-desk teams, billing staff, IT contractors, marketers, and call center workers may all touch PHI depending on the workflow.

What's the shortest practical definition of what is HIPAA compliant?

An organization is HIPAA compliant when it can show that it has the required safeguards, contracts, controls, and procedures in place to protect PHI and respond appropriately when something goes wrong.


If you're evaluating secure meeting platforms for healthcare, legal, education, or regulated business use, AONMeetings is worth reviewing as part of your vendor shortlist. Look at it the right way: as a tool that can support HIPAA-aligned workflows with features like secure conferencing and BAA support, then map those capabilities to your own policies, access rules, and documentation before rollout.

Leave a Reply

Your email address will not be published. Required fields are marked *