The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law designed to protect individual privacy by establishing national standards for maintaining sensitive patient health information and medical records. HIPAA compliance rules incorporate requirements from several other legislative acts, including the Public Health Service Act and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
In this article, we give an in-depth view of HIPAA requirements and provide all the details your organization needs to know from an IT security perspective to ensure HIPAA compliance. To learn more about compliance best practices, check out the HIPAA Compliance Checklist.
What Is HIPAA Compliance?
HIPAA compliance requirements set standards for protecting electronic patient health and medical data. Lawmakers established HIPAA to meet several core goals:
- Improve healthcare.
- Protect patient privacy.
- Require entities to provide medical records to patients upon request.
- Improve health insurance portability.
- Ensure patients are notified in the event of health data breaches.
The U.S. Department of Health and Human Services (HHS) oversees HIPAA, and the HHS Office for Civil Rights (OCR) periodically conducts HIPAA audits to assess compliance.
What Is Protected Health Information (PHI)?
To comply with HIPAA, an organization must have appropriate data security measures, such as HIPAA compliance software, in place for protected health information.
Protected health information (PHI) is any personally identifiable health information that is transmitted or stored electronically, on paper or verbally. PHI includes any information about an individual that relates to their past, present or future health; details of health care treatments; and payment information that can identify the individual. Examples of PHI include:
- Social Security number
- Name
- Dates of birth, death or treatment, and other dates relating to patient care
- Photographs
- Contact information
- Medical record numbers
Who Must Comply with HIPAA?
HIPAA regulates information for two groups that handle patient healthcare data: covered entities and business associates.
What Is a Covered Entity?
A covered entity is a person or organization that processes and holds PHI for customers. Examples include doctors, pharmacies, nursing homes, clinics and health insurance companies.
However, not every organization that deals with health information is considered a covered entity. One example is research organizations that don’t provide healthcare services and don’t transmit healthcare information in connection with any transactions covered by a HIPAA regulation.
What Is a Business Associate?
A business associate is an organization that provides services to covered entities to assist with healthcare activities and functions. Covered entities may disclose PHI to business associates for assistance with healthcare functions but not for the business associate’s independent purposes or use.
In general, a business associate agreement or contract is necessary when establishing a relationship between a covered entity and a business associate. In some cases, however, an agreement is not needed, so it’s necessary for organizations to do their own research.
How HIPAA Protects Patient Privacy
HIPAA’s primary form of patient protection is its Privacy Rule. The HIPAA Privacy Rule provides standards for the use and disclosure of individuals’ health information. It also sets standards for patients’ privacy rights and controls over the use of their health information.
Patients’ Right to Access their PHI
Individual patients have the right to access their own health information under the Privacy Rule. Individuals can also designate who else can see their PHI with written and signed documentation.
When a patient requests PHI, information is typically delivered in a designated record set, which contains:
- Billing and medical records like lab test results, treatment records and X-rays
- Claims, enrollment and payment information for the patient’s health plan
- Other records used for making decisions about the patient
Some information is excluded from the designated record set since the information wasn’t used to make decisions. This includes data regarding:
- Patient safety records
- Quality control information
- Information gathered for legal proceedings
Fulfilling PHI Requests
A covered entity might require PHI requests in writing or through electronic communications like email or a web portal. Covered entities may not impose unreasonable measures for making or verifying requests, nor may they unreasonably delay a patient from obtaining access.
Requests can be fulfilled in paper or electronic format, depending on what information was requested. A covered entity must provide the requested information within 30 calendar days of the request.
A covered entity can charge fees to recoup costs incurred from:
- Creating copies
- Purchasing supplies for the request
- Postage
- Preparing summaries of PHI, if agreed to by the individual
In certain cases, a covered entity will deny a PHI request. These circumstances can include:
- Psychotherapy notes
- PHI that is part of an in-progress research study
- Situations when access is reasonably likely to cause harm to someone
EHR Security and Privacy
In September 2013, legislators incorporated the HITECH Act into HIPAA with the Omnibus Rule. The HITECH Act was designed to encourage healthcare providers to use electronic health records (EHRs), also known as electronic protected health information (ePHI). The HITECH Act also stipulated that entities found to not be in HIPAA compliance could be subject to substantial fines.
HIPAA Standard Transactions
HITECH addresses standard transactions in the Transaction and Code Set Rule (TCS). The TCS rule adopts standards for the electronic transmission of healthcare data between providers, health insurers and health insurance customers.
Security Management for HIPAA
The HIPAA Security Rule
To ensure data security for EHRs, the HIPAA Security Rule established safety standards for covered entities and business associates. According to the rule, covered entities must:
- Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
To ensure compliance with the HIPAA Security Rule, an organization can follow guidelines established by the National Institute of Standards and Technology (NIST), which include controls and policy recommendations for organizations to implement for HIPAA compliance.
HIPAA Safeguards
NIST outlines three categories of EHR safeguards:
- Administrative safeguards
- Technical safeguards
- Physical safeguards
These safeguards can be required (must be implemented) or addressable (should be implemented if reasonable and appropriate for the environment).
Administrative Safeguards
- Security management process: Use systems to detect, prevent, contain and correct security violations.
- Assigned security responsibility: Designate an official responsible for developing and implementing policies and procedures.
- Workforce security: Grant ePHI access only to employees who need it and prevent unauthorized users from gaining access.
- Information access management: Use security systems for authorizing access to ePHI.
- Security awareness and training: Train all employees on data security practices and awareness.
- Security incident procedures: Establish protocols for security incidents.
- Contingency plans: Develop emergency management plans for system damages.
- Evaluation: Perform periodic system evaluations to gauge data security and reliability.
Technical Safeguards
- Access control: Allow access only to individuals or software programs that have been granted access rights.
- Audit controls: Use systems that record and examine activity regarding ePHI.
- Integrity: Establish ways to prevent mishandling of
- Person or entity authentication: Use security systems with robust verification measures.
- Transmission security: Implement security measures to guard against unauthorized ePHI access during electronic transmission.
Physical Safeguards
- Facility access control: Limit physical access to ePHI.
- Workstation use: Establish workflows and configuration requirements for workstations where ePHI gets accessed.
- Workstation security: Restrict workstation use to authorized users.
- Device and media control: Govern receipt and removal of hardware and media containing ePHI.
Data Risk Analysis
Under the Security Management Process guidelines, the Security Rule requires risk analysis, or risk assessment and management.
NIST guidance on data risk analysis has multiple steps, which include:
- Identifying vulnerabilities and threats.
- Assessing current data security.
- Determining threat likelihood and potential impacts.
Cost of HIPAA Violations
Breach Notification
A breach is any unauthorized use or disclosure of PHI under the Privacy Rule, unless the organization can demonstrate, based on a risk assessment, a low probability that the PHI was compromised.
If a data breach occurs, an organization must notify affected individuals by mail or email, alert the media, and file a report to the HHS Secretary through an online form — all within 60 days.
HIPAA Penalties and Fines
When breaches result in HIPAA violations, the HIPAA Enforcement Rule governs investigations, hearings and penalties. Common causes of HIPAA penalties include non-encrypted devices being lost or stolen, lack of employee training, database breaches, and office gossip about patient information.
The HITECH Act outlines four levels of fines for violations:
- Tier A: Violation where a person or entity did not know they committed a violation.
- Tier B: Violation of reasonable cause but not willful neglect.
- Tier C: Violation due to willful neglect but the person or entity can amend the situation.
- Tier D: Tier C violation where the situation is not amended within 30 days.
HHS OCR publishes violations on their “Wall of Shame” website. Other sites publish fines and links to settlements. Recent examples include:
- In September 2020, Premera Blue Cross was fined $6,850,000 to settle a data breach affecting over 6 million individuals.
- In July 2020, Lifespan Health System was fined over $1 million for a stolen laptop that was not encrypted.
- In October 2019, Elite Dental Associates was fined $10,000 for disclosure of patient information over social media.
FAQ
How often is HIPAA training required?
HIPAA training should be conducted at least annually for all workforce members who handle protected health information (PHI). However, healthcare organizations don’t just check the box once a year. You’ll want additional training sessions when new employees start, when policies change, after security incidents, and when new technologies are implemented. The key to HIPAA compliance isn’t meeting minimum requirements – it’s building a security-conscious culture where protecting patient data becomes second nature.
Which best describes the HIPAA Security Rule?
The HIPAA Security Rule is your technical roadmap for protecting electronic PHI (ePHI). Unlike the Privacy Rule that focuses on who can access data, the Security Rule gets into the nuts and bolts of how to secure that data electronically. It requires covered entities to implement administrative, physical, and technical safeguards that ensure ePHI confidentiality, integrity, and availability. It’s the “how-to” guide for turning privacy principles into real-world security controls that actually work.
What is the key to HIPAA compliance?
The key to HIPAA compliance is understanding that data security starts with identity. You can’t protect what you can’t see, and you can’t control what you don’t manage. Successful HIPAA compliance requires three foundational elements: knowing who has access to PHI, monitoring what they’re doing with that access, and maintaining detailed audit trails of all activities. It’s not about perfect security – it’s about demonstrable due diligence and the ability to detect and respond to threats before they become breaches.
Does HIPAA require encryption?
HIPAA doesn’t explicitly mandate encryption, but it’s considered “addressable” under the Security Rule’s technical safeguards. The practical reality: if you store or transmit ePHI without encryption and experience a breach, you’ll face steeper penalties and notification requirements. The practical approach is treating encryption as essential, not optional. Encrypt data at rest, in transit, and even in use when possible. When implemented properly, encryption can reduce your breach notification obligations and demonstrate your commitment to protecting patient privacy.
How to ensure HIPAA compliance?
Ensuring HIPAA compliance requires a systematic approach that goes beyond policies and procedures. Start with a comprehensive risk assessment to identify vulnerabilities in your environment. Implement the principle of least privilege – give people access only to the PHI they need for their specific job functions. Deploy continuous monitoring to track who’s accessing what data and when. Establish clear incident response procedures and practice them regularly. Most importantly, remember that compliance isn’t a destination – it’s an ongoing process that requires constant attention and regular updates as your organization and the threat landscape evolve.
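The technical safeguards listed above (access control, audit controls) and the FAQ's point about knowing who has access, monitoring that access and keeping audit trails, as an added Python example that is not from the original article: a least-privilege gate over ePHI record categories that logs every decision and surfaces users with repeated denials for incident review. Role names, category labels and user IDs are constructed for the example, not taken from HIPAA text.

```python
"""ePHI access gate with an audit trail (added example; hypothetical roles and labels)."""
from collections import Counter
from datetime import datetime, timezone

# The designated record set a patient may receive. Psychotherapy notes and
# in-progress research data (grounds for denial on the page) sit outside it.
DESIGNATED_RECORD_SET = {"medical_record", "lab_result", "billing", "claims"}
WITHHELD_FROM_PATIENT = {"psychotherapy_notes", "research_in_progress"}

# Least-privilege policy: each role sees only the categories its job needs.
# Role names are constructed for this example.
ROLE_POLICY = {
    "treating_clinician": DESIGNATED_RECORD_SET | WITHHELD_FROM_PATIENT,
    "billing_staff": {"billing", "claims"},
    "business_associate": {"claims"},
}

AUDIT_LOG = []  # audit control: every decision is recorded, allowed or denied


def authorize(user, role, patient_id, category):
    """Return True if access is permitted; always append an audit entry."""
    if role == "patient":
        # A patient may read only their own designated record set.
        allowed = user == patient_id and category in DESIGNATED_RECORD_SET
    else:
        allowed = category in ROLE_POLICY.get(role, set())
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "patient": patient_id,
        "category": category, "allowed": allowed,
    })
    return allowed


def repeated_denials(log, threshold=3):
    """Users with at least `threshold` denied attempts: candidates for review."""
    denied = Counter(e["user"] for e in log if not e["allowed"])
    return {u: n for u, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample activity, not real PHI.
    authorize("p-1001", "patient", "p-1001", "lab_result")           # allowed
    authorize("p-1001", "patient", "p-1001", "psychotherapy_notes")  # denied
    for _ in range(3):  # a billing clerk probing clinical records
        authorize("clerk-7", "billing_staff", "p-1001", "medical_record")
    print(repeated_denials(AUDIT_LOG))  # {'clerk-7': 3}
```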
