Know the Difference!
A hippo is a four-legged semiaquatic animal, known for its large size and aggressive nature.
HIPAA is the Health Insurance Portability and Accountability Act of 1996, a U.S. law designed to protect patients’ private health information.
Hippos, it turns out, are terrible at protecting private health information (don’t ask me how I know that!)
So, let’s just talk about HIPAA instead, since HIPAA (commonly misspelled “HIPPA”) compliance is a legal obligation for any organization that handles sensitive health data in the U.S. We’ll cover what it is, why it matters, and how to get HIPAA compliant.
HIPAA Compliance Definition
HIPAA compliance refers to adhering to the rules and regulations established under the Health Insurance Portability and Accountability Act of 1996.
These rules were established to protect the privacy, confidentiality, integrity, and availability of sensitive patient data, specifically their protected health information (PHI).
Bear with me, this will all make sense in a minute.
PHI is sensitive patient data protected by HIPAA and can include:
Medical history
Social security number
Financial info
Birth date
Name
Address
Genetic information
Image
Test results
Fingerprints
Insurance information
It’s the kind of information that you wouldn’t want falling into the wrong hands, possibly leading to identity theft, fraud, or worse.
Why is HIPAA Compliance Important?
HIPAA compliance is important because protecting PHI is the foundation of healthcare operations. It safeguards patients’ highly sensitive information, reduces the risk of breaches, and prevents businesses from costly penalties and lawsuits.
I’ve seen a lot of content that says HIPAA compliance builds patient trust, but that’s silly. Patients deserve – and expect – to have their information guarded. Protecting their most sensitive data isn’t some value-add, it’s table stakes. Every organization in healthcare needs to recognize how serious this matter is. HIPAA exists to make sure they do, with civil penalties that can reach $50,000 per violation even for a first offense.
HIPAA Compliance History
In 1996, HIPAA was a pretty big step forward for the healthcare industry. The industry was being revolutionized by new information technology, specifically electronic health records (EHRs) and moving away from the slower, more inconsistent paper-based health record systems.
Yes, for the younger folks reading this, if you can imagine it, medical records were once etched into stone tablets. Er, written on paper, rather.
As organizations moved towards EHRs, privacy concerns began to grow. After all, these EHRs included highly sensitive PII (Personally Identifiable Information) tied to patient identities including their medical conditions, addresses, contact information, and more. EHRs are more easily accessible than their paper counterparts, so bad actors could potentially obtain this information to steal peoples’ identities (a practice that was becoming increasingly lucrative).
So, Congress passed HIPAA to support this digital shift (and to set rules for protecting the records it produced), but also to ensure that employees didn’t lose their health insurance coverage when changing jobs (hence the “portability” in the name).
Who Needs to Comply with HIPAA?
Organizations that must be HIPAA compliant fall into two categories: covered entities and business associates.
What are HIPAA Covered Entities?
HIPAA-covered entities include medical organizations and healthcare providers that regularly receive, maintain or transmit PHI in their operations. They are directly responsible for HIPAA compliance and include doctors, hospitals, insurance companies, healthcare clearinghouses, and pharmacies.
These covered entities must ensure they safeguard PHI and maintain its confidentiality and integrity through policies and procedures. Such procedures include how PHI is stored, how it’s disclosed, and how they respond to breaches.
What are HIPAA Business Associates?
Business associates can include any third-party individual or organization that handles PHI on behalf of a covered entity. They don’t directly provide healthcare or plans but provide crucial support to covered entities.
IT service providers, billing companies, consultants, law firms, and other third-party services like marketing firms or transcription services are common business associates. This includes many modern SaaS and healthtech companies!
They are required to sign Business Associate Agreements (BAAs) with the covered entities they work with. A BAA spells out the permitted uses and disclosures of PHI, the safeguards the business associate must apply, its duty to report breaches back to the covered entity, and the consequences of non-compliance. The BAA must be in place before any PHI is shared, so this is done during the contract negotiation process. All parties should regularly review the BAA in order to maintain HIPAA compliance as requirements evolve.
Key Elements of HIPAA Compliance
HIPAA compliance is about following a set of key rules. If you can understand and adhere to each of these, your organization will do a fine job of handling sensitive patient information.
The Privacy Rule
The Security Rule
The Breach Notification Rule
The Enforcement Rule
The Transaction Rule
The Identifiers Rule
We will cover the Privacy, Security, Breach Notification, and Enforcement rules in this article. Transaction and Identifier rules provide standards on how medical transactions, data, and entities are labeled and used. Important, but not relevant to privacy or security!
Now, I don’t know about you but I love learning about rules and regulations. I know not everybody feels this way, and that’s okay. Stick with me on this and you’ll learn the stuff you need to know, no more and certainly no less!
The Privacy Rule
The first major rule is privacy. Patient information must only be used when necessary and appropriate. It’s simple but it accomplishes a lot. Whatever task needs doing, only the minimum amount of PHI is to be used or disclosed.
That sounds quite general, so let’s give the rule some context. A doctor would have access to full patient records, while billing staff only have access to what is necessary to process insurance. Or a front-desk receptionist can verify someone’s appointment with minimal information, without needing to access their medical diagnoses.
Another example is creating secure patient portals, so that patients can access their medical records on demand, without needing to make a request and then wait around for the provider.
This keeps PHI from flying around all willy nilly. But it also grants patients the right to access their health records and defines instances where PHI can be shared without patient authorization (like for treatment or payment).
The Security Rule
This rule applies specifically to electronic PHI, or ePHI for short. Organizations, according to this rule, must implement policies and procedures to manage security risks, conduct regular assessments, and protect ePHI.
They will use a combination of administrative safeguards (policies, training, risk analysis), physical safeguards (secure server rooms) and technical safeguards (encryption, access controls, audit logs) to build a stronger cybersecurity posture and reduce the risk of breaches. More on that shortly.
The Breach Notification Rule
Implemented in 2009 under the HITECH Act, this rule addresses how organizations must respond in the event of a breach of unsecured PHI. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. The Department of Health and Human Services (HHS) must be notified on the same timeline if 500 or more individuals are affected; smaller breaches are reported to HHS in an annual log, within 60 days of the end of the calendar year in which they were discovered. This rule also specifies what details are to be included in the notification, such as:
A description of the breach
Types of PHI involved
Steps affected individuals should take
How the organization is taking corrective action
Contact information for further assistance
Additionally, prominent media outlets must be notified if a breach involves more than 500 residents of a single state or jurisdiction.
A well-prepared incident response plan will include the specific process for notifying parties, what information is to be included, and who at your organization owns the notification process. Be sure to create a strong one that incorporates all the elements in the Breach Notification Rule.
The Enforcement Rule (and the Public “Wall of Shame”)
HIPAA non-compliance results in serious penalties. The Enforcement Rule holds organizations accountable for their lack of compliance, with civil fines ranging from $100 to $50,000 per violation (the base amounts in the rule; they are adjusted for inflation each year, and each penalty tier also carries an annual cap).
Violations differ in scope. It may be as small as an email sent to an address not authorized to receive PHI. Hopefully, this is caught and immediately corrected, but it still counts as a violation. Or it may be as large as a hospital knowingly failing to encrypt ePHI (after having received prior warnings about their security risks), exposing a significant number of patients to a breach.
Penalty severity differs based on the level of negligence. If a minor incident was the result of an oversight in an otherwise committed security program, the penalty is not as severe as if it were caused by a known and unaddressed issue. This should be a strong incentive to do your due diligence and make every effort to comply with HIPAA!
Fun fact—Healthcare data breaches affecting 500 or more individuals will be listed on the “HIPAA Wall of Shame” which is the public database (also called the “Breach Portal”) maintained by the HHS. It’s highly public, easy to search, and acts as a deterrent to prevent significant data breaches.
HIPAA Security Safeguards
The HIPAA Security Rule prescribes three categories of safeguards, plus organizational and documentation requirements. The safeguards are designed to protect ePHI and are functionally control lists. Each control (the rule calls them implementation specifications) is either Required or Addressable. Required controls must be implemented by every HIPAA-regulated entity. Addressable does not mean optional: you must assess whether the control is reasonable and appropriate for your environment, and if you decide it isn’t, you must document why and implement an equivalent alternative measure where one makes sense. A full list can be found here: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
Documentation of these safeguards (policies, procedures, risk analyses, and the decisions behind them) must be kept for six years from the date it was created or last in effect, and updated periodically. In the event of a breach, you need to be able to show what policies and procedures were in place and that they were actually being followed.
We’ll take a quick look at the three categories of safeguards now, Administrative, Physical, and Technical, along with a few of their required controls.
Administrative Safeguards
Administrative safeguards cover the information governance needed for HIPAA compliance. PHI must be handled with extreme care at every stage of the process, from creation to disposal, while holding the organization and its employees accountable.
Required Control: Assign a Security Officer
One example of a required control is to appoint a single person as a security officer. They’ll be accountable for developing and implementing policies and procedures that protect ePHI. As such, it is their duty to take ownership of the process and enforce policy updates, ongoing training, and audits.
Required Control: Security and Awareness Training
Another required control is to hold regular security and awareness training in order to keep everybody up to date on security best practices, threat awareness, and HIPAA compliance standards (which do evolve over time). This training is especially important since a large share of HIPAA breaches trace back to human error, such as misdirected emails and successful phishing. That’s why the goal is to arm every employee with the knowledge of how they can prevent unauthorized access or other security incidents.
Physical Safeguards
Physical safeguards help protect your physical infrastructure. This might be servers, workstations, or access to specific medical equipment.
Required Control: Facility Access Controls
To keep these safe, you’ll want to limit access to physical locations through locks, security systems, visitor logs, and badge systems.
When it comes to devices like laptops and mobile phones that might contain ePHI, you need to keep them locked when unattended, track where they are and who has them, and wipe or destroy them securely when they are retired.
You might be wondering how physical safeguards work for your business that uses AWS, GCP, or other cloud providers. To make a long story short, you partially inherit the cloud provider’s security controls under a shared responsibility model: the provider secures the data centers and underlying hardware, while you remain responsible for how you configure and use the services. Two caveats. First, a cloud provider storing ePHI on your behalf is a business associate, so you need a signed BAA with it (the major providers offer one) before ePHI goes there. Second, if you wind up under investigation, the provider’s compliance reports cover only its side; you still need your own documentation of configuration, access control, and encryption.
Required Control: Workstation Security
Keeping workstations secure is critical, even if ePHI is hosted in AWS or GCP. Therefore, you need to set up procedures for locking corporate offices, securing remote workstations, and protecting mobile devices.
Computer screens, for example, should be locked when not in use and auto-lock after inactivity. Screens should also be positioned so they do not face public areas. VPNs and strong authentication should be used for remote access to ePHI.
Technical Safeguards
Technical safeguards are the ways you use technology to protect ePHI. These are focused on electronic systems like adjusting access controls, encrypting ePHI (at rest and in transit), using monitoring tools to detect unauthorized activity, and investing in intrusion detection systems (IDS) to catch suspicious activity in real-time.
Required Control: Unique User Identification
Any employee who has access to ePHI must be assigned a unique user identifier (a name or number) for tracking their identity in every system. No shared or generic logins. By requiring individual logins (ideally with multi-factor authentication or MFA, which HIPAA does not name explicitly but which is the expected practice), you can attribute every action to one person and detect unauthorized use.
Required Control: Audit Controls
As an organization that handles ePHI, you must implement mechanisms to record and examine activity in systems that contain or use ePHI. This allows you to keep track of who is accessing what, identify unauthorized access attempts, and monitor any suspicious activity. Note that HIPAA’s six-year retention period applies to your policies and documentation; the Security Rule does not set an explicit retention period for audit logs themselves. Keeping logs for six years is nonetheless the common practice, so that you can reconstruct access history if OCR investigates, and the logs must be stored securely and protected from tampering.
How to Achieve HIPAA Compliance
To be clear, HIPAA doesn’t have a formal certification process and there is no “HIPAA certified” badge from HHS. Becoming HIPAA compliant is a matter of creating a program that meets all the requirements, prevents compliance slip, and keeps everything documented just in case. In practice the law is enforced mostly reactively, which is to say, in the event of a breach or complaint, although OCR has also run periodic audit programs of covered entities and business associates.
In order to create and implement a program that reaches and maintains HIPAA compliance, you must proactively implement the necessary safeguards. We’ve already covered some of the safeguards above (and will cover more below), so let’s first talk about how to create an overarching program to keep your ePHI secure at all times.
1. Conduct a Gap Assessment
The first step is to complete a comprehensive evaluation of your organization’s current stance against HIPAA’s required controls through a security gap assessment. You’ll have to examine every relevant policy, procedure, safeguard, and safety measure currently in use, including:
PHI handling and storage – how is PHI handled, stored, accessed, shared?
Access controls – which authorized employees have access to PHI?
Data encryption – is your PHI encrypted at rest and in transit?
Incident response plan – is your documented incident response plan up to date?
Employee training and awareness – are all your employees informed enough to prevent breaches?
This will allow you to determine how well you’re holding to HIPAA compliance with your existing program, as well as where the gaps are. Once these gaps are identified, you can proactively work to implement safeguards before they lead to compliance failures, or even a security incident!
Be sure to document all of your policies and procedures throughout your gap assessment. It’s important to be and remain proactive. HIPAA violations come with heavy penalties but if you can prove your proactivity, it can help your case.
2. Build a Program to Meet HIPAA Compliance
It’s time to develop a structured compliance program using HIPAA’s three core safeguard categories: Administrative, Physical, and Technical, as discussed above. Everything must be well-documented. Hopefully, you don’t need to prove it, but the information needs to be available if you wind up under investigation. Don’t take this lightly.
Let’s briefly go over some crucial security measures you can use to close your HIPAA compliance gaps.
1. Risk Assessments
You must conduct regular risk assessments, as a requirement under the HIPAA Security Rule. Risk assessments pertain specifically to ePHI handling: where ePHI lives, what threats and vulnerabilities apply to it, and what security controls you are using to mitigate that risk. Document all of it and keep your documents for at least six years (though hopefully, you’re updating your program more regularly than that).
2. Encryption
ePHI should be encrypted at rest and in transit. Strictly speaking, encryption is an Addressable specification under the Security Rule, but it is hard to justify skipping it, and there is a strong practical incentive: under HHS guidance, ePHI encrypted to recognized standards counts as “secured,” so losing an encrypted laptop or backup (with the key uncompromised) is not a reportable breach. Use TLS for every connection that carries ePHI, full-disk or database-level encryption for storage, encrypted email channels or secure portals rather than plain email, and VPNs for remote access, and keep encryption keys separate from the data they protect.
3. RBAC
Role-based access control (RBAC) grants each user only the permissions that their role requires, which is how the Privacy Rule’s minimum necessary principle gets enforced in software. A doctor should be able to securely access detailed medical diagnoses; a front desk associate should not.
4. Audit Logging
Audit logs allow you to see which individual users are accessing, changing, or sharing PHI, and when. Additional systems like an IDS (intrusion detection system) or SIEM (Security Information & Event Management) can consume those logs to detect and alert on unwanted access, such as a user repeatedly requesting records outside their role.
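The minimum necessary examples in the Privacy Rule section (doctor versus billing versus front desk), the unique user identification and audit controls under Technical Safeguards, and the RBAC and audit logging items here all describe one mechanism. The following is an added example, written for this article and not code from any product or from HHS, showing that mechanism end to end in Python: a role-to-field map enforces minimum necessary access, every request is attributed to a unique user ID, and every attempt (allowed or denied) is appended to a tamper-resistant-by-convention audit log that can be exported as JSON lines for a SIEM. The roles, field names, user IDs, and the patient record are all constructed for the example and are not real data.

```python
"""Minimum-necessary access to a PHI record, with an audit trail.

Each role is granted only the PHI fields it needs. Every access attempt is
appended to an audit log under the requesting user's unique ID, whether it was
allowed or denied, so the log can answer "who read what, and when" and surface
repeated unauthorized attempts for review.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Hypothetical role -> PHI fields that role may read. This mapping is an
# assumption for the example; a real one comes from your own minimum-necessary
# analysis under the Privacy Rule.
ROLE_FIELDS = {
    "physician": {"name", "birth_date", "diagnoses", "test_results"},
    "billing": {"name", "insurance_id", "procedure_codes"},
    "front_desk": {"name", "appointment_time"},
}

# Constructed sample record for the example. Not real patient data.
PATIENT_RECORDS = {
    "pt-0001": {
        "name": "Jane Doe",
        "birth_date": "1980-04-12",
        "insurance_id": "INS-7788",
        "diagnoses": ["J45.20"],
        "test_results": ["HbA1c 5.6%"],
        "procedure_codes": ["99213"],
        "appointment_time": "2024-05-01T09:30",
    },
}

# Unique user ID -> role. One ID per person, never a shared login, so every
# audit entry is attributable to an individual.
USERS = {"u1001": "physician", "u2002": "billing", "u3003": "front_desk"}


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user_id: str
    patient_id: str
    fields: tuple
    purpose: str
    outcome: str  # "ALLOWED" or "DENIED"
    reason: str


class PhiAccessController:
    def __init__(self, users=USERS, records=PATIENT_RECORDS, role_fields=ROLE_FIELDS):
        self.users = users
        self.records = records
        self.role_fields = role_fields
        self.audit_log = []  # append-only; entries are never edited or removed

    def _log(self, **kw):
        self.audit_log.append(
            AuditEntry(timestamp=datetime.now(timezone.utc).isoformat(), **kw)
        )

    def read(self, user_id, patient_id, fields, purpose):
        """Return only the requested fields, and only if the role permits all of them."""
        fields = tuple(fields)
        base = dict(user_id=user_id, patient_id=patient_id, fields=fields, purpose=purpose)
        role = self.users.get(user_id)
        if role is None:
            self._log(outcome="DENIED", reason="unknown user", **base)
            raise PermissionError(f"unknown user {user_id}")
        excess = sorted(set(fields) - self.role_fields.get(role, set()))
        if excess:
            # Fail closed: no partial disclosure when any field exceeds the role.
            self._log(outcome="DENIED", reason=f"role {role} may not read {excess}", **base)
            raise PermissionError(f"{user_id} ({role}) may not read {excess}")
        record = self.records.get(patient_id)
        if record is None:
            self._log(outcome="DENIED", reason="no such patient", **base)
            raise KeyError(patient_id)
        self._log(outcome="ALLOWED", reason="within role", **base)
        return {f: record[f] for f in fields}

    def denied_attempts(self):
        return [e for e in self.audit_log if e.outcome == "DENIED"]

    def repeat_offenders(self, threshold=3):
        """User IDs with at least `threshold` denials: candidates for a SIEM alert."""
        counts = {}
        for e in self.denied_attempts():
            counts[e.user_id] = counts.get(e.user_id, 0) + 1
        return sorted(u for u, n in counts.items() if n >= threshold)

    def export_jsonl(self):
        """One JSON object per line, the shape a SIEM or log pipeline typically ingests."""
        return "\n".join(json.dumps(asdict(e)) for e in self.audit_log)


if __name__ == "__main__":
    ctl = PhiAccessController()
    print(ctl.read("u1001", "pt-0001", ["name", "diagnoses"], "treatment"))
    for _ in range(3):  # a front-desk user repeatedly asking for diagnoses
        try:
            ctl.read("u3003", "pt-0001", ["name", "diagnoses"], "scheduling")
        except PermissionError as exc:
            print("denied:", exc)
    print("review:", ctl.repeat_offenders())
    print(ctl.export_jsonl())
```

Two design points are worth noting. The controller fails closed: if any requested field is outside the role, nothing is returned, so a badly scoped request cannot leak the fields that happened to be permitted. And denials are logged with the same care as successes, because the denied attempts are what an investigator (or your SIEM) uses to spot a user probing beyond their role.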
5. Incident Response Plan
An incident response plan is a detailed document describing exactly what happens in the event of a security incident. This should include who does what, who needs to be informed (affected individuals, HHS, possibly the media), and how the incident will be handled in a timely fashion.
Once every requirement of HIPAA compliance is met, you must remain compliant over time through regular re-evaluations. You must stay proactive through continuous monitoring, updates, and enforcement to keep PHI secure. If you can do this and keep everything well-documented, you can significantly reduce risk and ensure long-term HIPAA compliance.
3. (Optional) Get Assessed by a Third-Party
Getting assessed by a third party isn’t mandatory the way it is in some other frameworks. However, it can be well worth having an experienced third party independently review your program against HIPAA standards. These firms have the expertise to conduct a HIPAA assessment and find potential vulnerabilities or areas you may have overlooked.
Of course, this also helps to reduce the risk of potential incidents. And it helps to boost vendor and partner trust, since an external HIPAA assessment adds credibility to the fact that you are compliant. If you decide to go this route, please make sure you work with a compliance consulting firm or cybersecurity company that knows what they’re doing when it comes to healthcare security audits.
The Role of HIPAA Audits and Enforcement
Unless you’re out of compliance or there’s some kind of security incident, you don’t have to worry about HIPAA audits or enforcement. Again, HIPAA doesn’t mandate routine compliance audits.
However, if you do find yourself dealing with a complaint, getting reported for non-compliance, or having a data breach, the Office for Civil Rights (OCR) will investigate.
The OCR is under the Department of Health and Human Services. It’s their job to conduct an in-depth dive into your risks, controls, potential violations, and documentation. If you’ve been doing your own self assessments and ongoing monitoring (and can prove it through your careful documentation), you’ll be in a much stronger position to demonstrate compliance. This could result in potentially reduced penalties when factored into the whole of the investigation.
Companies pursuing SOC 2 compliance can map their HIPAA controls to SOC 2. But be careful, HIPAA has some specific requirements you will have to include beyond SOC 2’s normal framework! For example, SOC 2 and HIPAA both want you to have a strong incident response policy and security awareness training, but HIPAA requires specific PHI-related protections built into your policy and practices. You can request that your SOC 2 auditor include HIPAA criteria as part of your SOC 2 audit. This can be a strong document to provide to the OCR if they’re investigating you after a breach, as it shows that your organization takes cybersecurity seriously. It isn’t necessary, though, if you already have a strong and well-documented HIPAA program.
HIPAA Compliance and Patient Rights
Patient rights are the heart of HIPAA compliance. If you’re seeking HIPAA compliance, it helps to understand these rights from a patient perspective so you can better pursue compliance.
Like many things “privacy” as opposed to “security” – these come down to legal notification, consent, and process agreements. We will briefly cover them here.
Right to Access Health Information
Patients can request medical records (paper or electronic), billing information, and any other records obtained by a healthcare provider. Providers must respond to record requests within 30 days and may charge a reasonable, cost-based fee for copies.
The fact that patients are able to review their records means they’ll be able to better understand their medical history, seek second opinions, or spot inaccuracies, rather than being left in the dark.
Right to Privacy and Confidentiality
HIPAA helps keep patient info confidential. It can only be disclosed in specific circumstances and as minimally as possible. Without the patient’s explicit authorization, PHI may generally be shared only for treatment, payment, and healthcare operations, plus a limited set of other situations the Privacy Rule spells out (such as disclosures required by law). Patients can also ask that providers restrict how their information is shared.
Right to Request Amendments to Records
Patients, under HIPAA, can request corrections or amendments to their records if they have reason to believe they’re wrong or incomplete. The process to do this is usually to submit a written request to correct errors, which might be as simple as outdated personal information.
Then, providers must respond within 60 days or provide a written explanation of why the amendment was denied. If approved, the provider must identify which record needs updating and then make the necessary changes.
The amendment must be clearly documented and the patient must receive a written confirmation along with a copy of the amended record. In some cases, it may also be necessary to make a reasonable effort to inform additional parties, such as other healthcare providers, insurance companies, or business associates handling PHI. It’s important for providers to have a system in place to make sure requests like these are handled in a timely manner to prevent violations.
Common HIPAA Violations and How to Avoid Them
HIPAA violations are expensive, and the fine is not the only cost. You’ll also possibly have to deal with lawyers, legal fees, settlements, corrective action plans, and the hit to your organization’s reputation.
Again, since there is no audit process, avoiding HIPAA violations is about preventing compliance slip. The trouble that companies have is that they suffer a breach, which is enough of a problem on its own. But then, the government notes that you’ve suffered a breach, and then takes a closer look at your program. This could lead to further violations, negligence, fines, and so on.
So, here are some violations and what you can do to avoid them:
Failure to Conduct Risk Assessments
Risk analysis is the first required HIPAA security safeguard for a reason. You must conduct risk assessments regularly, not as a recommendation, but a requirement. While other safeguards are set up and then maintained, this particular step requires significant proactivity.
To stay on top of your risk assessments, run at least one annually plus whenever you have a notable operational change, such as the adoption of a new platform. As always, keep extensive documentation of every finding and corrective action so you can show you’re keeping compliant.
Remember, HIPAA fines are less severe if you can prove you’ve been diligently following the rules!
Inadequate Security Measures
Now, let’s say your safeguards are simply inadequate, and you’ve left PHI vulnerable to a breach. If you’re not staying on top of your compliance, your security measures will erode over time. For example, you might end up with outdated software, missing encryption, unpatched systems, or weak passwords.
To prevent this, work through the HIPAA Security Rule requirements, which break down into administrative, physical, and technical safeguards (covered in part above). Go through each category and make sure you are encrypting ePHI, regularly patching software, and using methods like multi-factor authentication to prevent unauthorized access.
Delayed Breach Notifications
Covered entities must notify affected individuals without unreasonable delay, and no later than 60 days after discovering a breach (HHS on the same timeline for breaches of 500 or more individuals, otherwise in the annual report). Delaying only leads to greater penalties and further reputational damage.
A clear breach response plan can prevent this from happening, but you need to create one that is effective prior to a breach. It should include everything your teams need to know. Ask, in the event of a breach, who does what, what are the timelines, and what are the notification procedures so we don’t get fined into oblivion?
Best Practices for Maintaining HIPAA Compliance
Compliance is not a one time deal. The key to successful HIPAA compliance is to avoid compliance slip! To do this, you must create systems that allow your organization to maintain compliance and to prevent things like human error as much as possible. This way, your systems do most of the heavy lifting, rather than leaving it to a handful of people.
Here are a few things you can do to stay compliant:
1. Review and Update Security Policies and Procedures at Least Annually
At least every year, you must review your policies and procedures to ensure your organization is still effectively holding to HIPAA standards. As threats change over time, so should your controls and procedures to mitigate risks and prevent breaches. Go through every required or addressable rule in every category to see where you stand. If you have to make changes to your program as your operations change, just be sure to document everything.
2. Train Staff Annually
Employees need to be updated on a regular basis along with any changes to the business, to threats, or to procedures. While it’s good to do this at least annually, it wouldn’t hurt to also hold refresher courses to keep everybody sharp and to make sure they’re doing their part.
You’ll also need to make sure that all incoming employees are up-to-date on policies and procedures. Don’t forget to have each employee in attendance sign to ensure their participation is documented. Likewise, if there is a sudden policy change, make sure to update all employees immediately (with signatures).
3. Conduct Ongoing Risk Assessments Annually
As covered above, risk assessments should be conducted annually. This isn’t just because HIPAA requires them, though! Risk assessments help identify weaknesses in your security posture and drive process improvements.
Also, keep an eye out for any changes in software, technology, vendors, and business operations as they relate to compliance. Create a checklist that covers every possible point of improvement along with action steps to ensure you understand and act on your findings.
4. Conduct an Internal or External Audit Annually
Finally, conduct your HIPAA compliance audit on an annual basis. You can do this internally or you can enlist the services of a firm specializing in HIPAA compliance. Either way, this audit is for identifying potential issues or possible compliance slips so that they don’t become violations.
Focus your internal audit on the key compliance areas we’ve mentioned above, including PHI access logs, encryption standards, and incident response plans. Be sure to test your HIPAA controls to gauge their effectiveness in your program.
Again, if you decide to work with a third party for an external audit, you’ll have the added benefit of an unbiased review from a team that can catch possible oversights. Then, simply use this audit to update your policies so you can stay ahead of compliance risks.
Getting Started with HIPAA Compliance
If this all seems overwhelming, that’s because it is! There are many professionals who spend significant amounts of their full-time jobs working on HIPAA compliance. But HIPAA compliance is achievable, and it is necessary for any covered entity or organization with a signed BAA.
To get started, you should take a list of all of HIPAA’s safeguards, and compare them to your organization’s practices. This will give you a picture of how you compare to the rules. From there, you can work on implementing the required safeguards and practices, one-by-one.
If you want help, Fractional CISO offers professional Healthcare Virtual CISOs to help you through the HIPAA compliance process. We’re experts at helping organizations reach compliance, run risk assessments, create policies and procedures, and more so that you can navigate the process with confidence and get HIPAA compliant.
And I promise, we’re people – not hippos!
We can be your partner and offer expert support so you can confidently meet your compliance standards, reduce risk, and establish long-term trust with your clients. Contact us today, and we’ll gladly discuss how we can help.
FAQ about HIPAA Compliance
How Do I Know if I am HIPAA Compliant? HIPAA is a unique compliance framework in that you don’t get a certificate or pass a formal audit in order to become compliant. It’s purely regulatory. You do have to make sure you’re adhering to all of HIPAA’s rules, and you can check that through regular, ongoing self-assessments and (optionally) third-party reviews.
What Information is Protected Under HIPAA? HIPAA protects all protected health information or PHI. This could include:
Name
Birth date
Social security number
Address
Billing information
Medical records
Health insurance information
Test results
Images
Genetic information
Can a Non-Medical Person Violate HIPAA? Yes, anybody who accesses, uses, or discloses sensitive health information without authorization can violate HIPAA.
What Health Information is not Protected by HIPAA? De-identified information is not protected by HIPAA. This is information that has been scrubbed of identifiers so that it no longer identifies an individual, either by removing the specific list of identifiers named in the Privacy Rule (the “Safe Harbor” method) or by having a qualified expert determine that the risk of re-identification is very small. This is the kind of information used in scientific research, analysis, and public health purposes.
How Do You Prove You Are HIPAA Compliant? You cannot “prove” you’re compliant with HIPAA in the sense of holding a certificate. If you are investigated by the OCR, they will want to see that you took HIPAA seriously and actively managed the relevant risks in your organization. Just having controls in place to match HIPAA’s safeguard list is not enough to be “compliant.” If your controls are half-baked, or you fail to follow through on relevant processes, the OCR could decide that your program is inadequate and levy larger fines against you for it. To prevent this, it’s best to demonstrate continual compliance by maintaining your practices, proactively addressing risk assessment findings, and conducting regular, documented evaluations to ensure your organization is fully committed to meeting the spirit of HIPAA.