HIPAA Compliance

Complying with HIPAA is more complex than ever and threats to healthcare data are growing. Attack both problems with a robust compliance solution.

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that safeguards the security and privacy of sensitive health information. HIPAA applies to: 

  • All individuals, as everyone can or may possess PHI
  • Health plans (a "covered entity")
  • Healthcare clearing houses (a "covered entity")
  • Qualifying healthcare providers (a "covered entity")
  • Business associates providing a service to or on behalf of a covered entity

Created by the Federal Department of Health and Human Services (HHS) in 1996, HIPAA contains the following privacy protection standards, broken down into five general rules:

1. HIPAA Security Rule

The HIPAA Security Rule addresses the administrative, physical, and technical safeguards that covered entities must put in place to secure electronic protected health information (ePHI). These protections help ensure the confidentiality, integrity, and security of electronically stored, transmitted, or received PHI.

The Security Rule essentially helps covered entities implement and enforce the privacy protections enumerated in the HIPAA Privacy Rule, as pertaining to ePHI. Due largely to the HITECH Act, much, if not most, of all patient health information is now in digital form and is therefore subject to the HIPAA Security Rule.

The Importance of Protected Health Information (PHI)

Protected health information (PHI) is data about a patient's:

  • Health
  • Treatment
  • Payment for treatment

Or any information stored within the same dataset as the above which could identify an individual.

The General HIPAA Provisions define PHI as “individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.” As technology continues to expand, the definition of PHI will as well. Compliance with HIPAA laws will depend largely on covered entities’ ability to stay ahead of these changes and correctly identify and secure PHI in all its various forms.

Rights and Responsibilities of Individuals Under HIPAA

Under HIPAA, individuals have the right to:

  • Access their health records
  • Obtain copies of their health records
  • Receive privacy notices
  • Request corrections to their health records
  • File complaints if their health privacy rights are violated
  • Control who can share their health information and under what circumstances

This presupposes individuals’ responsibility to take the appropriate actions to exercise these rights, such as submitting requests for health records, access, and corrections, filing complaints when rights are violated, and communicating with covered entities to express limitations in information sharing when desired.

HITECH Act

Health Information Technology for Economic and Clinical Health Act

Hand-in-hand with HIPAA is the HITECH Act (Health Information Technology for Economic and Clinical Health Act), which passed in 2009 and urges health providers to:

  • Adopt electronic health records (EHR) to improve quality of patient care
  • Adhere to expanded data breach notification requirements
  • Secure ePHI data using appropriate privacy protections

Both HIPAA and HITECH address ePHI security, but measures within HITECH support the enforcement of HIPAA through the Breach Notification Rule and the HIPAA Enforcement Rule.

HIPAA Compliance for Organizations

Organizations that fail to comply with HIPAA regulations can see substantial fines levied against them, even if no actual PHI breach occurs. In addition, criminal charges and even civil action lawsuits can be filed following a breach. In 2023 alone, the U.S. Department of Health and Human Services (HHS) issued over $4 million in HIPAA-related fines for infractions affecting 109 million patients.

Ignorance of HIPAA compliance requirements is not a valid defense against HIPAA violations. Under the HIPAA security laws and regulations that apply to professionals, the Office for Civil Rights (OCR) within HHS is responsible for enforcing the Privacy and Security Rules, establishing compliance requirements, and levying civil monetary penalties. It should be noted that the OCR issues fines whether a HIPAA violation is inadvertent or the result of willful neglect.

To avoid an OCR investigation, audit, or fine, it is advisable to ensure your administrative policies, physical security measures, and technical solutions remain in place and HIPAA-compliant.

Responsibilities of Covered Entities

Under HIPAA, covered entities have the responsibility to:

  • Provide individuals with the rights outlined above
  • Comply with HIPAA policies that protect the privacy and security of patient health data

Responsibilities include:

Privacy responsibilities

  • Obtaining written consent from patients for the use of their PHI beyond treatment, research, legal, and payment purposes
  • Responding to patient medical record access requests within 30 days
  • Providing patients with a Notice of Privacy Practices (NPP)

Security responsibilities

  • Developing and implementing security policies
  • Securing against threats to ePHI
  • Preventing unauthorized uses or disclosures of ePHI
  • Ensuring employee compliance with the above security policies and procedures

And more, including:

  • Having an incident response plan in place
  • Documenting HIPAA policies, practices, and configuration settings
  • Implementing a risk management program
  • Authenticating entities with whom the covered entity or business associate communicates
  • Encrypting information traveling over open networks

Steps to Ensure HIPAA Compliance

As many organizations find that they are either covered entities or business associates subject to HIPAA law, the question of how to become HIPAA compliant is top of mind. “Unexpected covered entities” can include organizations in fields from marketing to finance, and all are expected to comply (see FAQs for more).

Perform a Risk Assessment

Covered entities have been fined for failing to implement regular risk assessments as part of their ongoing HIPAA-compliant strategies. Identify and prioritize potential security threats to PHI and ePHI, and factor in elements like human error, natural disasters, and technical shortcomings.

Establish HIPAA Compliance Controls

Implement PHI safeguards in the following three areas:

  • Administrative: Train employees to properly access and handle PHI. Includes role-based access, the principle of least privilege, PHI and ePHI storage and transmission best practices, security awareness training, integrity and audit controls, and more.
  • Physical: Physically protect areas containing PHI and ePHI, such as server rooms, file cabinets, and workstations. Implement mandatory log-out or lock screen policies when employees are away from their desks, require ID badges to access sensitive health information, and lock paper files containing patient health data.
  • Technical: These safeguards center around ensuring the security of electronic PHI (ePHI) by employing cybersecurity-oriented HIPAA compliance solutions like secure file transfer (SFT), data encryption, data loss protection (DLP), data classification, and more.

Assign a HIPAA Compliance Officer

Establish a HIPAA point person and a chain of command leading up to them. This team will be responsible for heading and keeping track of HIPAA-related efforts, involving all stakeholders, overseeing the creation of HIPAA privacy and security practices, implementing employee HIPAA compliance training, and creating a breach plan that includes HIPAA-mandated notification, reporting, and mitigation.

Create a Breach Notification Process

Put a plan in place to facilitate mandatory breach reporting within 60 days of a discovered breach. This must include notifying the Office for Civil Rights (OCR) and all affected parties. Include the media when the breach affects more than 500 individuals in a particular jurisdiction, and all notifications must be accomplished “without unreasonable delay.”

Document all HIPAA-Related Policies and Procedures

HIPAA standards require accurate documentation of all HIPAA-related policies and procedures. In the event of an OCR audit, these records will prove an organization’s HIPAA compliance — or failure to comply. Documentation includes:

  • HIPAA privacy policies
  • HIPAA security controls
  • HIPAA remediation plans
  • Internal audit reports
  • Certificates of employee training
  • Risk assessments

And more.

Consequences and Penalties of HIPAA Noncompliance

How Do You Violate HIPAA?

HIPAA violations occur when the HIPAA Administrative Simplification Regulations have been breached.

The HIPAA Administrative Simplification Regulations are “what most people consider to be HIPAA because they contain the General Provisions and the Enforcement Rule (Part 160), the Standards for Electronic Transactions and Data Elements (Part 162), and the Privacy, Security, and Breach Notification Rules (Part 164).” However, they were not published with HIPAA in 1996, but rather several years later. For all intents and purposes, the Administrative Simplification Regulations are the regulatory portion of the HIPAA Act, comprising all the standards and legal requirements outlined in the HIPAA Rules.

HIPAA Civil Violation Penalty Structure

HIPAA civil violations are handled by the Office for Civil Rights and classified by severity. The following four categories are used by the OCR to determine the severity and financial penalty of each violation. 

HIPAA Tier 1 Violation

The covered entity was unaware of the violation and could not have prevented it using reasonable measures even if it had been aware.

Tier 1 Fines: Between $100 and $50,000 per violation.

HIPAA Tier 2 Violation

The covered entity should have been aware of the violation yet still would not have been able to prevent it using a reasonable amount of care.

Tier 2 Fines: Between $1,000 and $50,000 per violation.

HIPAA Tier 3 Violation

The covered entity is guilty of “willful neglect” in the implementation of HIPAA rules but has since tried to correct the violation.

Tier 3 Fines: Between $10,000 and $50,000 per violation.

HIPAA Tier 4 Violation

The covered entity is guilty of “willful neglect” in the implementation of HIPAA rules and has not tried to correct the violation within 30 days.

Tier 4 Fines: A $50,000 minimum per violation.

HIPAA Criminal Violations

The U.S. Department of Justice (DOJ) handles criminal violations of HIPAA requirements. Those subject to these punishments and their penalties include:

Covered entities that “knowingly” obtain or disclose PHI in violation of HIPAA Administrative Simplification Regulations

  • Up to $50,000 in fines and 1 year imprisonment

Covered entities that “knowingly” commit HIPAA violations under false pretenses

  • Up to $100,000 in fines and 5 years imprisonment

Covered entities that “knowingly” commit HIPAA violations with the intent to sell, use, or transfer PHI for personal gain, malicious harm, or commercial advantage

  • Up to $250,000 in fines and 10 years imprisonment

Very specific guidelines around how health data is stored and shared by hospitals, clinics, insurers, research facilities, pharmacies, and public health organizations are necessary to ensure patient privacy. Breaching the trust of individuals who’ve entrusted their data comes with consequences.

HIPAA Compliance FAQs

HIPAA only applies to the following entities:

  • health plans,
  • healthcare clearing houses,
  • healthcare providers,

that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. This means that not all healthcare providers are subject to HIPAA, although all are still subject to state regulations. Those not subject to HIPAA would be entities not conducting electronic transactions of PHI or ePHI.

However, those that conduct electronic transactions are the vast majority, and are referred to in HIPAA as covered entities and business associates.

A covered entity is any health care provider, health plan, or health care clearinghouse that, as part of its day-to-day business, creates, maintains, or transmits PHI. There are a few exceptions, including:

  • Most health care providers employed by a hospital, as the hospital itself is the covered entity and therefore the party responsible for implementing and enforcing HIPAA compliant policies
  • Employers, even though they may maintain some healthcare data on employees. They are exempt unless they provide self-insured health coverage or benefits such as an employee assistance program (EAP). This would be considered a “hybrid” entity situation and still may be subject to HIPAA breach consequences for any unauthorized disclosure of PHI.

A business associate is defined as any person or business that provides a service to, or performs a function or activity for, a covered entity when that action involves accessing PHI maintained by the covered entity. Accountants, IT contractors, lawyers, billing companies, cloud storage services, and email encryption services are all examples of business associates.

To be in HIPAA compliance, business associates must sign a business associate agreement with the covered entity before gaining access to PHI which details what PHI they can access, how they plan to use it, and that the PHI will be returned or destroyed once the need for it or task is completed. The business associate is under the same HIPAA compliance obligations as the covered entity while they are in possession of the PHI.

An unexpected covered entity under HIPAA includes organizations and individuals that might not typically be considered covered entities, but deal with PHI in a way that makes them subject to HIPAA regulations nonetheless.

These unexpected covered entities include:

  • Technology companies developing health apps, and their associated developers, data analysts, and even vendors
  • A non-health-related organization (like the owners of a fitness tracking app) that handles PHI in any capacity (e.g., tracking heart rate during sleep and exercise)
  • Marketing firms with access to PHI to be used in a targeted advertising campaign
  • Cloud storage providers storing ePHI on their cloud platform
  • Financial institutions, like banks, that perform services such as data analysis, invoicing, or healthcare lending for healthcare clients

State, county, or local governments that perform functions requiring the handling of electronic PHI are subject to the HIPAA Privacy Rule. Examples include:

  • County health departments that operate health clinics must maintain HIPAA compliance
  • A state Medicaid program acts as a health plan and, therefore, qualifies under HIPAA
  • A local city that offers ambulance services, a hospital, or contracts with outside entities that offer such services is subject to HIPAA regulations

HIPAA Security Rule Checklists

The HIPAA Security Rule is a set of national standards requiring appropriate:

  • administrative safeguards,
  • physical safeguards, and
  • technical safeguards

to ensure the confidentiality, integrity, and availability of electronic PHI that is created, maintained, received, or used by a covered entity. The Security Rule is a subset of the Privacy Rule, applying only to electronic health information, and explains how to protect digital patient data as covered under the Privacy Rule. Its intent is to provide the necessary technical, physical, and administrative specifications to comply with HIPAA privacy law protecting digital health data. 

Fortra helps covered entities and business associates comply with the Security Rule by providing the technical security solutions necessary to protect electronically stored, transmitted, and generated health information under HIPAA law. These include the solutions described below, and more.

There are three categories of safeguards to help ensure the HIPAA Security Rule is adhered to by covered entities and business associates — administrative, physical, and technical.

Administrative Safeguards to Meet HIPAA Security Rule Requirements

Per the HIPAA Security Rule, covered entities must enforce:

Identify and analyze risks

Identify and analyze possible risks to ePHI and place appropriate and reasonable security measures to reduce them.

Designate a Privacy Official

Designate someone to be responsible for developing and implementing security policies and procedures.

Manage information access

Manage information access per HIPAA Privacy and Security Rules. The Privacy Rule limits the use and disclosure of ePHI to the "minimum necessary." The Security Rule requires role-based access policies and procedures to authorize access to ePHI.

Train your workforce

Train your workforce on ePHI policies and procedures and apply appropriate management policies to ensure those policies and procedures are followed. All workforce members must be trained regarding a covered entity’s security policies and procedures with appropriate sanctions for violations of them.

Evaluate policies and procedures

Periodically, current policies and procedures should be evaluated to see how well they meet the established HIPAA requirements.

Physical Safeguards for HIPAA Security Rule Compliance

Per the HIPAA Security Rule, covered entities must implement:

Limit physical access

Limit physical access to and control of facilities while still allowing authorized access.

Secure workstations and devices

Policies and procedures should specify proper, secure use of and access to workstations and electronic media. To protect ePHI, they should also include provisions for the safe transfer, removal, disposal, and re-use of electronic media.

Technical Safeguards for HIPAA Security Rule Compliance

Per the HIPAA Security Rule, covered entities must:

Control access to ePHI

Control access by implementing policies and procedures that allow only authorized persons to access ePHI.

Audit controls around ePHI

Implement audit controls by putting hardware, software, and/or procedural mechanisms in place to record and examine all access and activity surrounding ePHI.

Ensure the integrity of ePHI

Implement policies and procedures to ensure that protected health information is not improperly altered or destroyed. Electronic measures must be put in place to confirm the integrity of ePHI.

Secure the transmission of ePHI

Implement technical security measures to guard against unauthorized access when ePHI data is being transmitted over an electronic network.

HIPAA Security Solutions from Fortra

Covered entities and business associates meet their HIPAA Security Rule obligations through proven, robust technical solutions, regardless of infrastructure, end to end. Putting robust technical safeguards in place is not only necessary under HIPAA, but doing so makes HIPAA compliance easier. This is especially true when data security solutions are coupled with automation. Such a pairing reduces the risks of human error and lowers the compliance burden on a covered entity’s IT staff.

Fortra’s security solutions enable covered entities and business associates to not only safeguard healthcare information, but do so in a way that meets critical HIPAA compliance requirements and keeps them out of today’s breach headlines. Fortra’s arsenal of compliance-ready solutions can help your healthcare organization increase efficiency and productivity, seamlessly integrate automation into your critical business processes, and achieve HIPAA compliance with minimal impact on your internal resources and workflow.

Fortra’s HIPAA compliance solutions include:

Data Loss Protection (DLP)

Detect, inspect, and secure your critical healthcare data across email, web, and the cloud with Fortra’s DLP solutions. Endpoint protection ensures that data flagged for HIPAA protection is secured throughout its entire lifecycle. Adaptive redaction allows for content that would constitute a HIPAA breach to be dynamically modified (redacted or sanitized), allowing the rest of the communication to be delivered unhindered. This ensures both secure and continuous collaboration.

Secure Managed File Transfer (MFT)

Invest in a multi-layered HIPAA-compliant defense structure that includes award-winning managed file transfer. Fortra’s MFT solutions help secure and automate the exchange of ePHI, protecting healthcare information, encrypting data at rest and in motion, and providing the comprehensive audit and reporting logs required for HIPAA compliance.

Fortra surrounds sensitive healthcare data at all points in time, wherever it resides. Covered entities can streamline and secure the exchange of data between systems, business associates, employees, patients, insurers, and other authorized recipients for secure collaboration, automation of vital business processes, and complete information control.

Data Classification

The foundation of a solid data security strategy begins with data classification. Fortra's data classification solutions support HIPAA compliance by allowing users to identify valuable data with classification labels or tags. This enables critical decisions to be made regarding how healthcare data is stored and transmitted. It’s important to note that an organization’s investment in, and application of, such a classification system may in itself constitute a “reasonable measures” defense, should there be a HIPAA breach charge and subsequent OCR audit.

Secure Collaboration

Fortra’s secure collaboration solutions allow healthcare entities to share their files securely by ensuring that the security policy sticks to the data, wherever it goes. When patient data must be shared externally, a covered entity can share it with the confidence that it can only be accessed by the authorized users they choose, even after it’s opened.

IBM i Security and Compliance Solutions

If your healthcare organization has IBM i systems in your environment, Fortra’s Powertech solutions can help you meet the technical safeguard requirements of HIPAA’s Security Rule by acting as an automatic security control to harden your system security and provide visibility to your database access.

Fortra’s automated, simplified security solutions can help healthcare entities more easily meet auditor demands and protect healthcare data as they strive to meet the rigorous requirements of HIPAA’s Security Rule.

Offensive Security

Offensive security solutions from Fortra are ideal for conducting risk analysis, a critical piece of HIPAA compliance. Vulnerability management and penetration testing solutions assess risk by uncovering, identifying, and prioritizing vulnerabilities that could be exploited by attackers. Additionally, these tools possess robust reporting capabilities that provide auditors with thorough documentation of all activities and prove that a HIPAA-required risk analysis has been effectively completed.

Integrity Management

Fortra’s integrity management solution minimizes the time spent fighting fires caused by poor network security practices and enhances data security for electronic protected health information (ePHI).

Managed Security Services

Fortra’s portfolio of managed security services provides continuous monitoring across your environment. Our security experts help you assess, detect, and block threats that could result in the loss of ePHI and subsequent HIPAA violations.

Learn More About How Fortra Can Help with HIPAA Security Rule Compliance

Fortra is the single provider you need to feel confident in your ability to implement the technical safeguards central to HIPAA Security Rule compliance.
