What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that safeguards the security and privacy of sensitive health information. HIPAA applies to:
- All individuals, since anyone may possess PHI
- Health plans (a "covered entity")
- Healthcare clearing houses (a "covered entity")
- Qualifying healthcare providers (a "covered entity")
- Business associates providing a service to or on behalf of a covered entity
Created by the Federal Department of Health and Human Services (HHS) in 1996, HIPAA contains the following privacy protection standards, broken down into five general rules:
1. HIPAA Security Rule
The HIPAA Security Rule addresses the administrative, physical, and technical safeguards that covered entities must put in place to secure electronic protected health information (ePHI). These protections help ensure the confidentiality, integrity, and security of electronically stored, transmitted, or received PHI.
The Security Rule essentially helps covered entities implement and enforce the privacy protections enumerated in the HIPAA Privacy Rule, as pertaining to ePHI. Due largely to the HITECH Act, much, if not most, of all patient health information is now in digital form and is therefore subject to the HIPAA Security Rule.
2. HIPAA Privacy Rule
The HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information, specifically protected health information (PHI), electronic protected health information (ePHI), and personally identifiable information (PII) when it is considered PHI.
The HIPAA Privacy Rule gives patients the right to:
- Request corrections to their data
- Access their medical records
- Limit how their healthcare data can be shared by covered entities without their authorization
- Ensure that only authorized parties can access PHI
- Secure the appropriate use and disclosure of their health information
3. HIPAA Breach Notification Rule
HIPAA’s Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI. Specifically, covered entities must notify:
- Affected individuals
- The Secretary of Health and Human Services
- In certain circumstances, the media
Business associates must notify covered entities if the breach occurred within their jurisdiction. Notification must be provided to affected individuals no more than 60 days after the breach and must include:
- A brief description of the breach
- What type of information was involved
- How individuals should protect themselves from potential harm resulting from the breach
- How the covered entity is handling the breach and preventing future breaches
- Contact information for the covered entity
The 60-day notification limit remains the same across all other cases (i.e., when notifying the Secretary or media, and when a business associate must notify a covered entity).
4. HIPAA Enforcement Rule
The HIPAA Enforcement Rule outlines provisions pursuant to:
- HIPAA compliance
- HIPAA investigations
- Procedures for hearings
- Civil monetary penalties (CMPs) for HIPAA violations
5. HIPAA Omnibus Rule
HIPAA’s Omnibus Rule is a set of legal requirements aimed at increasing the level of security and privacy of health information shared between healthcare providers by extending HIPAA protections up to 50 years following the death of an individual. It also was the Rule that expanded the definition of “business associate” to include “all entities that create, receive, maintain, or transmit PHI on behalf of a covered entity, making clear that companies that store PHI on behalf of health care providers and health plans are business associates.”
The Omnibus Rule was enacted by the OCR in 2013 to strengthen the protections established under the HITECH Act.
The Importance of Protected Health Information (PHI)
Protected health information (PHI) is data about a patient's:
Or any information stored within the same dataset as the above which could identify an individual.
The General HIPAA Provisions define PHI as “individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.” As technology continues to expand, the definition of PHI will as well. Compliance with HIPAA laws will depend largely on covered entities’ ability to stay ahead of these changes and correctly identify and secure PHI in all its various forms.
Rights and Responsibilities of Individuals Under HIPAA
Under HIPAA, individuals have the right to:
- Access their health records
- Obtain copies of their health records
- Receive privacy notices
- Request corrections to their health records
- File complaints if their health privacy rights are violated
- Control who can share their health information and under what circumstances
This presupposes individuals’ responsibility to take the appropriate actions to exercise these rights, such as submitting requests for health records, access, and corrections, filing complaints when rights are violated, and communicating with covered entities to express limitations in information sharing when desired.
HITECH Act
Health Information Technology for Economic and Clinical Health Act
Hand-in-hand with HIPAA is the HITECH Act (Health Information Technology for Economic and Clinical Health Act), which passed in 2009 and urges health providers to:
- Adopt electronic health records (EHR) to improve quality of patient care
- Adhere to expanded data breach notification requirements
- Secure ePHI data using appropriate privacy protections
Both HIPAA and HITECH address ePHI security, but measures within HITECH support the enforcement of HIPAA through the Breach Notification Rule and the HIPAA Enforcement Rule.
HIPAA Compliance for Organizations
Organizations that fail to comply with HIPAA regulations can see substantial fines levied against them, even if no actual PHI breach occurs. In addition, criminal charges and even civil action lawsuits can be filed following a breach. In 2023 alone, the U.S. Department of Health and Human Services (HHS) issued over $4 million in HIPAA-related fines for infractions affecting 109 million patients.
Ignorance of HIPAA compliance requirements is not a valid defense against HIPAA violations. According to HIPAA security laws and regulations for professionals, the Office for Civil Rights (OCR) within the HHS is responsible for enforcing the Privacy and Security Rules, establishing compliance requirements, and levying civil monetary penalties. It should be noted that the OCR issues fines whether a HIPAA violation is inadvertent or the result of willful neglect.
To avoid an OCR investigation, audit, or fine, it is advisable to ensure your administrative policies, physical security measures, and technical solutions remain in place and HIPAA-compliant.
Responsibilities of Covered Entities
Under HIPAA, covered entities have the responsibility to:
- Provide individuals with the rights outlined above
- Comply with HIPAA policies that protect the privacy and security of patient health data
Responsibilities include:
- Privacy responsibilities
- Security responsibilities
And more, including:
Steps to Ensure HIPAA Compliance
As many organizations find that they are either covered entities or business associates subject to HIPAA law, the question of how to become HIPAA compliant is top of mind. “Unexpected covered entities” can include organizations in fields from marketing to finance, and all are expected to comply (see FAQs for more).
Perform a Risk Assessment
Covered entities have been fined for failing to implement regular risk assessments as part of their ongoing HIPAA-compliant strategies. Identify and prioritize potential security threats to PHI and ePHI, and factor in elements like human error, natural disasters, and technical shortcomings.
Establish HIPAA Compliance Controls
Implement PHI safeguards in the following three areas:
- Administrative: Train employees to properly access and handle PHI. Includes role-based access, the principle of least privilege, PHI and ePHI storage and transmission best practices, security awareness training, integrity and audit controls, and more.
- Physical: Physically protect areas containing PHI and ePHI, such as server rooms, file cabinets, and workstations. Implement mandatory log-out or lock screen policies when employees are away from their desks, require ID badges to access sensitive health information, and lock paper files containing patient health data.
- Technical: These safeguards center around ensuring the security of electronic PHI (ePHI) by employing cybersecurity-oriented HIPAA compliance solutions like secure file transfer (SFT), data encryption, data loss protection (DLP), data classification, and more.
Assign a HIPAA Compliance Officer
Establish a HIPAA point person and a chain of command leading up to them. This team will be responsible for heading and keeping track of HIPAA-related efforts, involving all stakeholders, overseeing the creation of HIPAA privacy and security practices, implementing employee HIPAA compliance training, and creating a breach plan that includes HIPAA-mandated notification, reporting, and mitigation.
Create a Breach Notification Process
Put a plan in place to facilitate mandatory breach reporting within 60 days of a discovered breach. This must include notifying the Office for Civil Rights (OCR) and all affected parties. Include the media when the breach affects more than 500 individuals in a particular jurisdiction, and all notifications must be accomplished “without unreasonable delay.”
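As an added illustration (not part of the original page and not Fortra's code), the following Python encodes the notification obligations described above: the 60-day deadline counted from discovery, who must be notified, the media threshold of more than 500 individuals in a jurisdiction, and the five required contents of an individual notice. The jurisdiction names and counts are constructed sample data, and the label "Secretary of HHS (OCR)" is an assumption tying the page's two phrasings together.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFICATION_WINDOW_DAYS = 60  # page: notify no more than 60 days after the breach
MEDIA_THRESHOLD = 500          # page: notify the media when >500 individuals in a jurisdiction

# The five elements an individual notice must contain (Breach Notification Rule section).
REQUIRED_NOTICE_ELEMENTS = (
    "description_of_breach",
    "information_types_involved",
    "steps_individuals_should_take",
    "entity_response_and_prevention",
    "entity_contact_information",
)


@dataclass
class Breach:
    discovered_on: date
    affected_by_jurisdiction: dict          # e.g. {"State A": 620, "State B": 40} (constructed)
    reported_by_business_associate: bool = False


def notification_deadline(breach: Breach) -> date:
    """Last day on which all required notifications must be complete."""
    return breach.discovered_on + timedelta(days=NOTIFICATION_WINDOW_DAYS)


def is_overdue(breach: Breach, today: date) -> bool:
    return today > notification_deadline(breach)


def required_recipients(breach: Breach) -> list:
    """Who must be notified, in the order the plan should work through them."""
    recipients = ["affected individuals", "Secretary of HHS (OCR)"]
    if breach.reported_by_business_associate:
        # A business associate must also notify the covered entity it serves.
        recipients.insert(0, "covered entity")
    for jurisdiction, count in breach.affected_by_jurisdiction.items():
        if count > MEDIA_THRESHOLD:
            recipients.append(f"media in {jurisdiction}")
    return recipients


def missing_notice_elements(draft_notice: dict) -> list:
    """Required elements that a draft individual notice lacks or leaves empty."""
    return [e for e in REQUIRED_NOTICE_ELEMENTS if not draft_notice.get(e)]


if __name__ == "__main__":
    sample = Breach(date(2024, 1, 10), {"State A": 620, "State B": 40})
    print(notification_deadline(sample), required_recipients(sample))
```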
Document all HIPAA-Related Policies and Procedures
HIPAA standards require accurate documentation of all HIPAA-related policies and procedures. In the event of an OCR audit, these records will prove an organization’s HIPAA compliance — or failure to comply. Documentation includes:
- HIPAA privacy policies
- HIPAA security controls
- HIPAA remediation plans
- Internal audit reports
- Certificates of employee training
- Risk assessments
And more.
Consequences and Penalties of HIPAA Noncompliance
How Do You Violate HIPAA?
HIPAA violations occur when the HIPAA Administrative Simplification Regulations have been breached.
The HIPAA Administrative Simplification Regulations are “what most people consider to be HIPAA because they contain the General Provisions and the Enforcement Rule (Part 160), the Standards for Electronic Transactions and Data Elements (Part 162), and the Privacy, Security, and Breach Notification Rules (Part 164)." However, they were not published with HIPAA in 1996, but rather several years later. For all intents and purposes, the Administrative Simplification Regulations are the regulatory portion of the HIPAA Act, comprising all the standards and legal requirements outlined in the HIPAA Rules.
HIPAA Civil Violation Penalty Structure
HIPAA civil violations are handled by the Office for Civil Rights and classified by severity. The following four categories are used by the OCR to determine the severity and financial penalty of each violation.
HIPAA Tier 1 Violation
HIPAA Tier 2 Violation
HIPAA Tier 3 Violation
HIPAA Tier 4 Violation
HIPAA Criminal Violations
The U.S. Department of Justice (DOJ) handles criminal violations of HIPAA requirements. Those subject to these punishments and their penalties include:
- Covered entities that “knowingly” obtain or disclose PHI in violation of HIPAA Administrative Simplification Regulations: up to $50,000 in fines and 1 year imprisonment
- Covered entities that “knowingly” commit HIPAA violations under false pretenses: up to $100,000 in fines and 5 years imprisonment
- Covered entities that “knowingly” commit HIPAA violations with the intent to sell, use, or transfer PHI for personal gain, malicious harm, or commercial advantage: up to $250,000 in fines and 10 years imprisonment
Very specific guidelines around how health data is stored and shared by hospitals, clinics, insurers, research facilities, pharmacies, and public health organizations are necessary to ensure patient privacy. Breaching the trust of individuals who’ve entrusted their data comes with consequences.
HIPAA Security Rule Checklists
The HIPAA Security Rule is a set of national standards requiring appropriate:
- administrative safeguards,
- physical safeguards, and
- technical safeguards
to ensure the confidentiality, integrity, and availability of electronic PHI that is created, maintained, received, or used by a covered entity. The Security Rule is a subset of the Privacy Rule, applying only to electronic health information, and explains how to protect digital patient data as covered under the Privacy Rule. Its intent is to provide the necessary technical, physical, and administrative specifications to comply with HIPAA privacy law protecting digital health data.
Fortra helps covered entities and business associates comply with the Security Rule by providing the technical security solutions necessary to protect electronically stored, transmitted, and generated health information under HIPAA law. These include solutions for:
And more.
There are three categories of safeguards to help ensure the HIPAA Security Rule is adhered to by covered entities and business associates — administrative, physical, and technical.
Administrative Safeguards to Meet HIPAA Security Rule Requirements
Per the HIPAA Security Rule, covered entities must:
- Identify and analyze risks
- Designate a Privacy Official
- Manage information access
- Train their workforce
- Evaluate policies and procedures
Physical Safeguards for HIPAA Security Rule Compliance
Per the HIPAA Security Rule, covered entities must:
- Limit physical access
- Secure workstations and devices
Technical Safeguards for HIPAA Security Rule Compliance
Per the HIPAA Security Rule, covered entities must:
- Control access to ePHI
- Implement audit controls around ePHI
- Ensure the integrity of ePHI
- Secure the transmission of ePHI
HIPAA Security Solutions from Fortra
Covered entities and business associates meet their HIPAA Security Rule obligations through proven, robust technical solutions, regardless of infrastructure, end to end. Putting robust technical safeguards in place is not only necessary under HIPAA, but doing so makes HIPAA compliance easier. This is especially true when data security solutions are coupled with automation. Such a pairing reduces the risks of human error and lowers the compliance burden on a covered entity’s IT staff.
Fortra’s security solutions enable covered entities and business associates to not only safeguard healthcare information, but do so in a way that meets critical HIPAA compliance requirements and keeps them out of today’s breach headlines. Fortra’s arsenal of compliance-ready solutions can help your healthcare organization increase efficiency and productivity, seamlessly integrate automation into your critical business processes, and achieve HIPAA compliance with minimal impact on your internal resources and workflow.
Fortra’s HIPAA compliance solutions include:
- Data Loss Protection (DLP)
- Secure Managed File Transfer (MFT)
- Data Classification
- Secure Collaboration
- IBM i Security and Compliance Solutions
- Offensive Security
- Integrity Management
- Managed Security Services
Learn More About How Fortra Can Help with HIPAA Security Rule Compliance
Fortra is the single provider you need to feel confident in your ability to implement the technical safeguards central to HIPAA Security Rule compliance.