The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the federal law that created national standards for protecting sensitive patient health information from being disclosed without the patient’s knowledge or consent. Read more about this US regulation and find out how to comply.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was primarily about solving insurance coverage for individuals that are between jobs. Without this law, employees would have faced the risk of losing their insurance coverage for the period between jobs.

Another goal was to ensure that all data is properly secured and no unauthorized individuals can access healthcare data.

HIPAA applies in the United States and is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR). 

HIPAA compliance

Purpose of HIPAA

The HIPAA was created in order to modernize the flow of healthcare information and to make sure that Personally Identifiable Information gathered in healthcare and insurance companies are protected against fraud and theft, and cannot be disclosed without consent.

Patients' healthcare information is treated more sensitively and can be quickly accessed by various healthcare providers. HIPAA regulations require that records are better secured and protected against leakage. HIPAA Journal ,a great source for HIPAA regulations and compliance info, has a comprehensive checklist for companies during their journey for compliance. 

What is Protected Health Information?

Any company or individual that works with Protected Health Information (PHI) needs to be compliant with HIPAA. PHI is created when any health data is combined with personally identifiable information, such as the following:

  • Names
  • Geographical identifiers
  • Phone and fax numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Vehicle information
  • Website URLs
  • Fingerprints, retinal and voice prints
  • Social security numbers
  • Health insurance beneficiary numbers
  • Certificate and license numbers
  • Device information, IP addresses
  • Full face photographs

      When PHI is stored electronically, it’s called ePHI.

      HIPAA privacy rule

      The Scope of HIPAA

      There are several entities that regularly work with Protected Health Information and therefore must follow The Health Insurance Portability and Accountability Act:

      • Healthcare providers
      • Health plans
      • Healthcare clearinghouses
      • Business associates

        HIPAA Rules

        HIPAA consists of the following rules:

        • Privacy Rule
        • Security Rule
        • Breach Notification Rule
        • Omnibus Rule
        • Enforcement Rule


        HIPAA Privacy Rule

        The Privacy Rule defines how, when and under what circumstances PHI can be used and disclosed. Without a patient’s prior consent, the use of information about the patient is limited. Patients and their representatives are allowed to obtain a copy of their health records and request corrections in case of errors.

        HIPAA Security Rule

        The Security Rule sets standards to protect ePHI. The Security Rule must be followed by anyone who works with ePHI. Security Officers and Privacy Officers must perform risk assessments and audits to identify any threats to PHI integrity.

        Breach Notification Rule

        The Department of Health and Human Services must be notified in case of a data breach, as must the affected individuals. If more than five hundred patients in a particular jurisdiction are affected, a press release must be issued in a news outlet covering the area.

        Omnibus Rule

        The Omnibus Rule is a part of the HITECH Act (Health Information Technology for Economic and Clinical Health Act) that came into force in 2009 and was created to encourage the use of electronic health records by healthcare providers.

        The Omnibus Rule prohibits the use of PHI for marketing or fundraising purposes without authorization.

        Enforcement Rule

        The Enforcement Rule is about determining the appropriate fine when a breach occurs. A fine can be lower in case of negligence, however if the violation happens due to willful neglect it can be much higher. 

          The Rights of Individuals

          Within the HIPAA Privacy Rule, individuals have the legal right to see and receive copies of medical information. 

          Individuals have the right to: 

          • Access PHI
          • Amend PHI
          • Request restriction on who uses PHI and how it is disclosed
          • Request confidential communications
          • Request accounting of disclosures
          • File a complaint

          Even though patients have the right to access their records, some types of information are excluded from the Right to Access. The following information is excluded:

          Excluded information is the following: 

          • Quality assessment or improvement records
          • Safety activity records
          • Business and management records
          • Psychotherapy notes
          • Information compiled for use in civil, criminal, or administrative action or proceedings

            HIPAA Violations

            A HIPAA violation occurs when a HIPAA entity or a business associate fails to comply with any of the HIPAA Rules. Penalties for HIPAA violations are issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. HIPAA uses four categories of penalties:

            • Tier 1: Lack of Knowledge

            The entity was not aware of the violation; therefore, it could not have been avoided. The penalty per such violation is $120—$30,113.

            • Tier 2: Reasonable Cause

            The entity should have been aware of the violation, however, could not have avoided it. The penalty per such violation is $1,205—$60,226.

            • Tier 3: Willful Neglect

            The entity willfully neglected HIPAA Rules, but tried to correct the violation. The penalty per such violation is $12,045—$60,226.

            • Tier 4: Willful Neglect and not corrected

            The entity willfully neglected HIPAA Rules and didn’t make any attempt to correct the violation. The penalty per such violation is $60,226—$1,806,757.

            The Most Common HIPAA Risks


            verified_user 

            Keeping unsecured records

            Employees leave sensitive documents at their desks or don’t use passwords to access digital data. Make sure that the workspace is secured, and passwords are used at your company.

            no_encryption 

            Unencrypted data

            Encryption of your data is not mandatory by HIPAA, but it is highly recommended. Even if data is leaked, when it is encrypted it can’t be accessed without authorization.

            phishing 

            Hacking or phishing campaigns

            Keep your anti-virus software up to date, regularly change passwords and use a DLP solution to protect your data against leakage.

            laptop_mac 

            Loss or Theft of Devices

            Valuable devices can be lost in the blink of an eye. Encrypt your data, so even if a device is lost, no one unauthorized can access it.

            group 

            Sharing PHI

            Always keep in mind that people like to talk. Very often employees don’t even realize that they have been sharing sensitive information with each other. Educate them about sensitive data handling, and make sure that only authorized individuals can access the data.

            school 

            Lack of employee training

            Employees might not even realize that they have been working with PHI and the violation can be harmful to both the company and patients. Educate them regularly and make sure they understand what PHI and HIPAA are, as well as the consequences of violation.

            login 

            Unauthorized Access

            Employees who are not authorized to process sensitive information can still access it and go through the documents. Set the proper security policies and make sure your employees are aware of them.

            Insider Threats in the Healthcare

            As you can see above, violations often stem from mistakes made by employees, whether they lose a device, click on a phishing campaign, or just talk with their colleagues about patients. HIPAA violations can happen easily. Insider threats can be either unintentional or malicious. However, 56% of insider threat incidents are caused by negligent employees.

            And according to Ponemon Institute, the average total cost of a data breach for healthcare companies jumped 29% to $9.23 million. Health and pharmaceuticals are among the industries with the highest annual insider threat costs, at over $10M per year (Ponemon Institute, 2022). 

            Read more about insider threats here.

            How to Secure Data For HIPAA Compliance?

              1. Adopt security policies and define authorized employees to access your PHI
              2. Use a DLP solution to protect your data against insider threats and to enforce security policies.
              3. Educate your employees on a regular basis
              4. Secure your workplace, adopt policies on how to work with sensitive documents


              Talk to us

              How Safetica Secures Your Data For HIPAA Compliance?

              1. Safetica encrypts your data and keeps it protected in case of device loss or theft.
              2. Safetica is a DLP solution that protects your data against insider threats. Define which operations can be risky and block them or make Safetica notify you and your employees about potential risks.
              3. With Safetica it is easy to adopt security policies and define authorized employees that can work with PHI. You can set your security policies and monitor whether your company’s sensitive data is being misused, and only allow authorized individuals to access it.
              4. Educate your employees on a regular basis. Safetica notifies your employees in the event of risky operations, so they are more aware of data security.
              5. Secure your workplace, and adopt policies on how to work with sensitive documents. Safetica performs security audits and provides you with regular reports that allow you to adjust your security policies.

              HIPAA compliance

              Customer Stories:
              How Safetica Helps in Healthcare

              Gyncentrum Clinic protects their clients' sensitive data with Safetica. Read more here.

              Our staff, both administrative and medical, has access to our patients’ sensitive data on a daily basis. These are personal and medical information, examination results and psychological evaluations. Thanks to Safetica, I can, as the person responsible for data protection in the clinic, decide who has access, how data is processed and whether it can be shared with third parties or not. Employees’ activities are reported, and patients’ data protected.

              Says Paweł Czerwiński, Owner of Gyncentrum.

                Author
                Kristýna Svobodová
                Content Strategist @Safetica

                Next articles

                SAMA’s Cyber Security Framework: The Scope, Purpose, and How to Comply

                The Saudi Arabian Monetary Authority (SAMA) has introduced a Cyber Security Framework designed to fortify the nation's financial systems and critical industries against cyber threats. Throughout this guide, we'll explore the key components, while also providing tips and insights on how to achieve compliance with its requirements.

                HITRUST framework: The Scope, Purpose, and How to Comply

                This article will guide you through HITRUST's evolution, its current scope, and how it can be a game-changer for your organization's data protection strategy.

                Understanding SOC 2: The Scope, Purpose, and How to Comply

                Get started with your SOC 2 compliance efforts: what SOC 2 is, why it matters, and, most importantly, what steps you need to take if you want to get a SOC 2 report for your organization.