The Health Insurance Portability and Accountability Act (HIPAA) is a US regulation designed to protect patients’ healthcare information. Organizations that have access to protected health information (PHI) and fall within the law's scope are required to implement the security controls, processes, and procedures outlined in the HIPAA regulation.
HIPAA defines two types of organizations that are required to comply with its requirements:
Both covered entities and business associates must comply with HIPAA. Covered entities are directly regulated by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). For business associates, HIPAA requirements are enforced through their contracts with covered entities.
However, the regulation only applies to organizations that fit the definition of covered entities or business associates under the law. Other organizations that have access to health information but do not receive it from covered entities are not subject to HIPAA regulations. For example, developers of health and fitness apps that collect health information directly from users but are not a healthcare organization are not required to comply with its directives.
However, these organizations could still benefit from doing so. HIPAA describes best practices for protecting PHI, and following these practices can reduce an organization’s exposure to cyber threats and the probability and impact of a potential data breach. Additionally, in the event of a breach or security incident, complying with the regulation helps to demonstrate that the company performed due diligence and made a good-faith effort to protect its customers’ data.
HIPAA is broken up into two major rules: the Privacy Rule and the Security Rule. In addition to these rules are the Breach Notification Rule, which describes how organizations should report a breach of PHI, and the Omnibus Rule, which extended HIPAA requirements to include business associates as well.
Privacy Rule. The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) mandates how healthcare organizations should protect certain types of health information entrusted to them. The Privacy Rule defines cases in which PHI can be accessed and disclosed. It also defines safeguards that covered entities should have in place to protect PHI and gives patients certain rights regarding their PHI.
Security Rule. The Security Standards for the Protection of Electronic Protected Health Information (Security Rule) describes the IT security controls that companies should have in place for PHI that is stored or transmitted electronically (electronic PHI, or ePHI). It provides concrete IT security controls, processes, and procedures that organizations must have in place to fulfill the data protection requirements outlined in the Privacy Rule.
HIPAA is designed to protect PHI provided by patients to covered entities and their business associates. HHS defines eighteen types of PHI identifiers, including:
HIPAA compliance is mandatory for covered entities, and these organizations can be penalized for non-compliance. HIPAA defines four tiers of violations:
Most HIPAA violations involve a breach of PHI, whether intentional or not. Some common HIPAA violations include:
Achieving HIPAA compliance is a multi-step process. Some key steps to take include:
The primary goal of HIPAA is to protect the PHI entrusted to covered entities and their business associates. The HIPAA Privacy and Security Rules mandate that organizations control and monitor access to PHI and protect it against unauthorized access.
Check Point offers a variety of solutions that help healthcare providers and other organizations to achieve compliance with HIPAA and other regulations. Check Point CloudGuard performs compliance monitoring, data collection, and report generation for cloud-based environments. To learn more about achieving cloud compliance with CloudGuard, you’re welcome to sign up for a free demo.