What is HIPAA Compliance?

The Health Insurance Portability and Accessibility Act (HIPAA) is a regulation designed to protect patients’ healthcare information within the US. Certain organizations that have access to protected health information (PHI) are required to implement the security controls, processes, and procedures outlined in the HIPAA regulation.

Compliance Datasheet Request a Demo

What is HIPAA Compliance?

Who needs to be HIPAA compliant and why?

HIPAA defines two types of organizations that are required to comply with its requirements:

  • Covered Entities: HIPAA defines “covered entities” as healthcare organizations and their employees that have access to PHI. This includes doctors, nurses, and insurance companies.
  • Business Associates: Under HIPAA, “business associates” are organizations that provide services to covered entities that involve access to PHI. For example, an organization that handles billing for a healthcare provider has access to patients’ name, address, etc., which are protected as PHI under HIPAA.

 

Under HIPAA, both covered entities and business associates must comply with HIPAA. Covered entities are directly regulated by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). HIPAA requirements are enforced for business associates via their contracts with covered entities.

 

However, the regulation only applies to organizations that fit the definition of covered entities or business associates under the law. Other organizations that have access to health information but do not receive it from covered entities are not subject to HIPAA regulations. For example, developers of health and fitness apps that collect health information directly from users but are not a healthcare organization are not required to comply with its directives.

 

However, these organizations could benefit from doing so. HIPAA describes best practices for protecting PHI and complying with these best practices can reduce an organization’s exposure to cyber threats and the probability and impact of a potential data breach. Additionally, in the event of a breach or security incident, complying with the regulation helps to demonstrate that the company performed due diligence and made a good effort to protect its customers’ data.

What are the HIPAA Rules?

HIPAA is broken up into two major rules: the Privacy Rule and the Security Rule. In addition to these rules are the Breach Notification Rule, which describes how organizations should report a breach of PHI, and the Omnibus Rule, which extended HIPAA requirements to include business associates as well.

Privacy Rule. The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) mandates how healthcare organizations should protect certain types of health information entrusted to them. The Privacy Rule defines cases in which PHI can be accessed and disclosed. It also defines safeguards that covered entities should have in place to protect PHI and gives patients certain rights regarding their PHI.

 

Security Rule. The Security Standards for the Protection of Electronic Protected Health Information (Security Rule) describes the IT security controls that companies should have in place for protected health information (PHI) that is stored or transferred electronically. It provides concrete IT security controls, processes, and procedures that organizations must have in place to fulfill the data protection requirements outlined within the Privacy Rule.

The Data Protected Under HIPAA

HIPAA is designed to protect PHI provided by patients to covered entities and their business associates. HHS defines eighteen types of PHI identifiers, including:

  1. Name
  2. Address
  3. Key Dates 
  4. Social Security Number
  5. Telephone number
  6. Email address
  7. Fax number
  8. Health plan beneficiary number
  9. Medical record number
  10. Certificate/license number
  11. Account number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. IP address
  15. Web URLs
  16. Full-face photos
  17. Biometric identifiers such as fingerprints or voiceprints
  18. Any other unique identifying numbers, characteristics, or codes

Common HIPAA violations

HIPAA compliance is mandatory for covered entities, and these organizations can be penalized for non-compliance. HIPAA defines four tiers of violations:

  • Tier 1: The covered entity was unaware of the violation, and the violation could not realistically have been prevented if the covered entity made a good faith effort to comply with HIPAA. Penalties range from $100 to $50,000.
  • Tier 2: The covered entity was aware of the violation but it was not preventable given good faith efforts to comply with HIPAA. Penalties range from $1,000 to $50,000.
  • Tier 3: The violation occurred due to “willful neglect” of HIPAA rules that the covered entity made an attempt to correct. Penalties range from $10,000 to $50,000.
  • Tier 4: The violation occurred due to “willful neglect” that the covered entity made no attempt to correct. Penalties start at $50,000.

Most HIPAA violations include the break of PHI, intentionally or otherwise. Some common HIPAA violations include:

  • Lost or stolen devices
  • Ransomware and other malware
  • Compromised user credentials
  • Accidental data sharing via email, social media, etc.
  • Physical office break-in
  • Breach of electronic health records (EHR)

HIPAA Compliance Checklist

Achieving HIPAA compliance is a multi-step process. Some key steps to take include:

  1. Determine Your Compliance Obligations: As mentioned earlier, HIPAA applies to covered entities and – through them – their business associates. Under HIPAA, covered entities are defined as healthcare providers, health plans, and healthcare clearinghouses. Their business associates are any organization with whom they share PHI. 
  2. Learn the HIPAA Rules: The HIPAA Privacy and Security Rules define a covered entity or business associate’s responsibilities under HIPAA. Understanding the required controls, policies, and processes is essential for achieving and maintaining compliance. 
  3. Identify Scope of Compliance: HHS defines eighteen types of data that qualify as PHI and must be protected under HIPAA. Identifying where these types of data are stored, processed, and transmitted within an organization’s IT environment is essential to determining which systems and personnel are subject to HIPAA’s mandates. 
  4. Perform a Gap Assessment: An organization may have some of the required HIPAA controls in place but others may be missing. A gap assessment against HIPAA requirements is necessary for identifying where the company falls short of compliance requirements. 
  5. Deploy Missing Controls: A gap assessment may identify places where the organization is currently non-compliant. After identifying these gaps, develop and implement a strategy for closing the holes. 
  6. Create Required Documentation: HIPAA requires that covered entities have certain documented policies and processes. If any processes are missing or are undocumented, generate the required documents. 
  7. Prepare for Compliance Audits: Passing a compliance audit requires the ability to demonstrate to an auditor that an organization’s security controls, processes, and procedures meet the regulation’s requirements. Develop a plan for going through the audit and gather any required data and reports before the audit.

How Check Point can help

The primary goal of HIPAA is to protect the PHI entrusted to covered entities and their business associates. The HIPAA Privacy and Security Rules mandate that organizations control and monitor access to PHI and protect it against unauthorized access.

Check Point offers a variety of solutions that help healthcare providers and other organizations to achieve compliance with HIPAA and other regulations. Check Point CloudGuard performs compliance monitoring, data collection, and report generation for cloud-based environments. To learn more about achieving cloud compliance with CloudGuard, you’re welcome to sign up for a free demo.

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK