What Is HIPAA Compliance?

Compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) requires companies that work with protected health information (PHI) to implement and follow physical, network, and process security measures.

Business Associates (BAs) are also bound by HIPAA. BAs are third parties accessing patient information to provide treatment, payment, or operations services on behalf of a HIPAA-bound entity. Examples of Business Associates include a freelance medical transcriptionist, a hospital utilisation review consultant, and a third-party healthcare insurance claims processor.^[1]

HIPAA laws are a series of federal regulatory standards outlining the lawful use and disclosure of protected health information in the United States. HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).

HIPAA compliance is a living culture that healthcare organisations must implement within their business to protect the privacy, security, and integrity of protected health information.^[2] In addition to ensuring sensitive patient information is protected and secured, HIPAA compliance is critical for healthcare organisations to avoid legal and financial penalties.

The Health Insurance Portability and Accountability Act of 1996 was passed by the U.S. Congress and signed into law by President Bill Clinton.

HIPAA laws were enacted primarily to:

• Modernise the flow of healthcare information.
• Stipulate how personally identifiable information (PII) maintained by the healthcare and health insurance industries should be protected from fraud and theft.
• Address limitations on healthcare insurance coverage, such as coverage continuation despite job changes, for example, and coverage of individuals with pre-existing conditions.^[3]

HIPAA mandated national standards to protect sensitive patient health information from disclosure without patient knowledge or consent. The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement this mandate.^[4]

The Privacy Rule contains 12 exceptions wherein patient data can be shared with other entities without patient consent. They include:

• Victims of domestic violence or other assault.
• Judicial and administrative proceedings.
• Cadaveric organ, eye, or tissue donation.
• Workers compensation.^[5]

Another key element of HIPAA compliance is the Security Rule, a subset of the Privacy Rule. This includes all individually identifiable health information that a covered entity creates, receives, maintains, or transmits electronically. Key elements of the HIPAA Security Rule include:

• Ensure the confidentiality, integrity, and availability of all electronic protected health information.
• Detect and safeguard against anticipated threats to the security of the information.
• Protect against anticipated impermissible uses or disclosures.
• Certify workforce compliance.

Protected health information (PHI) is any demographic information that can be used to identify a patient or client of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, social security numbers, medical records, financial information, and full facial photos, to name a few.^[6]

For a complete list of protected health information requiring de-identification under Section 164.514(a) of the HIPAA Privacy Rule, view the De-Identification Standard at HHS.gov.

Understanding which entities must comply with these regulations is crucial for maintaining data privacy and avoiding potential penalties. In general, there are two main categories of organisations that must be HIPAA-compliant:

• Covered Entities
• Business Associates

Covered Entities

Covered entities (CEs) are those directly involved in providing or administrating healthcare services. They include:

• Medical practitioners, such as physicians, dentists, pharmacists, and nurses; hospitals; clinics; nursing homes; and other healthcare providers delivering or administering medical care.
• Health plans: These organisations offer health insurance coverage, such as HMOs (health maintenance organisations), PPOs (preferred provider organisations), Medicare/Medicaid programmes, employer-sponsored health plans, and others.
• Healthcare clearinghouses: These businesses process nonstandard PHI into a standard format for electronic transmission between covered entities.

Business Associates

Business associates (BAs) are third-party service providers who access PHI while performing services on behalf of covered entities. Examples include:

• Billing companies: Organisations responsible for processing claims or managing patient accounts.
• Electronic health record (EHR) vendors: Companies that develop, host, or manage EHR systems for healthcare providers.
• IT service providers: Firms offering technical support, data storage, or cybersecurity services to covered entities.
• Consultants and auditors: Professionals who access PHI while assessing a covered entity’s operations and compliance status.

In addition to these primary categories, subcontractors working with business associates may also be required to comply with HIPAA regulations if they handle PHI. This is known as the “Business Associate Chain” concept.

To comply with HIPAA requirements, covered entities and business associates must implement appropriate safeguards for protecting PHI. These measures include adhering to the HIPAA Privacy Rule, the HIPAA Security Rule, and other relevant guidelines established by the U.S. Department of Health & Human Services (HHS).

Understanding HIPAA Privacy and Security Rules is essential for organisations that handle protected health information (PHI). These rules ensure that PHI is secure from unauthorised access or disclosure while preserving its confidentiality, integrity, and availability.

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards for protecting individuals’ medical records and other personal health information. It applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates who transmit electronic PHI (ePHI).

• Covered Entities: Healthcare providers such as doctors, clinics, and hospitals; health plans, including insurance companies; healthcare clearinghouses like billing services.
• Business Associates: Third-party service providers that create, receive, maintain, or transmit ePHI on behalf of covered entities. Examples include IT contractors or cloud storage vendors.

The Privacy Rule requires covered entities to implement appropriate safeguards to protect patient privacy by limiting unnecessary access to PHI. They must also establish policies regarding using and disclosing PHI in various situations, such as treatment purposes or public interest matters like disease control.

HIPAA Security Rule

The HIPAA Security Rule specifically focuses on protecting ePHI by setting guidelines for implementing technical safeguards within an organisation's IT infrastructure. This rule aims to ensure ePHI confidentiality while maintaining its integrity and availability to authorised users.

The Security Rule outlines three main safeguard categories:

• Administrative Safeguards: Policies, procedures, and actions an organisation's management takes to protect ePHI. Examples include risk assessments, workforce training programmes, and incident response plans.
• Physical Safeguards: Measures implemented to secure physical access to facilities where ePHI is stored or processed. These may involve facility access controls, workstation security measures, and device disposal policies.
• Technical Safeguards: The use of technology solutions such as encryption tools or firewalls that help prevent unauthorised access or disclosure of ePHI. This category also includes audit controls for monitoring system activity and ensuring data integrity during transmission.

In summary, the HIPAA Privacy Rule protects patient privacy by properly handling PHI in various situations. The Security Rule safeguards electronic PHI from potential threats using administrative, physical, and technical measures. Compliance with both rules is crucial for organisations dealing with sensitive health information to avoid penalties associated with non-compliance.

Healthcare providers and other entities handling PHI are moving to computerised operations. These include computerised physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Similarly, health plans provide access to claims, care management, and self-service applications.

While these electronic methods provide increased efficiency and interoperability, they also drastically increase the security risks of healthcare data.^[7] And these new risks make HIPAA compliance more critical than ever.

HHS details both the physical and technical safeguards that entities hosting sensitive patient data must follow:

• Limited facility access and control with authorised access in place.
• Policies about use and access to workstations and electronic media.
• Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI.

Similarly, HIPAA’s technical safeguards require access control, only allowing authorised personnel to access ePHI. Access control includes:

• Using unique user IDs.
• Emergency access procedures.
• Automatic log off.
• Encryption and decryption.
• Audit reports or tracking logs that record activity on hardware and software.

Other technical policies for HIPAA compliance include implementing integrity controls or measures to confirm that electronic patient health information (ePHI) is not altered or destroyed. IT disaster recovery and offsite backup are vital components that ensure electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact.

One final technical safeguard is network or transmission security, ensuring HIPAA-compliant hosts protect against unauthorised access to ePHI. This safeguard addresses all methods of data transmission, including email, the internet, or private networks, such as a private cloud.

The best healthcare data protection solutions recognise that data doesn’t lose itself. Data is exposed to people—people who are negligent, malicious, or compromised by an outside attacker.

That’s why effective compliance is people-centric, focusing on how people can inadvertently or purposely expose patient data in all forms—including structured and unstructured data, emails, documents, and scans—while enabling healthcare providers to share data securely to ensure the best possible patient care.

Patients entrust their data to healthcare organisations, so these organisations must safeguard protected health information.^[5]

The HHS Office of Inspector General (OIG) created the Seven Elements of an Effective Compliance Program to guide organisations in vetting compliance solutions or creating their own compliance programmes.

These are the barebones, absolute minimum requirements an effective compliance programme must address. In addition to addressing the full extent of mandated HIPAA Privacy and Security standards, an effective compliance programme must also be able to handle each of the Seven Elements.

The Seven Elements of an Effective HIPAA Compliance Program are as follows:

1. Implementing written policies, procedures, and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicised disciplinary guidelines.
7. Responding promptly to detected offences and undertaking corrective action.

Throughout an OCR (Office for Civil Rights) HIPAA investigation in response to a violation, federal HIPAA auditors compare an organisation's compliance programme against the Seven Elements to judge its effectiveness.^[8]

To maintain HIPAA compliance, organisations must implement a combination of physical and technical safeguards alongside well-defined policies. To ensure the security of PHI, it is essential to implement physical and technical safeguards combined with clear policies.

Physical Safeguards

• Facility Access Controls: Organisations should establish procedures to limit access to facilities containing PHI. This may include implementing security systems such as access control cards, surveillance cameras, or biometric authentication.
• Workstation Use & Security: Workstations that handle PHI should be secured from unauthorised access. Employees must follow guidelines on how workstations can be used while handling sensitive data. Additionally, organisations should consider using privacy screens or positioning monitors away from public view.
• Device & Media Controls: Properly managing electronic media containing PHI is essential. Organisations need policies for disposing or reusing devices securely while ensuring data is wiped clean before disposal or reuse.

Technical Safeguards

• Data Encryption: To protect against unauthorised access during transmission over networks or on stored devices like laptops and smartphones, encryption technologies like SSL/TLS certificates must be used.
• User Authentication: All users accessing PHI must have unique identification credentials to allow system traceability. This includes username and password combinations along with multi-factor authentication options like tokens or biometrics.
• Audit Controls: Organisations must implement mechanisms to record and examine activity on systems that contain or use PHI. Regular audits help identify potential security incidents, track user access, and ensure policy compliance.

Policies & Procedures

• Risk Analysis: Regular and thorough risk analyses should be conducted to identify infrastructure vulnerabilities. This includes assessing physical locations where PHI is stored as well as reviewing technical safeguards like encryption methods.
• Training Programmes: All employees handling PHI must undergo regular training on HIPAA regulations and best practices for maintaining data privacy. Training programmes can include online courses, workshops, or seminars tailored to your organisation's specific needs.
• Breach Notification Policy: In case of a data breach involving unsecured PHI, organisations are required by law to notify affected individuals promptly. A clear policy outlining how breaches will be handled ensures timely response and mitigates damage caused by unauthorised disclosure of sensitive information.

Healthcare entities must have both physical and technical protections in place, as well as policies adhering to HIPAA regulations. Understanding HIPAA compliance requirements is essential to ensure data protection for these organisations.

HIPAA compliance requirements must be met by all covered entities and business associates who handle both PHI and ePHI in the United States.

To achieve HIPAA compliance, organisations must address the following requirements:

• Administrative Safeguards: The development of written policies and procedures related to PHI security and privacy, designation of a privacy and security officer, workforce training on HIPAA regulations, and risk analysis and management.
• Physical Safeguards: Controlling access to facilities where PHI is stored, such as ensuring that only authorised personnel can enter secure areas, using security cameras and other security measures, and maintaining proper disposal procedures for any PHI-containing devices or media.
• Technical Safeguards: Ensuring that ePHI is protected through access controls, such as unique user IDs and passwords, encryption of data at rest and in transit, regular security updates and software patching, and monitoring network activity to identify any unauthorised access or data breaches.
• Breach Notification: In a data breach involving PHI, organisations must follow specific procedures to effectively notify affected individuals and the Department of Health and Human Services.
• Business Associate Agreements: Covered entities must establish agreements with their business associates, including provisions requiring them to adhere to HIPAA regulations.
• Privacy Rule: Enforces how covered entities and their business associates use and disclose PHI. Organisations must set policies and procedures to comply with these regulations, including obtaining individual consent before using or disclosing PHI, implementing reasonable safeguards to protect PHI, and providing individuals with the right to access and request corrections to their PHI.
• Security Rule: A general rule that enforces the requirements above and requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect ePHI from unauthorised access, use, or disclosure.

By adhering to these HIPAA compliance requirements, organisations can effectively protect patient privacy and maintain the trust of their patients and clients.

Violating HIPAA compliance regulations can result in severe consequences for organisations and individuals involved. Ramifications of HIPAA violations can include hefty fines, reputational harm, and legal action. This section will explore the consequences of HIPAA non-compliance and provide examples to illustrate their severity.

Types of HIPAA Violations

An organisation or individual can violate HIPAA rules in several ways. Common violations include:

• Unauthorised access or disclosure: Accessing or disclosing protected health information (PHI) without proper authorisation.
• Breach notification failure: Failing to notify affected individuals and authorities within the required timeframe after discovering a PHI breach.
• Lack of safeguards: Not implementing appropriate physical, technical, and administrative safeguards to protect PHI.
• Poor training: Inadequate employee training on handling PHI consistent with HIPAA requirements could lead to violations due to negligence or mistakes.

HIPAA Penalties

The Office for Civil Rights (OCR), which enforces HIPAA regulations under the Department of Health & Human Services (HHS), categorises violations into four tiers based on severity. The corresponding penalty amounts range from $100 per violation up to $1.5 million per year for each provision violated. Here’s an overview of these tiers:

• Tier I – Unknowing: The covered entity was unaware they violated any provisions; penalties range from $100 to $50,000 per violation.
• Tier II – Reasonable Cause: The covered entity should have known about the violation but did not act with wilful neglect; penalties range from $1,000 to $50,000 per violation.
• Tier III – Wilful Neglect (Corrected): The covered entity acted with wilful neglect but corrected the issue within 30 days; penalties range from $10,000 to $50,000 per violation.
• Tier IV – Wilful Neglect (Not Corrected): The covered entity acted with wilful neglect and failed to correct the issue within 30 days; penalties can reach up to a maximum of $1.5 million for each provision violated annually.

Real-World Examples of HIPAA Violations

To better understand how these violations occur and their consequences in real-world scenarios, let’s look at some examples:

• Anthem, Inc.: In one of the largest data breaches in history involving PHI, Anthem, Inc., a major health insurance provider, agreed on a settlement worth over $16 million due to its failure to implement appropriate security measures that led to unauthorised access by cybercriminals who stole information related to nearly 79 million individuals in 2015.
• New York-Presbyterian Hospital/Columbia University Medical Center: A joint breach report submitted by both entities revealed that an improperly deactivated server resulted in search engines being able to access PHI. This incident affected approximately 6,800 patients’ records and led to a settlement of $4.8 million in 2014.
• Memorial Healthcare System: In 2012, Memorial Healthcare System discovered that its employees had been accessing patient records without authorisation for over a year. The breach affected more than 115,000 patients and resulted in a $5.5 million settlement.

HIPAA compliance violations can have severe consequences for organisations and individuals involved. It is crucial to understand the regulations thoroughly and implementing appropriate safeguards is critical to protect PHI from unauthorised access or disclosure while ensuring timely reporting of any possible breaches that may occur.

In recent years, the U.S. Department of Health and Human Services has made several updates to HIPAA regulations in response to emerging cybersecurity threats and technological advancements. Therefore, remaining compliant requires covered entities and business associates to stay current on these developments.

Information Blocking Rule

On April 5, 2021, the Information Blocking Rule became effective as part of the 21st Century Cures Act Final Rule to promote interoperability between electronic health record systems while ensuring patient access to their health information. This rule requires covered entities such as hospitals and doctors' offices to not only comply with HIPAA but also avoid any practices that could be considered “information blocking”. Non-compliance can result in penalties or other enforcement actions by HHS.

OCR’s Right of Access Initiative

In 2019, the Office for Civil Rights (OCR) launched its Right of Access Initiative. The goal is to ensure patients have timely access to their medical records without unreasonable barriers or delays. Under this initiative, OCR has aggressively pursued enforcement actions against healthcare providers who fail to provide patients with prompt access or charge excessive fees for copies of their records.

• New Guidance on Ransomware Attacks: In June 2021, OCR released a fact sheet outlining the importance of a secure cybersecurity programme to prevent and respond to ransomware attacks. This guidance emphasises the importance of maintaining a robust cybersecurity programme that includes regular risk assessments, employee training, data backups, and incident response plans.
• Telehealth Flexibilities: In response to the COVID-19 pandemic, HHS temporarily relaxed certain HIPAA enforcement rules related to telehealth. These changes allowed healthcare providers to use non-public-facing remote communication technologies for patient care without fear of penalties for potential HIPAA violations. While these flexibilities are still in place as of 2023, it is important for organisations using telehealth services to monitor any future updates or changes in this area.

To stay up-to-date with the latest HIPAA compliance news and regulatory updates, consider subscribing to newsletters from reputable sources such as HIPAA Journal.

Proofpoint provides proven solutions to help organisations remain HIPAA compliant and effectively protect their patient's PHI. Through automated protection in maintaining HIPAA compliance to advanced security solutions to prevent insider and external threats, Proofpoint delivers world-class capabilities for covered entities and business associates. Two of the most powerful solutions the company provides include:

• Insider Threat Management: Deploying an insider threat management tool like Proofpoint ITM helps healthcare cybersecurity teams detect insider threats, streamline the incident investigation process, maintain HIPAA compliance (and other types), and prevent data breaches without impeding your organisation's day-to-day performance.
• Information Protection: A vital measure to any HIPAA-compliant organisation is maintaining optimal protection of sensitive data and PHI. Proofpoint’s Information Protection solutions unify content, threat, and behaviour insights and provide a people-centric approach to data loss prevention, enabling organisations to protect against accidental mistakes, attacks, and insider risk across your cloud services, email, endpoint, web, on-premises, and shared cloud repositories.

For more information about how Proofpoint can help ensure secure PHI and HIPAA compliance, contact Proofpoint today.

[1] Digital Guardian. “A Definition of HIPAA Compliance”
[2] Compliancy Group. “What is HIPAA Compliance?”
[3] The HIPAA Guide. “HIPAA for Dummies”
[4] Centers for Disease Control and Prevention
[5] Ibid.
[6] Compliancy Group. “What is Protected Health Information?”
[7] Digital Compliance. “The need for HIPAA compliance”
[8] Compliancy Group. “What are the Seven Elements of an Effective Compliance Program?”