Cost of Compliance 2020

What is HIPAA Compliance?

Understanding the Law, Rules & Regulations

Compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) requires companies that deal with protected health information (PHI) to have physical, network, and process security measures in place and follow them.

Anyone providing treatment, payment, and operations in the field of healthcare are subject to HIPAA compliance rules. Business associates, including anyone who has access to patient information and provides support in treatment, payment, or operations, must also meet HIPAA compliance. Also bound by HIPAA are other entities, such as subcontractors and any other related business associates.1

HIPAA Compliance Definition

HIPAA is a series of federal regulatory standards that outline the lawful use and disclosure of protected health information in the United States. HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).

HIPAA compliance is a living culture that health care organizations must implement within their business in order to protect the privacy, security, and integrity of protected health information.2

HIPAA Compliance History

The Health Insurance Portability and Accountability Act of 1996 was passed by the U.S. Congress and signed into law by President Bill Clinton.

HIPAA was enacted primarily to:

  • Modernize the flow of healthcare information
  • Stipulate how personally identifiable information (PII) maintained by the healthcare and health insurance industries should be protected from fraud and theft
  • Address limitations on healthcare insurance coverage, such as portability and the coverage of individuals with pre-existing conditions.3

HIPAA mandated national standards to protect sensitive patient health information from being disclosed without the patient’s knowledge or consent. The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement this mandate.4

The Privacy Rule does have 12 exceptions where patient data can be shared with other entities without the consent of the patient. They include:

  • Victims of domestic violence or other assault
  • Judicial and administrative proceedings
  • Cadaveric organ, eye, or tissue donation
  • Workers compensation5

Another key element of HIPAA is the Security Rule, which exists within the Privacy Rule. This subset is all individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form. Key elements of the HIPPA Security Rule include:

Ensure the confidentiality, integrity, and availability of all electronic protected health information
Detect and safeguard against anticipated threats to the security of the information
Protect against anticipated impermissible uses or disclosures
Certify compliance by their workforce.

Protected health information (PHI) is any demographic information that can be used to identify a patient or client of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos, to name a few.6

HIPAA Compliance Analysis

Health care providers and other entities dealing with PHI are moving to computerized operations. These include computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Similarly, health plans provide access to claims as well as care management and self-service applications.

While all of these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data.7 And these new risks make HIPAA compliance more important than ever.

HHS details both the physical and technical safeguards that entities hosting sensitive patient data must follow:

  • Limited facility access and control with authorized access in place
  • Policies about use and access to workstations and electronic media
  • Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI

Along the same lines, the technical safeguards of HIPAA require access control allowing only for authorized personnel to access ePHI. Access control includes:

  • Using unique user IDs
  • Emergency access procedures
  • Automatic log off
  • Encryption and decryption
  • Audit reports or tracking logs that record activity on hardware and software.

Other technical policies for HIPAA compliance include the need to cover integrity controls, or measures put in place to confirm that electronic patient health information (ePHI) is not altered or destroyed. IT disaster recovery and offsite backup are key components that ensure that electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact.

One final technical safeguard is network or transmission security that ensures HIPAA compliant hosts protect against unauthorized access to ePHI. This safeguard addresses all methods of data transmission, including email, internet, or private networks, such as a private cloud.

The best healthcare data protection solutions recognizes that data doesn’t lose itself. It’s exposed though people—people who are negligent, malicious or compromised by an outside attacker.

That’s why effective compliance is people-centric, focusing on all the ways people can inadvertently or purposely expose patient data in all forms—including structured and unstructured data, emails, documents, and scans—while allowing healthcare providers to share data securely to ensure the best possible patient care.

Patients entrust their data to healthcare organizations, and it is the duty of these organizations to take care of their protected health information.5

The Seven Elements of Effective Compliance

The HHS Office of Inspector General (OIG) created the Seven Elements of an Effective Compliance Program in order to give guidance for organizations to vet compliance solutions or create their own compliance programs.

These are the barebones, absolute minimum requirements that an effective compliance program must address. In addition to addressing the full extent of mandated HIPAA Privacy and Security standards, an effective compliance program must also have the capacity to handle each of the Seven Elements.

The Seven Elements of Effective Compliance Program are as follows:

  1. Implementing written policies, procedures, and standards of conduct.
  2. Designating a compliance officer and compliance committee.
  3. Conducting effective training and education.
  4. Developing effective lines of communication.
  5. Conducting internal monitoring and auditing.
  6. Enforcing standards through well-publicized disciplinary guidelines.
  7. Responding promptly to detected offenses and undertaking corrective action.

Over the course of a HIPAA investigation carried out by OCR in response to a HIPAA violation, federal HIPAA auditors will compare your organization’s compliance program against the Seven Elements to judge its effectiveness.8

Shadow IT Resources

1 Digital Guardian. “A Definition of HIPAA Compliance.”
2 Compliancy Group. “What is HIPAA Compliance?”
3 The HIPAA Guide. “HIPAA for Dummies.”  2007-2018
4 Centers for Disease Control and Prevention.
5 Ibid.
6 Compliancy Group. “What is Protected Health Information?”
7 Digital Compliance. “The need for HIPAA compliance”
8 Compliancy Group. “What are the Seven Elements of a Effective Compliance Program?”