What is HIPAA?

HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information.

HIPAA Meaning

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.

HIPAA is a federal law signed by President Bill Clinton in 1996. It required the creation of national standards to protect sensitive patient health information, known as protected health information (PHI), from being disclosed without the patient’s consent or knowledge.

So, what is HIPAA and why does it matter? In 2020, data breaches affected 26.4 million healthcare records in the U.S. alone, costing the healthcare industry over $13 billion.

Given the volume of personal information stolen by cybercriminals, the purpose of HIPAA is easy to grasp: it sets the legal baseline of privacy and security safeguards that healthcare organizations must apply to patient data.

HIPAA establishes data privacy and security requirements for healthcare in order to protect patients’ medical information. This is especially relevant for healthcare providers and organizations that keep records electronically, for example in an Electronic Health Record (EHR) system.

An EHR stores digital records of patient health information such as diagnoses, medications, radiology images, and billing data.

EHR systems are used in hospitals and other healthcare facilities, and because they hold electronic PHI they fall under the administrative, physical, and technical safeguards of the HIPAA Security Rule.

Looking for a HIPAA Compliant Cybersecurity Solution ?

Who is Covered by HIPAA?

As defined by HIPAA, covered entities (CEs) are health plans, healthcare clearinghouses (public or private entities that process nonstandard health information into standard data elements, or vice versa), and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction, such as claims, eligibility checks, and payment or remittance advice.

Examples of healthcare providers that are covered entities include:

  • Physicians
  • Nurses
  • Hospitals
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

The Privacy Rule, enforced by the Department of Health and Human Services (HHS), requires every covered entity to designate a privacy official who is responsible for developing and implementing the entity’s privacy policies and procedures.

The covered entity must also designate a contact person (often the same privacy official) who receives complaints and provides individuals with information about the entity’s privacy practices.

Business Associates Must Comply with The HIPAA Privacy Standards

Business associates are persons or entities that create, receive, maintain, or transmit PHI on behalf of a covered entity, or that perform or assist in an activity involving PHI such as claims processing, quality assurance reviews, data analysis, or any other function regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule.

Whether a vendor is a business associate depends on its handling of PHI, not on what it sells. A pharmaceutical supplier that merely sells drugs to a physician is not a business associate; one that receives PHI from the practice in order to perform a service on its behalf is, and must then follow the HIPAA rules that apply to business associates.

Other examples of business associates include:

  • Accountants
  • Consultants 
  • Suppliers (medical devices)
  • Legal 
  • Data Aggregation
  • Administrative/Management
  • Financial Services

The HIPAA Omnibus Final Rule, issued by HHS in 2013 and enforced by its Office for Civil Rights (OCR), extended direct liability for protecting PHI and ePHI to business associates and their subcontractors.

Because of the Omnibus Rule, covered entities had to update their Business Associate Agreements to reflect business associates’ direct obligations. The Omnibus Rule also limited the Privacy Rule’s protection of a deceased individual’s PHI to 50 years after death.

A covered entity (CE) must also have an established complaint process to meet the Privacy Rule.


What Information is Protected by HIPAA?

Protected health information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form or medium. The Privacy Rule (compliance date 2003) defines it, and the rule’s Safe Harbor de-identification method lists eighteen identifiers that must be removed before health data stops being PHI, including:

  • Names
  • Addresses (geographic subdivisions smaller than a state)
  • Dates directly related to the individual, other than the year
  • Telephone numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Fax numbers
  • IP addresses
  • URLs
  • Biometric identifiers such as fingerprints
  • Account numbers
  • Full-face photographs
  • Vehicle identifiers such as license plate numbers

Only authorized individuals may access or process the information listed above; the Security Rule’s administrative, physical, and technical safeguards exist to prevent unauthorized access to it when it is held electronically.
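Finding these identifiers in free text is the first step of a Safe Harbor de-identification or of a data-loss-prevention check. The following scanner is an added example, not code from the page or from Perimeter 81; the regular expressions, the "MRN" label convention and the sample clinic note are constructed for it. It detects the identifiers that have a recognisable syntax, redacts them, keeps only the year of any date (which Safe Harbor permits for individuals under 90), and names the identifiers from the list that no pattern can find, which a review must cover separately:

```python
"""Safe Harbor identifier scanner (added example, not page or vendor code)."""
import re
from dataclasses import dataclass

# Identifiers from the Safe Harbor list that have a machine-recognisable
# syntax.  Patterns are deliberately conservative to limit false positives;
# the MRN prefix convention ("MRN 00123456") is an assumption for the example.
PATTERNS = {
    "date":      re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn":       re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "telephone": re.compile(r"(?<!\w)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "email":     re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn":       re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip":        re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":       re.compile(r'\bhttps?://[^\s<>"]+[^\s<>".,;)]'),
}

# Safe Harbor identifiers that no regex finds reliably in free text; a
# de-identification review has to cover these by other means (structured
# fields, an NLP model, or manual review).
NOT_PATTERN_DETECTABLE = (
    "names", "geographic subdivisions smaller than a state",
    "biometric identifiers", "full-face photographs",
    "any other unique identifying number, characteristic, or code",
)


@dataclass
class Finding:
    kind: str
    value: str
    start: int
    end: int


def scan(text):
    """Return non-overlapping findings in order of position.  When two
    patterns overlap (e.g. a phone number embedded in a URL), the match
    that starts first wins, so the larger identifier is redacted whole."""
    hits = [Finding(kind, m.group(0), m.start(), m.end())
            for kind, rx in PATTERNS.items() for m in rx.finditer(text)]
    hits.sort(key=lambda f: (f.start, -f.end))
    kept, last_end = [], -1
    for f in hits:
        if f.start >= last_end:
            kept.append(f)
            last_end = f.end
    return kept


def _year_of(date_value):
    """Safe Harbor lets the year stay (for individuals under 90)."""
    return date_value[:4] if "-" in date_value else date_value.rsplit("/", 1)[-1]


def redact(text):
    """Replace each finding with a [KIND] token, keeping only the year of dates."""
    out, pos = [], 0
    findings = scan(text)
    for f in findings:
        out.append(text[pos:f.start])
        out.append(_year_of(f.value) if f.kind == "date" else f"[{f.kind.upper()}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out), findings


# Constructed sample clinic note for the example (fictional data).
SAMPLE_NOTE = (
    "Patient John Q. Public, DOB 03/14/1972, MRN 00123456, seen 2021-02-09. "
    "Call (555) 867-5309 or jqp@example.org. SSN 123-45-6789. "
    "Portal login from 203.0.113.7, see https://portal.example.org/visit/42."
)

if __name__ == "__main__":
    clean, found = redact(SAMPLE_NOTE)
    for f in found:
        print(f"{f.kind:10} {f.value}")
    print(clean)
    print("not pattern-detectable, review separately:", ", ".join(NOT_PATTERN_DETECTABLE))
```

Note what the example does not do: the patient’s name at the start of the note survives, because names, street addresses and similar identifiers need structured fields or an NLP model rather than a regular expression. A tool that only runs patterns like these is a pre-filter, not a de-identification method on its own.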

What is ePHI?

ePHI stands for Electronic Protected Health Information: any PHI that is created, stored, transmitted, or received in electronic form or media. ePHI is governed by the HIPAA Security Rule.

ePHI HIPAA best practices and safeguards include:

  • Strong passwords and the use of Multi-Factor Authentication (MFA)
  • Unique accounts (user IDs) for each user
  • Giving each user the minimum ePHI access required for their job (the minimum-necessary standard)
  • Logging all access to and changes of ePHI (change of patient address, telephone, email, etc.)

How Does HIPAA Address Employees’ Access to ePHI?

Workforce members must be given access to ePHI on a need-to-know basis, consistent with the minimum-necessary standard, and ePHI must be protected wherever it is held or used.

One method of protecting patient information is encryption, in transit and at rest: encrypted data can only be read with the corresponding decryption key and otherwise appears as random bytes. Encryption is an addressable specification of the Security Rule rather than a flat requirement, but HHS guidance treats PHI encrypted to its standards as “secured”, which means its loss does not trigger breach notification.

Medical records, in particular, should carry this added layer of protection against theft.

Other ePHI examples include: 

  • Emailed lab results or blood test reports 
  • E-prescriptions, stored X-rays, MRIs, or other digital photos of a patient
  • Patient notes stored in a mobile device
  • Appointments and procedures stored on an e-calendar

PHI Compliance  

PHI compliance refers to handling patients’ protected health information in accordance with the HIPAA rules, which is mandatory for the majority of healthcare facilities in the United States.

HIPAA permits PHI to be sent by email, provided reasonable safeguards are applied; in practice that means encrypting messages in transit (and at rest where they are stored) and confirming the recipient address before sending. The HIPAA Security Rule establishes the national standards for protecting ePHI.

PHI Policies and Procedures

Under HIPAA, PHI policies are the responsibility of the privacy official, who is also responsible for mitigating privacy risks and handling privacy complaints.

PHI procedures place strict emphasis on access to confidential information, which should be granted only to authorized personnel.

HIPAA Medical

Healthcare data security standards exist to protect patient confidentiality, and the controls a facility adopts must satisfy the HIPAA regulations.

It is also crucial to patch medical software routinely, since unpatched vulnerabilities are among the easiest ways in for cybercriminals.

Such exploits open a door to malicious actors who can quickly steal patient information and sell it for as little as $5.40 on the black market.

Well-maintained medical software and infrastructure protect against some of the most common risk factors:

  • Outdated legacy systems that no longer receive security updates
  • Unsecured networks
  • Malicious emails such as phishing
  • Weak passwords (e.g. 123456, qwerty, and, astonishingly, the word “password” itself)
  • Lack of training among employees and other third-party providers

Healthcare professionals must abide by the HIPAA rules in addition to their ethical codes and professional obligations. Every covered entity is required to designate a privacy official, and the Security Rule separately requires a security official, to ensure that the HIPAA rules are enforced.

Physicians should follow the HIPAA requirements for medical record storage and retention, and use the ICD-10 code sets adopted under HIPAA’s Administrative Simplification provisions for all standard transactions.

HIPAA Compliance Checklist for a Medical Office

  1. Train Your Staff on HIPAA Policies and Procedures – Employees should be well acquainted with the HIPAA Policies & Procedures Desk Reference, which can be purchased online. Although the regulations are updated regularly, the book is a good starting point.
  2. Set Up a HIPAA Policy for the Medical Office – Develop a manual with written policies and step-by-step procedures for everyone to follow, and quiz staff periodically to make sure everyone is up to date.
  3. Maintain Privacy – Never disclose patient information or leave patient files unattended, and keep patient names out of the sight and hearing of other visitors. Always knock before entering any room and avoid noisy places when speaking with patients.
  4. Keep Software and Policies Current – This includes installing the latest security updates as well as staying current with new HIPAA guidance on electronic medical records and record storage requirements.

What Are Patient Rights Under HIPAA?

  1. Right to Obtain a Copy of Your Health Data – Every patient has the right to inspect or obtain a copy of their health records. The covered entity must respond within 30 days (one 30-day extension is allowed) and may charge a reasonable, cost-based fee.
  2. Right to an Accounting of Disclosures – On request, covered entities must provide a list of certain disclosures of a patient’s PHI made in the previous six years (routine disclosures for treatment, payment, and healthcare operations are excluded).
  3. Right to Request Restrictions on Sharing – Patients may ask a covered entity to restrict uses and disclosures of their PHI. The entity may decline most such requests, but must honor a request not to tell a health plan about an item or service the patient paid for in full out of pocket. Covered entities may not sell PHI or use it for marketing without the patient’s written authorization, and research use generally requires authorization as well.
  4. Right to File a Complaint for a Privacy Violation – A patient may file a complaint with the covered entity or with OCR if they believe their PHI has been accessed, used, or disclosed improperly.
  5. Right to Request Amendment of Your Health Records – Patients may ask, in writing, that errors in their health information be corrected; the covered entity may deny the request in certain cases but must document the disagreement.
  6. Notice of Privacy Practices – All HIPAA covered entities are required by law to give you a notice explaining how your medical data will be used and disclosed.

A question physicians often research is whether sign-in sheets are allowed. According to the Department of Health and Human Services, yes: covered entities may use sign-in sheets and call out patient names in waiting rooms as long as the information disclosed is limited to what is reasonably necessary (the reason for the visit, for example, should not appear on the sheet).

What is a Compliance Breach?

Under the Breach Notification Rule, a breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. A breach need not be a cyberattack: human error, such as a record mailed to the wrong patient, also qualifies. A documented risk assessment of the incident determines whether it is a reportable breach.

A breach is treated as discovered on the first day it is known to the covered entity, or would have been known had the entity exercised reasonable diligence (knowledge of any workforce member or agent counts). Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery; a business associate that discovers a breach must report it to the covered entity within the same outer limit.

Breaches affecting 500 or more individuals must be reported to HHS within that 60-day window, and if more than 500 residents of a state or jurisdiction are affected, prominent media outlets must be notified as well. Smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Missing these deadlines can result in a substantial penalty from OCR, so the process belongs on any HIPAA audit checklist.
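The timeline above is easy to get wrong under pressure, so incident-response runbooks usually compute the deadlines mechanically. The following calculator is an added example, not code from the page or from Perimeter 81; the scenario in its main block is constructed. It applies the discovery-date rule, the 60-day outer limit, the 500-individual threshold for HHS and media notice, the annual-log deadline for smaller breaches (which lands on 29 February when the following year is a leap year), and the encryption safe harbor under which no notification is due:

```python
"""Breach Notification Rule deadline calculator (added example, not page or vendor code).

Encodes the outer time limits of the rule: individuals within 60 calendar days
of discovery; HHS within the same window when 500 or more individuals are
affected, otherwise in the annual log due 60 days after the end of the
calendar year; prominent media when more than 500 residents of one state or
jurisdiction are affected.  PHI encrypted to HHS guidance is "secured" and
needs no notification at all.
"""
from datetime import date, timedelta

OUTER_LIMIT = timedelta(days=60)


def discovery_date(first_known, should_have_known=None):
    """A breach is discovered on the first day the entity knew of it, or
    would have known with reasonable diligence, whichever is earlier.
    Knowledge of any workforce member or agent counts as the entity's."""
    if should_have_known is None:
        return first_known
    return min(first_known, should_have_known)


def notification_deadlines(discovered, affected_total, max_in_one_state=None,
                           secured=False):
    """Return the latest permitted notification date keyed by recipient.

    The rule's actual standard is 'without unreasonable delay', so these are
    outer limits, not targets.  An empty dict means no notification is due.
    """
    if secured:
        return {}
    if max_in_one_state is None:
        max_in_one_state = affected_total
    latest = discovered + OUTER_LIMIT
    deadlines = {"individuals": latest}
    if affected_total >= 500:
        deadlines["hhs"] = latest
    else:
        # Annual log: 60 days after 31 December of the discovery year, which
        # is 1 March, or 29 February when the following year is a leap year.
        deadlines["hhs"] = date(discovered.year, 12, 31) + OUTER_LIMIT
    if max_in_one_state > 500:
        deadlines["media"] = latest
    return deadlines


def days_remaining(deadlines, today):
    """Days left for each notification (negative means overdue)."""
    return {who: (when - today).days for who, when in deadlines.items()}


if __name__ == "__main__":
    # Constructed scenario: a laptop holding an unencrypted export of 120
    # patient records was reported stolen on 12 May 2023, but a helpdesk
    # ticket shows it was already reported missing on 10 May.
    found = discovery_date(date(2023, 5, 12), should_have_known=date(2023, 5, 10))
    for who, when in notification_deadlines(found, 120).items():
        print(f"{who:12} by {when}")
```

The discovery date matters more than it looks: the clock starts when any workforce member knew or should have known, not when the security team opened a ticket, which is why the constructed scenario backdates discovery to the helpdesk report.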


HIPAA Security Violations

What is a HIPAA violation? A HIPAA violation is the failure to comply with any HIPAA provision. OCR may impose civil monetary penalties, with an annual cap (adjusted for inflation) of $1.5 million for violations of the same provision, and state attorneys general may bring civil actions on behalf of their residents, with damages capped at $25,000 per calendar year for violations of an identical provision.

Civil penalties are divided into four tiers according to the level of culpability, from violations the entity did not know about to willful neglect that is not corrected.

Some of the most common incidents that lead to HIPAA Security Rule violations are:

  • Medical Identity Theft – This is when another person steals and uses your personal information to obtain money through fraudulent claims or to purchase prescription drugs. More troubling still, 30% of victims were not even aware when the identity theft occurred. One way to catch it is to read your EOB (explanation of benefits) carefully and keep a copy of your medical records.
  • Malicious Attacks on Networks – Ransomware is one of the most common attacks on healthcare institutions. In September 2020, the Ryuk ransomware attack on Universal Health Services (UHS), which operates roughly 400 facilities, took IT systems offline at facilities across the company and cost approximately $67 million. A VPN protects traffic in transit but does not stop ransomware; network segmentation, offline backups, prompt patching, and a tested recovery plan are what limit its impact.
  • Downloading PHI Onto Unauthorized Devices – Employees must be trained properly in the handling and transmission of PHI, and IT must grant specific, least-privilege permissions so that PHI cannot be copied where it does not belong.
  • Employees Snooping on Medical Records – Snooping on healthcare records is one of the most common HIPAA violations committed by employees. Once again, proper training should be provided to all new employees, with an annual refresher for existing employees, and access logs should be reviewed for it.

HIPAA violations are most often discovered by covered entities through internal audits, and by OCR through complaints and breach reports. Workforce members who knowingly obtain or disclose PHI can face criminal penalties, including prison time, if caught and convicted.

HIPAA Law  

HIPAA’s rules are designed to protect the privacy and security of patients’ health information. They are enforced by HHS’s Office for Civil Rights (OCR), which also enforces the federal civil rights laws that protect individuals from unlawful discrimination on the basis of race, color, national origin, disability, age, or sex in health and human services programs.

The HIPAA law can be broken down into five titles. Each title or section provides different rules and provisions. 

  • Title I – HIPAA Health Insurance Reform
  • Title II – HIPAA Administrative Simplification 
  • Title III – HIPAA Tax Related Health Provisions
  • Title IV – Application and Enforcement of Group Health Plan Requirements
  • Title V – Revenue Offsets

Title II, Administrative Simplification, is the part that directs HHS to adopt national standards for electronic healthcare transactions and for the privacy and security of health information; it is the source of the Privacy, Security, and Breach Notification Rules.

HIPAA Law and COVID

Under the Privacy Rule, as explained in OCR’s COVID-19 guidance, covered entities may in certain circumstances disclose the PHI of an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities without the individual’s authorization.

Those circumstances include:

  • When first responders may be at risk of infection
  • When disclosure is needed to provide treatment
  • When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual
  • When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public
  • When such notification is required by law

What Are the Three Rules of HIPAA?

  1. The Privacy Rule – establishes national standards to protect PHI and applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically.
  2. The Security Rule – requires covered entities and business associates to protect patients’ ePHI with appropriate administrative, physical, and technical safeguards.
  3. The Breach Notification Rule – requires covered entities to notify affected individuals (and HHS, and in large breaches the media) when their unsecured PHI is acquired, accessed, used, or disclosed in a way that compromises its privacy or security.

90/10 Rule HIPAA

The 90/10 Rule is a heuristic from security awareness training rather than a HIPAA regulation. It states that:

  • 10% of security safeguards are technical 
  • 90% of security safeguards rely on the computer user to adhere to good computing practices

Is HIPAA a Federal Law?

HIPAA is a federal law enforced by HHS’s Office for Civil Rights. The statute dates from 1996; the Privacy Rule, which sets limits on who can view and receive your health information, took effect for most covered entities in 2003, and the Security Rule, which requires safeguards for health information in electronic form, in 2005.

EHR Laws and Regulations

EHR stands for Electronic Health Record: a digital version of a patient’s paper chart, containing medical history, diagnoses, lab and test results, treatment plans, and medications. The Security Rule was established to protect the security of patients’ electronic health information under HIPAA, and it requires audit controls and a periodic risk analysis, so healthcare practices should implement an EHR audit checklist that covers both.

HIPAA Compliance and WFH Guidelines

Healthcare practitioners often ask how HIPAA affects working from home. The answer is that the rules do not change: covered entities and their workforce must abide by HIPAA whether they are working from home or at the office.

Remote work has real advantages, such as reduced costs and time saved traveling, but it widens the attack surface if proper security measures are not in place.

One way to address this is a VPN or zero-trust access service, which encrypts ePHI in transit between the remote device and the practice’s systems and keeps unauthorized users off the network.

HIPAA Compliance and The Cloud

  • AWS signs a Business Associate Addendum and designates the services that may be used to process, transmit, and store PHI, so customers can build HIPAA compliant applications on them.
  • Azure offers a BAA covering its in-scope services, allowing organizations to store, analyze, and interact with regulated health data in the cloud.
  • Salesforce will sign a BAA for certain of its services, covering the PHI handled within them.
  • Google Workspace and Google Cloud Platform are covered by a Google BAA for specified services.

In every case the provider’s BAA covers only the listed services, and the customer remains responsible for configuring those services securely (access control, encryption, logging) and for its own workforce and applications.

What Is a HIPAA Scan?

HIPAA does not mandate vulnerability scanning by name, but the Security Rule requires covered entities to perform a security risk analysis, and vulnerability scans are a standard input to it. Scans look for known vulnerabilities in applications, networks, and firewalls, and identify weaknesses and flaws in IT systems.

Some of the most common flaws revealed are:

Flaws in hardware: Outdated legacy hardware presents major problems. Meltdown and Spectre, for example, are flaws in CPU speculative execution that let an unprivileged process read memory it should not have access to, including data belonging to other users on a shared system; mitigating them requires firmware and operating system updates that older hardware may no longer receive.

Flaws in software: Unpatched bugs in applications, and common web application weaknesses such as cross-site scripting (XSS).

Additional vulnerabilities exist in operating systems such as unsupported versions of Windows and in browsers such as Google Chrome or Mozilla Firefox that are not kept up to date.

HIPAA Rules & Regulations

The first step towards Security Rule compliance is the assignment of security responsibility: naming a HIPAA Security Officer (security official) who is responsible for developing and implementing the Security Rule policies and procedures.

HIPAA rules and regulations give guidance on the permitted uses and disclosures of PHI, how to secure PHI, and the measures that must be taken should there be a PHI breach.

HIPAA does not prescribe specific firewall rules, but a common way to meet its access-control and transmission-security standards is a default-deny firewall policy in which connections into and out of networks that hold PHI have to be explicitly authorized.

When it comes to the application of the HIPAA privacy rules to religious organizations, it’s important to know that many religious entities, such as ministries, are not subject to the HIPAA privacy rule.

HIPAA documentation is a lengthy effort but absolutely essential: the documentation records the policies, procedures, risk analysis, and other security measures covering every HIPAA requirement, and must be retained for six years from its creation or last effective date.

The Privacy and Security Rules require workforce training, which every new member must undergo as part of their HIPAA training and which must be refreshed as policies change.


HIPAA Compliance Checklist

There are rules and procedures that all healthcare organizations must follow. Keeping a HIPAA compliance checklist for reference is crucial to stop cybercriminals from exposing sensitive information.

The most common HIPAA guidelines include:

  • Ensuring proper HIPAA training for all members of staff
  • Designating a HIPAA privacy official and a security official
  • Reviewing all third-party BAAs (Business Associate Agreements) to make sure they meet HIPAA requirements
  • Regularly reviewing policies and procedures with staff to make sure everyone remains up-to-date

The HIPAA technology checklist (the Security Rule’s technical safeguards) consists of:

  • Access Control – centrally managed, unique credentials for every single user, plus emergency access procedures, automatic logoff, and encryption of stored ePHI where reasonable and appropriate.
  • Integrity Controls – policies, procedures, and mechanisms (such as checksums or digital signatures) to ensure that ePHI is not improperly altered or destroyed.
  • Network Security – ePHI sent beyond the internal firewalled servers over open networks must be encrypted in transit, and the receiving side must be able to decrypt it and detect tampering.
  • Audit Controls – hardware, software, and procedural mechanisms that record and examine activity in every information system that contains or uses ePHI.
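As an added example of how the access-control, integrity and audit items above fit together in code (not code from the page or from Perimeter 81; the roles, field sets, patient record and clock are constructed), the following Python model enforces minimum-necessary, role-based access to a patient record, logs every read, change and refusal, and chains the audit entries with SHA-256 so that a removed or edited entry is detected:

```python
"""Minimum-necessary access control with a tamper-evident audit trail
(added example, not page or vendor code)."""
import hashlib
import json
from datetime import datetime, timezone

# Minimum necessary: each role sees and edits only the fields its job needs.
# Roles and field sets are constructed for the example.
ROLE_FIELDS = {
    "physician":  {"read": {"name", "dob", "diagnoses", "medications", "labs"},
                   "write": {"diagnoses", "medications"}},
    "billing":    {"read": {"name", "dob", "insurance_id", "billing_codes"},
                   "write": {"billing_codes"}},
    "front_desk": {"read": {"name", "phone", "address"},
                   "write": {"phone", "address"}},
}


class AccessDenied(PermissionError):
    pass


class AuditLog:
    """Append-only log; each entry's hash covers its content and the previous hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **event):
        event["prev_hash"] = self.entries[-1]["hash"] if self.entries else self.GENESIS
        event["hash"] = self._digest(event)
        self.entries.append(event)

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or self._digest(entry) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


class PatientStore:
    def __init__(self, records, log, clock=None):
        self.records = records
        self.log = log
        self.clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _authorize(self, user, role, mode, fields):
        allowed = ROLE_FIELDS.get(role, {}).get(mode, set())
        denied = sorted(set(fields) - allowed)
        if denied:
            # Refusals are logged too: repeated denials are the snooping signal.
            self.log.append(ts=self.clock(), user=user, role=role,
                            action=f"{mode}_denied", fields=denied)
            raise AccessDenied(f"{user} ({role}) may not {mode} {denied}")

    def read(self, user, role, patient_id, fields):
        self._authorize(user, role, "read", fields)
        self.log.append(ts=self.clock(), user=user, role=role, action="read",
                        patient=patient_id, fields=sorted(fields))
        return {f: self.records[patient_id][f] for f in fields}

    def update(self, user, role, patient_id, changes):
        self._authorize(user, role, "write", changes)
        record = self.records[patient_id]
        # Old and new values are kept so every change to ePHI can be reconstructed.
        diff = {f: {"old": record.get(f), "new": v} for f, v in changes.items()}
        record.update(changes)
        self.log.append(ts=self.clock(), user=user, role=role, action="update",
                        patient=patient_id, changes=diff)


def build_demo():
    """Constructed store with one fictional patient and a deterministic clock."""
    records = {"p1": {"name": "Jane Roe", "dob": "1980-02-02", "phone": "555-0100",
                      "address": "1 Example St", "diagnoses": ["I10"],
                      "medications": [], "labs": {}, "insurance_id": "X1",
                      "billing_codes": []}}
    ticks = iter(range(60))
    log = AuditLog()
    store = PatientStore(records, log, clock=lambda: f"2024-01-15T09:00:{next(ticks):02d}Z")
    return store, log


if __name__ == "__main__":
    store, log = build_demo()
    print(store.read("u_desk", "front_desk", "p1", ["phone"]))
    try:
        store.read("u_desk", "front_desk", "p1", ["diagnoses"])
    except AccessDenied as e:
        print("denied:", e)
    store.update("dr_smith", "physician", "p1", {"medications": ["lisinopril 10 mg"]})
    print("log intact:", log.verify() == -1)
    log.entries[0]["fields"] = ["diagnoses"]   # simulate tampering with the log
    print("first bad entry after tampering:", log.verify())
```

Running the file shows a front-desk user reading a phone number, being refused the diagnoses, a physician updating medications, and the chain check failing once an entry is altered. In a real deployment the log is written to append-only storage off the host and the latest hash is periodically anchored (for example by signing it), because an attacker with write access to both the records and the log could otherwise rewrite the whole chain.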

HIPAA Compliant Teleconferencing

There are web conferencing tools, such as Zoom and GoToMeeting, that can be used in a HIPAA compliant manner. These tools became especially important during COVID-19, when many patient consultations and health meetings moved online.

Sensitive information can leak with a single click, causing a major breach and costing healthcare organizations heavily: over $13.2 billion in 2020 alone.

Is Zoom HIPAA Compliant?

Zoom can be used in a HIPAA compliant manner. Zoom signs a Business Associate Agreement with healthcare customers, and the customer must then configure its account and use the platform in accordance with the HIPAA rules; no product is HIPAA compliant on its own.

Zoom’s privacy features let the host control who is admitted to a session, individually or in groups. Secure video conferencing on the platform is used by healthcare professionals worldwide.

Is GoToMeeting HIPAA Compliant?

Yes, GoToMeeting can be used in a HIPAA compliant manner. The GoToMeeting Business Associate Agreement (BAA) is a legal contract committing the provider to the safeguards required for PHI transmitted through its platform.

The BAA also states that each signing party is responsible for maintaining its own compliance.

HIPAA Certification

Many websites offer HIPAA training and certificates, but HHS does not endorse or recognize any HIPAA certification. A certificate on a resume shows that a workforce member, such as a medical device representative or pharma sales rep, has completed training; it does not establish that their employer complies with all HIPAA rules.

Such training should be refreshed regularly, since compliance depends on current policies and a trained workforce, and lapses in both are what lead to fines.

HIPAA Compliant Website

If your website collects or transmits any patient data, such as a contact form that receives PHI, your organization must apply the HIPAA rules to it.

There is no official HIPAA certification for cloud storage providers. Under HHS guidance, a cloud provider that stores or processes ePHI is a business associate and must sign a BAA; Dropbox, for example, offers one to its business customers.

Even with a BAA in place, you remain responsible for configuring the service and for taking appropriate security measures with protected health information.

Regardless of your organization’s size, encrypting ePHI in transit is essential. A VPN or zero-trust access service does this for remote connections, and combined with least-privilege access for employees and third-party providers it minimizes the chance of a breach. And that is HIPAA in a nutshell.

How Perimeter 81 Helps with HIPAA Compliance

Perimeter 81 offers a secure, HIPAA compliant VPN for healthcare professionals that meets HIPAA encryption requirements and security software standards.

Curious to see if your organization meets our HIPAA Compliance Checklist? Find out how Perimeter 81 secures healthcare organizations and maintains the highest levels of HIPAA compliance for remote employees with Zero Trust.

Highlighting The Importance of Perimeter 81 for HIPAA Compliance

Encrypt Transmitted Data: Perimeter 81 helps encrypt all sensitive information such as Electronic protected health information or ePHI, making the data unreadable and indecipherable.

Secure Remote Access: Perimeter 81 encrypts all traffic with always-on encryption, requires MFA at login, applies traffic firewalling, and checks device posture to ensure that stored and transmitted data remains private.

Centralized Cloud Platform: Grant employees and business associates limited access via least privilege. Ensure that PHI remains confidential by establishing user roles, significantly reducing the potential for a data breach.

HIPAA Compliance FAQs

What does it mean to be in compliance with HIPAA?
Being HIPAA Compliant means that your organization must follow all HIPAA rules and regulations.
What are the three rules of HIPAA?
1. The Privacy Rule
2. The Security Rule
3. The Breach Notification Rule
What are the guidelines for HIPAA compliance?
-Ensure that patients’ Protected Health Information (PHI) remains secure and confidential
-Limit access of patient information on a need to know basis
-Inform patients of their rights
-Ensure full compliance in the workforce with policies and procedures in place
-Train your staff accordingly 
What is the HIPAA compliance checklist?
-Implement written policies, procedures, and standards of conduct
-Conduct the required annual audits and office assessments 
-Designate a HIPAA compliance officer and conduct annual HIPAA training for all members of staff
-Review with employees and staff the procedures for reporting breaches
-Enforce HIPAA standards through policies and guidelines
What are common HIPAA violations?
-Malware incidents
-Lost or stolen devices (laptop, USB, smartphone)
-Social media posts 
-EHR breach
-Mishandling of medical records 
-Misuse of PHI (discussing confidential information outside the office, sending it to the wrong patient, selling it to outside providers, etc.) 
-Lack of employee training 


Simplify your network security today.