What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. 

admin

19.03.2024

16 min read

Why is HIPAA Important?

HIPAA was intended to improve the portability and continuity of health insurance coverage and give patients more control over their health information. It also provides data privacy and security in healthcare to protect patients’ medical information from cyber attacks.

This is especially important for healthcare providers or organizations that use electronic health records or EHR.

An EHR stores digital records of patient health information such as diagnoses, medications, radiology images, and billing data. It is commonly used in hospitals and other healthcare facilities and must adhere to the highest level of HIPAA standards.

In 2020, data breaches affected 26.4 million records in the U.S. alone, costing the healthcare industry over $13 billion.

When you think about the amount of personal information stolen at the hands of eager cybercriminal entrepreneurs, it makes HIPAA easy to understand why we have HIPAA safeguards in place.

The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect PHI and applies to health plans, clearinghouses, and healthcare providers that conduct certain transactions electronically.

The purpose of the rule is to make sure that individuals’ health information is properly protected while at the same time allowing the proper flow of information necessary for high-quality care. 

What are the HIPAA Security Rules?

The HIPAA Security Rule requires physicians to protect patients’ ePHI using appropriate administrative, physical, and technical safeguards. It’s the operational side of the privacy rule and involves various technical and non-technical solutions and safeguards that covered entities must implement to secure ePHI.

All covered entities must assess the risk and put safeguards to protect patients’ health information. The job of these entities, according to the US Department of Health & Human Services, under the HIPAA rule, is to:

1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit
2. Identify and protect against reasonably anticipated threats to the security or integrity of the information
3. Protect against reasonably anticipated, impermissible uses or disclosures
4. Ensure compliance by their workforce

HIPAA Cost

It’s important to allocate the necessary funds to properly store and secure patients’ sensitive information. The full cost of a gap analysis or a HIPAA audit is around $20,000, according to some reports.

Here is how the cost breakdown for small businesses: 

• $2,000 for risk management and analysis planning
• Between $1,000 and $8,000 for remediation
• $3,000 or more for policy development and employee training

Your total compliance cost can range between $4,000 and $12,000, depending on your technology, resources, and number of employees.

Here is the cost breakdown for medium to larger businesses:

• $20,000-$40,000 for a full HIPAA audit
• $500-800 to scan for vulnerabilities
• $20,000 for risk management and analysis planning
• $5,000 for penetration testing
• $5,000 to $8,000 for policy development and training

The total cost for medium to large businesses can be between $40,000 and $50,000. 

The Breach Notification Rule

This rule requires covered entities to notify patients when their unsecured PHI is used without permission or breached in a way that compromises the privacy and security of the PHI.

Looking for a HIPAA-Compliant Cybersecurity Solution?

Who is Covered by HIPAA?

As defined by HIPAA rules, covered entities include healthcare providers, healthcare clearinghouses (a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements), and health plans.

These entities are responsible for dealing with transactions that involve payment and or billing, and insurance.   

Other covered entities include:

• Physicians
• Nurses
• Hospitals
• Dentists 
• Chiropractors 
• Nursing Homes
• Pharmacies
• Insurance companies
• Other healthcare programs

HIPAA requires that all covered entities designate a privacy official, as the job of a privacy official is to be responsible for developing and implementing privacy policies and procedures.

A privacy official is a contact person responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.

Business Associates Must Comply with HIPAA Privacy Standards

Business associates are entities or people that perform or assist in an activity involving PII, such as claims processing, quality assurance reviews, data analysis, or any other function regulated by the HIPAA rule.

Pharmaceutical suppliers are considered business associates and must follow strict HIPAA regulations related to selling pharmaceuticals to physicians.

Other examples of business associates include:

• Accountants
• Consultants 
• Suppliers (medical devices)
• Legal 
• Data Aggregation
• Administrative/Management
• Financial Services

Looking for a HIPAA-Compliant Network Security Solution?

What Information is Protected by HIPAA?

Protected health information (PHI), as defined in the 2003 Privacy Rule, encompasses all information that can be used to identify a patient. HIPAA Security Rule safeguards categories of PHI information, which include eighteen specific identifiers such as: 

• Name
• Address
• Telephone
• Social Security 
• Email 
• Medical Records
• Fax Numbers
• IP Addresses
• URLs
• Biometric identifiers such as fingerprints 
• Account Numbers 
• Photos
• Vehicle License Plates
• Customer Transactions

Only authorized individuals may process the information listed above as HIPAA security rules safeguard against unauthorized access.

What is ePHI?

ePHI is any protected health information (PHI) created, stored, transmitted, or received in any electronic format or media. ePHI stands for Electronic Protected Health Information and is governed by the HIPAA Security Rule. 

ePHI HIPAA best practices and safeguards include:

• Strong passwords and the use of Multi-Factor Authentication (2FA)
• Unique accounts for each user
• Providing each user the minimum ePHI access required to work
• Record all changes to ePHI (change of patient address, telephone, email, etc.) 

How Does HIPAA Address Employees’ Access to ePHI?

Healthcare providers must have access to ePHI on a “need-to-know” basis, and that’s pretty limited. ePHI must be protected by providers regardless of where they are.

One method of protecting patient information is through end-to-end encryption, which can only be deciphered with a decryption key. Otherwise, the data appears scrambled and unreadable.

Medical records, for instance, must have this added layer of security to defend against malicious hackers.  

Other ePHI examples include: 

• Emailed lab results or blood test reports 
• E-prescriptions, stored X-rays, MRIs, or other digital photos of a patient
• Patient notes stored in a mobile device
• Appointments and procedures are stored on an e-calendar
• Any kind of identifiable health information

HIPAA Procedures

PHI policies are the job of a privacy official under the HIPAA Act. Privacy officials are responsible for mitigating risks and handling business-related complaints.

PHI procedures place strict emphasis on access to confidential information and should be given only to authorized personnel.

HIPAA policies and procedures include: 

• The proper use and disclosure of a patient’s PHI
• A Notice of Privacy is given to the patient to inform them how their health information could potentially be used
• Standards and guidelines that describe to the patient their rights over their PHI

HIPAA Regulations

HIPAA regulations establish national standards to protect individuals’ medical records and other identifiable health information. These laws apply to health plans, healthcare facilities of any kind, healthcare clearinghouses, and individual practitioners and employees.

The 3 main HIPAA regulations include the HIPAA privacy rule, the HIPAA security rule, and the breach notification rule. And these require strict compliance.

HIPAA Compliance Requirements

HIPAA Compliance PHI refers to patients’ protected health information and is mandatory for most healthcare facilities in the United States. The HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.

HIPAA does permit PHI email sending. However, all emails must be fully encrypted and have a high level of PHI security. The HIPAA Security Rule establishes national standards for protecting PHI.

HIPAA Medical

Healthcare data security standards protect patient confidentiality and must comply with HIPAA regulations.

It is also crucial to update HIPAA medical software routinely to avoid potential vulnerabilities that cybercriminals can easily expose. Malicious actors can quickly steal patient information and sell it for as little as $5.40 on the black market. 

HIPAA-compliant medical software protects against some of the most common risk factors:

• Outdated legacy systems
• Unsecured network security
• Malicious emails, such as Phishing scams
• Weak passwords (ex: 12346, Qwerty, and even astonishingly, the word “password” itself)
• Lack of training among employees and other third-party care providers

Healthcare professionals must abide by stringent medical HIPAA laws, an ethical code, and moral obligations. All healthcare facilities must appoint a privacy officer to ensure that HIPAA rules and regulations are being enforced. 

Physicians should follow strict HIPAA regulations for medical records storage and remain in HIPAA ICD-10 compliance for all electronic transactions as covered by the Health Insurance Portability and Accountability Act of 1996.

HIPAA Compliance Checklist for a Medical Office

1. Train Your Staff on HIPAA Policies and Procedures – Employees should be very familiar with the HIPAA Policies & Procedures Desk Reference, which can be purchased online via Amazon. Although there are regular updates, this book acts as a starting point and is highly recommended. 
2. Set Up a HIPAA Policy for The Medical Office – Develop a manual with written policies and step-by-step procedures for everyone to follow. Don’t be afraid to quiz staff occasionally to make sure everyone is up to date.
3. Maintain Privacy – Never disclose any patient information or leave patient files unattended. Always knock before entering any room and avoid public places when speaking with patients. 
4. Use HIPAA Compliance Software – This not only includes installing the latest security updates but also staying current with new HIPAA regulations on electronic medical records and HIPAA medical record storage requirements. 

If HIPAA compliance requirements are not met, the business can face legal action by government entities (which can be monetary penalties) and be forced to create a corrective action plan. 

What Are Patient Rights Under HIPAA?

1. The Right to Obtain a Copy of Your Health Data – Every patient has the right to either view or obtain a copy of their health data. A copy of your medical records will be provided within 30 days. A small fee might be applied. 
2. The Right to Find Out Who Has Received Your Health Data – Covered entities (such as health care providers) must provide information on a patient’s health data over the past six years.  
3. The Right to Restrict Sharing of Your Health Data – Patients can choose who to share their PHI with. HIPAA-covered entities are not permitted to sell health data or use it for marketing, advertising, research, or any kind of personal gain or commercial advantage without first obtaining written authorization.
4. The Right to File a Complaint for a Privacy Violation – A patient may file a complaint if they feel that unauthorized individuals have accessed any PHI. 
5. The Right to Correct Errors in Your Health Records – HIPAA gives patients the right to change their health information to correct mistakes. Requests must be submitted in writing. 
6. Notification of Privacy Practices – All HIPAA-covered entities are required by law to notify you about how your medical data will be used. 

One popular question physicians research is “Are sign-in sheets required by law?” The answer is that, yes, covered entities may use sign-in sheets as long as the information disclosed is limited, according to the Department of Health and Human Services.

How Do You Break HIPAA?

Examples of HIPAA Security Rule violations include: 

• Failure to implement sufficient safeguards to ensure the confidentiality, integrity, and availability of PHI
• Improper disposal of PHI
• Impermissible disclosures of PHI
• Failure to conduct risk analysis
• Failure to manage risks properly
• Unauthorized release of PHI to individuals that are not authorized to receive the information
• Sharing PHI online on social media without permission
• Failure to encrypt PHI 
• Failure to implement access controls to limit who can view PHI and failure to terminate access when no longer required
• Failure to train employees on security awareness and HIPAA compliance
• Failure to monitor PHI access logs
• Failure to provide patients with a log of disclosures upon request
• Willful neglect of security preaches by medical providers

A HIPAA violation is failing to comply with any HIPAA aspect or provision, which can result in criminal or civil money penalties. The penalties for these violations start from $25,000 per violation category issued by State Attorneys and upwards of $1.5 million from the Office of Civil Rights. 

The possible reasons why HIPAA violations occur can be divided into four possible scenarios:

• Medical Identity Theft is when another person steals and utilizes your personal information to obtain money through fraudulent claims or purchase prescription drugs. Even more shocking is that 30% of victims are unaware of when identity theft occurs. One way to prevent identity theft is to thoroughly read your EOB (explanation of benefits) and get a copy of your medical records, just in case. 
• Malicious Attacks on Networks – One of the most common attacks on healthcare institutions is ransomware. In 2017, the infamous Ryuk Ransomware attack on Universal Health Services (UHS) occurred, which had over 400 locations. The attack disrupted over 80 medical facilities, costing approximately $67 million in lost revenue. Having a secure Business VPN can help alleviate this type of damage.  
• Downloading PHI Onto Unauthorized Devices – Employees must be trained properly on handling PHI. Specific permissions and least privilege access must be granted by IT to prevent any PHI from leaking out. 
• Employees Snooping on Medical Records – Snooping on healthcare records under false pretenses is one of the most common HIPAA violations committed by employees. Once again, proper training should be provided to all new employees, and an annual review for existing employees just to be on the safe side. 

HIPAA-covered entities mainly discover HIPAA violations through internal audits. Employees involved in such violations can face severe penalties and even prison time if they’re caught and convicted.

What is a Compliance Breach?

A compliance breach is a result of not complying with HIPAA breach notification rules, guidelines, and policies. Breaches can also occur due to human error, but proper investigations into the incident will help determine the cause and whether or not it is a HIPAA violation.

Breaches must be reported 60 days after discovery, known as “reasonable diligence,” to a privacy or security officer. 

Failure to report the incident within 60 days may result in a massive penalty from the OCR or a lawsuit. This process should be part of an OCR HIPAA audit checklist. All breaches should be reported, regardless of scope.

Looking for a HIPAA-Compliant Network Security Solution?

HIPAA Legal Requirements

HIPAA laws are designed to protect the privacy and security of patients’ health information. The HHS enforces federal civil rights laws that protect the rights of individuals and entities from unlawful discrimination on the basis of race, color, national origin, disability, age, or sex in health and human services.

The HIPAA law can be broken down into five titles. Each title or section provides different rules and provisions. 

• Title I – HIPAA Health Insurance Reform
• Title II – HIPAA Administrative Simplification 
• Title III – HIPAA Tax-Related Health Provisions
• Title IV – Application and Enforcement of Group Health Plan Requirements
• Title V – Revenue Offsets

In HIPAA Title II, organizations must implement safe electronic access to PHI under the United States Department Of Health and Human Services (HHS).

HIPAA Law and COVID

The HIPAA privacy law states that covered entities may disclose the protected health information of an individual infected with or exposed to COVID-19 with law enforcement, paramedics, other first responders, and public health authorities without consent from the individual. 

The other exceptions of HIPAA laws and COVID include:

• When first responders may be at risk of infection
• When disclosure is needed to provide treatment
• When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual
• When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public
• When such notification is required by law

90/10 Rule HIPAA

The 90/10 Rule establishes good security standards which state that: 

• 10% of security safeguards are technical 
• 90% of security safeguards rely on the computer user to adhere to good computing practices

Is HIPAA a Federal Law?

HIPAA is a federal law enforced by the HHS Office for Civil Rights. It sets limits on who can view and receive your health information in physical or electronic form.

EHR Laws and Regulations

EHR stands for Electronic Health Records, a digital version of a patient’s paper chart containing medical history, diagnoses, lab and test results, treatment plans, and medications. The Security Rule was established to protect patients’ security of electronic health information under HIPAA. Healthcare practices should also implement an effective EHR Audit Checklist as HIPAA Federal laws and regulations require.

WFH Guidelines and HIPAA-Compliant VPN

All covered entities must abide by HIPAA rules, whether working from home or at the office. 

Although there are great advantages such as reduced costs and time saved traveling, there are drawbacks and potential risks if proper security measures are not in place. 

One way to prevent this concern is through a HIPAA-compliant VPN, which protects against outside threats and malicious actors and encrypts all sensitive PHI data.  

HIPAA Compliance and The Cloud

• AWS HIPAA compliance allows customers to build HIPAA-compliant apps that process, transmit, and store PHI. 
• Azure HIPAA compliance allows organizations to store, analyze, and interact with regulated health data while maintaining security, privacy, and compliance, all on the cloud. 
• Salesforce HIPAA compliance allows healthcare providers to send emails in a secure way.
• Google Workspace allows for HIPAA compliance on the Google Cloud platform.

What Is a HIPAA Scan?

HIPAA requires covered entities to perform regular security risk analyses. Vulnerability scans may take place to find known vulnerabilities in apps, networks, and firewalls. Vulnerability scans identify weaknesses and flaws in IT systems. 

Some of the most common flaws that you can find during a scan are:

Flaws in hardware: Outdated legacy hardware systems present major problems. Two such vulnerabilities are Meltdown and Spectre, which can wreak havoc on your hardware systems and create golden opportunities for anxious hackers. 

Flaws in software: These flaws can be found in bugs that have not been addressed properly and Cross-site scripting (XSS), commonly found in applications.

Additional vulnerabilities exist on operating systems such as old versions of Windows or via browsers such as Google Chrome or Mozilla.

Looking for a HIPAA Compliant Network Security Solution

HIPAA Compliance Checklist

There are a ton of rules and procedures which all healthcare organizations must follow, which can get overwhelming. That’s why we recommend implementing a HIPAA compliance checklist to help streamline the process.

The most common HIPAA guidelines include:

• Ensuring proper HIPAA training for all members of the staff 
• Appointing a HIPAA compliance privacy or security officer 
• Reviewing all third-party BAA (Business Associate Agreements) to make sure they meet HIPAA compliance standards
• Regularly reviewing policies and procedures with staff to make sure everyone remains up-to-date

The HIPAA technology checklist consists of:

• Access Control – where centrally controlled individual credentials for every user are implemented.
• Integrity Controls – where policies and procedures are put in place to ensure that ePHI stays unaltered and safe from harm. 
• Network Security – where all devices must be able to encrypt messages sent beyond internal firewalled servers and be able to decrypt them once received.
• Audit Controls – where ePHI must be recorded and examined in information systems.
• To expand your knowledge on the topic, read the following HIPAA books.

HIPAA Compliant Teleconferencing

There are certain HIPAA-compliant web conferencing tools such as Zoom and GoToMeeting. These video tools are especially important during COVID-19 when most health meetings must take place online.

Sensitive information can easily leak into the wrong hands with a click of a button, causing a major breach and costing healthcare organizations over $13.2 billion in 2020 alone.

Is Zoom HIPAA Compliant?

Zoom is, in fact, HIPAA compliant. The Zoom business associate agreement protects personal health information (PHI) in accordance with HIPAA guidelines.

Also, Zoom privacy features allow you to control who gets admitted to the session and encrypt all recordings. The platform is trusted by millions of healthcare professionals worldwide.

Is GoToMeeting HIPAA Compliant?

Yes, GoToMeeting is HIPAA compliant. The GoToMeeting Business Associate Agreement (BAA) is a legal contract that mandates that GoToMeeting contains the essential safeguards that secure all PHI transmitted through their platform.

The BAA also mentions that every signing party has its own responsibility with regard to maintaining its own compliance.

HIPAA Certification

There are many great and reliable websites that can guide you on how to get HIPAA certified. A HIPAA certification on a resume demonstrates that a covered entity or business associate, such as a medical device company or pharma sales rep, fully complies with all HIPAA rules and regulations.

A HIPAA-compliant certification should be updated as often as possible to avoid hefty fines and provide your employees with proper training. 

HIPAA Compliant Website

If you are working with any sort of data related to a patient through your website, such as a PHI email, your organization must follow stringent HIPAA website laws.

There are no official rules that govern HIPAA cloud storage services concerning PHI. Cloud service providers like Dropbox do not have any HIPAA or HITECH certifications.

That means you are responsible for taking appropriate security measures with protected healthcare information. 

Regardless of your organization’s size, it is absolutely crucial to have a VPN for HIPAA compliance in place. A VPN will help encrypt all ePHI and minimize the chance of a breach by granting limited privilege access to employees and third-party providers. And that is HIPAA in a nutshell.

How Perimeter 81 Helps with HIPAA Compliance

Perimeter 81 offers the most secure HIPAA-compliant VPN for healthcare professionals, which meets the highest HIPAA encryption compliance requirements and HIPAA security software standards. 

Curious to see if your organization meets our HIPAA Compliance Checklist? Find out how Perimeter 81 secures healthcare organizations and maintains the highest levels of HIPAA compliance for remote employees with Zero Trust.

The Power of Perimeter 81 for HIPAA Compliance

Encrypt Transmitted Data: Perimeter 81 helps encrypt all sensitive information, such as electronic protected health information or ePHI, making the data unreadable and indecipherable.

Secure Remote Access: Perimeter 81 leverages always-on encryption and 2FA of all traffic, as well as traffic firewalling and device posture checks to ensure that stored and transmitted data remains private.

Centralized Cloud Platform: Grant employees and business associates limited access via the least access privilege. Ensure that PHI remains confidential by establishing user roles, significantly minimizing the potential of a data breach.