HIPAA

What is HIPAA compliance?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of federal regulations that govern the lawful use and disclosure of protected health information (PHI). The Department of Health and Human Services (HHS) is responsible for HIPAA, and its Office for Civil Rights (OCR) enforces the Privacy, Security, and Breach Notification Rules.

Protected Health Information (PHI) is any individually identifiable health information, including demographic data, that is created, received, held, or transmitted by a HIPAA-covered entity or its business associates. Names, addresses, phone numbers, Social Security numbers, medical record numbers, health insurance and billing records, and full-face photographs are only a few of the identifiers that make health information PHI.

Two types of entities are required to comply with HIPAA:

  1. Covered Entities: Health plans, healthcare clearinghouses, and healthcare providers that create, receive, or transmit PHI electronically in connection with standard transactions such as claims and eligibility checks are covered entities under HIPAA.
  2. Business Associates: A business associate is any organization that creates, receives, maintains, or transmits PHI while performing work on behalf of a covered entity. Because so many kinds of service providers handle PHI, the list of business associates is long: billing companies, practice management firms, third-party contractors, EHR vendors, MSPs, IT providers, faxing services, document shredding companies, physical records storage providers, cloud storage providers, email hosting services, lawyers, accountants, and many more. A subcontractor of a business associate that handles PHI is itself a business associate.

What are the requirements for HIPAA Compliance?

The HIPAA standards and rules are as follows:

  • National Provider Identifier Standard
    Every covered healthcare provider, whether an individual practitioner or an organization, must obtain a unique 10-digit National Provider Identifier (NPI) and use it in standard electronic transactions.
  • Transactions and Code Set Standard
    Healthcare organizations must use the standard electronic data interchange (EDI) transaction formats and code sets when submitting and processing insurance claims and related transactions electronically.
  • HIPAA Privacy Rule
    The Privacy Rule governs how PHI may be used and disclosed, in any form, and gives individuals rights over their own health information, including the right to access it, to request corrections, and to learn how it has been shared.
  • HIPAA Security Rule
    The Security Rule specifies the safeguards that must be in place to protect electronic protected health information (ePHI), meaning PHI that is created, stored, or transmitted electronically. It requires administrative, physical, and technical safeguards, starting with a documented risk analysis of where ePHI lives and how it could be compromised.
  • HIPAA Enforcement Rule
    The Enforcement Rule sets out how HHS investigates complaints and conducts compliance reviews, how civil money penalties are calculated, and the hearing procedures that apply when violations are found.
  • HIPAA Breach Notification Rule
    When unsecured PHI or ePHI is breached, covered entities and business associates must follow the HIPAA Breach Notification Rule. PHI counts as unsecured unless it has been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance, so a lost laptop holding only properly encrypted ePHI is generally not a reportable breach, while a lost unencrypted one is. Every breach of unsecured PHI must be reported, regardless of size: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals must also be reported to HHS within that window (and to the media when more than 500 residents of a state or jurisdiction are affected); smaller breaches are logged and reported to HHS annually.
  • HIPAA Omnibus Rule
    The HIPAA Omnibus Rule of 2013 extended direct liability under HIPAA to business associates and their subcontractors, in addition to covered entities. It specifies what business associates must do to be HIPAA compliant and sets the requirements for Business Associate Agreements (BAAs). Before ANY PHI or ePHI is shared, a BAA must be in place between the covered entity and the business associate, and between a business associate and any subcontractor that will handle the PHI.

Why should you be HIPAA compliant?

A HIPAA-compliant healthcare provider has adequate safeguards in place to protect patient records. Patients are more likely to choose a HIPAA-compliant organization as their healthcare provider because compliance makes the organization more trustworthy.

Noncompliance can lead to substantial civil money penalties assessed by HHS OCR. Penalties are tiered by culpability: from $100 per violation where the organization did not know, and could not reasonably have known, of the violation, up to $50,000 per violation for willful neglect, with an annual cap of $1.5 million for repeated violations of the same provision (these are base amounts, adjusted annually for inflation). Penalties are highest when OCR finds willful neglect that the organization failed to correct.

How to achieve compliance?

HIPAA lays out a set of national standards that every covered entity and business associate must address. In practice, achieving compliance involves the following:

  • Self-Audits – HIPAA requires covered entities and business associates to perform a risk analysis and periodic evaluations of their organization to identify administrative, technical, and physical gaps against the Privacy and Security Rules. A security risk analysis is necessary but not sufficient: it is one of several audits that HIPAA-covered organizations must repeat year after year to maintain compliance.
  • Remediation Plans – After each self-audit, covered entities and business associates must carry out remediation measures to close the gaps found. These plans must be fully documented and include target dates for when each gap will be closed.
  • Policies, Procedures, Employee Training – Covered entities and business associates must adopt policies and procedures that meet HIPAA's regulatory requirements, train all workforce members on them, and record that training. Policies and procedures must be reviewed and revised as the organization changes.
  • Documentation – Every policy, procedure, risk analysis, remediation plan, training record, and BAA must be documented, and that documentation must be retained for at least six years from its creation or its last effective date, whichever is later. Auditors will ask for this evidence, so keeping it current and accessible is part of compliance.
  • Business Associate Management – To ensure PHI is handled safely and to limit liability, covered entities and business associates must inventory every third-party vendor with which they share PHI in any way and sign a Business Associate Agreement with each. BAAs must be in place before any PHI is exchanged and should be reviewed at least annually to account for changes in the organization's vendor relationships.
  • Incident Management – If a covered entity or business associate suffers a breach, it must follow the HIPAA Breach Notification Rule: document the incident, notify the affected individuals, and report the breach to HHS (and, for large breaches, the media) within the required timeframes.


The HIPAA framework has been integrated into the Centraleyes platform to help organizations that hold PHI and ePHI comply with the data privacy and protection standards for safeguarding medical data. The platform maps the controls of this framework to the extensive control inventory of other frameworks and standards, such as the NIST frameworks. The Centraleyes platform saves time and resources, generates more accurate, measurable data, and brings you peace of mind when working towards HIPAA compliance.

Read more:

https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996

https://www.centraleyes.com/standards-nist-csf
