HIPPA

Don’t put at risk your clients and health organization! We can help you to follow the HIPPA regulations

A DEFINITION OF HIPAA COMPLIANCE

Abstract Technology background.Security concept with padlock icon

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.

HIPAA Enforcement

HHS’ Office for Civil Rights is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. Since 2003, OCR’s enforcement activities have obtained significant results that have improved the privacy practices of covered entities.  The corrective actions obtained by OCR from covered entities have resulted in systemic change that has improved the privacy protection of health information for all individuals they serve.

HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005. OCR became responsible for enforcing the Security Rule on July 27, 2009.


Enforcement data

How can we help you with the HIPPA regulations

  • Risk Assessment
  • Incident Response
  • Web App Testing
  • PCI-DSS compliance
  • Compliance With HIPPA Standards
  • Policies and Procedures
  • Penetration Testing
  • Training staff for Cybersecurity
  • Insider Threat and APT Assessment
  • CISO Services remotely and onsite
  • Part-time Privacy Officer Services
  • Social Engineering Testing
  • Physical Security Testing

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

Specifically, covered entities must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.4

When a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:

  • Its size, complexity, and capabilities,
  • Its technical, hardware, and software infrastructure,
  • The costs of security measures, and  
  • The likelihood and possible impact of potential risks to e-PHI.6

Risk Analysis and Management

A risk analysis process includes, but is not limited to, the following activities:

  • Evaluate the likelihood and impact of potential risks to e-PHI;
  • Implement appropriate security measures to address the risks identified in the risk analysis;
  • Document the chosen security measures and, where required, the rationale for adopting those measures; and
  • Maintain continuous, reasonable, and appropriate security protections.1

Administrative Safeguards

  • Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level. 
  • Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.1
  • Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).
  • Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
  • Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
Physical Safeguards
  • Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.21
  • Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media.2 A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
Technical Safeguards
  • Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.2
  • Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Required and Addressable Implementation Specifications
  • Covered entities are required to comply with every Security Rule “Standard.” However, the Security Rule categorizes certain implementation specifications within those standards as “addressable,” while others are “required.” The “required” implementation specifications must be implemented. The “addressable” designation does not mean that an implementation specification is optional. However, it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.2
Organizational Requirements
  • Covered Entity Responsibilities. If a covered entity knows of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation, the covered entity must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI. 
  • Business Associate Contracts. HHS developed regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009.
Policies and Procedures and Documentation Requirements
  • A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
  • Updates. A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).3
State Law
  • Preemption. In general, State laws that are contrary to the HIPAA regulations are preempted by the federal requirements, which means that the federal requirements will apply.3 “Contrary” means that it would be impossible for a covered entity to comply with both the State and federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.
Enforcement and Penalties for Noncompliance
  • Compliance. The Security Rule establishes a set of national standards for confidentiality, integrity and availability of e-PHI. The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is responsible for administering and enforcing these standards, in concert with its enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews.