
What is HIPAA compliance? A complete guide

The Health Insurance Portability and Accountability Act (HIPAA) is a key regulatory framework for securing sensitive patient data. It helps healthcare organizations improve their cybersecurity practices, streamline administrative processes, and support better coordinated patient care.
HIPAA compliance requires adherence to the policies and procedures of the HIPAA compliance framework, which prescribes how to securely handle protected health information (PHI). Since its introduction, the regulation has adapted to new threats, making it essential to regularly update your security posture to maintain compliance.
In this all-in-one HIPAA compliance guide, we walk through essential aspects of the regulation, including:
- Objectives of HIPAA
- HIPAA compliance scope and applicability
- Key compliance rules
- Penalties for non-compliance
- Best practices for HIPAA compliance
What are the main objectives of HIPAA?
Since it was passed in 1996, the main objectives of HIPAA have been to establish standards for securing PHI and to ensure employees can retain their insurance between jobs.
According to HIPAA, PHI refers to any information related to an individual’s past, present, or future health (physical or mental), the healthcare received, or payment for that care, when that information can be used to identify the individual. This can include information such as name, contact information, discharge date, health beneficiary plan number, or other unique identifiers.
Over time, the goals of HIPAA compliance in healthcare have expanded beyond securing private information. The framework has since introduced a series of standards that regulate how PHI may be used and disclosed, while also granting patients greater rights over the collection, access, amendment, and sharing of their data.
Who needs to be HIPAA compliant?
Under HIPAA, all entities and individuals that handle PHI must demonstrate compliance. Organizations that must comply with HIPAA are categorized as either covered entities or business associates.
According to HIPAA, covered entities are organizations that provide treatment, payment, or operations in healthcare, and include:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
Until 2013, only covered entities had to demonstrate HIPAA compliance. However, the introduction of the HIPAA Omnibus Rule extended this obligation to business associates (BAs), which are third-party organizations that handle PHI on behalf of covered entities. These can be:
- Cloud service providers
- Billing companies
- Financial services firms
While there is no official HIPAA certification process, business associates may choose to undergo third-party training or audits to be considered HIPAA-certified and demonstrate good-faith efforts to clients and prospects.
Covered entities are required to enter into a business associate agreement (BAA) before disclosing any PHI to a business associate. The BAA ensures that the business associate meets specific security standards and clearly defines the permitted uses and disclosures of PHI.
Some of the key points a BAA must contain include:
- An outline of the security measures the BA will implement to safeguard PHI
- Guidelines for permissible disclosures
- Assurance that the BA’s subcontractors also meet HIPAA requirements
- Breach notification procedures
- Agreement terms and termination clauses
What are the HIPAA rules?
HIPAA compliance rules are a set of standards added to the HIPAA framework that outline different aspects of PHI management and security.
Although each rule focuses on different HIPAA compliance requirements, they share some essential principles, such as the Minimum Necessary Rule. This standard requires organizations to take reasonable steps to limit requests for use and disclosure of PHI to the minimum amount necessary to complete a specific task.
To fully comply with HIPAA, you’ll need to be familiar with its rules. HIPAA compliance primarily rests on three core rules:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
Additionally, the Omnibus Rule and the Enforcement Rule clarify requirements and strengthen enforcement.

1. The Privacy Rule
The goal of the Privacy Rule is to establish individuals’ rights over their PHI, explain how they can access it, and set clear guidelines for its use and disclosure. A key component of the Privacy Rule is the distinction between permitted and authorized uses and disclosures of PHI:
- Permitted uses and disclosures allow healthcare providers and other covered entities to share PHI without the patient’s authorization for treatment, payment, and healthcare operations. For example, a hospital may use a patient’s PHI to review the effectiveness of a particular treatment.
- Authorized uses and disclosures are related to purposes other than treatment and require explicit permission from the patient. For example, if an organization wants to share PHI with a third party for marketing purposes, it must first obtain written permission from the patient.
To comply with the Privacy Rule, you’ll need to evaluate your organizational environment and then implement appropriate administrative requirements, such as:
- Privacy policies and procedures: Develop and implement written policies and procedures that are consistent with the Privacy Rule
- Workforce training and management: Organize regular training sessions to ensure staff members are familiar with procedures
- Data safeguards: Implement reasonable administrative, technical, and physical safeguards to minimize the risk of unintentional PHI disclosure or use
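The Minimum Necessary standard and the permitted-versus-authorized distinction above can both be enforced in code at the point where PHI leaves a system. The following is an added example, not code from Vanta or from the article: a purpose-bound projection that releases only the fields an allowlist permits for the stated purpose, refuses purposes that would require patient authorization (such as marketing), and writes an audit entry for every disclosure. The field names, the per-purpose allowlists and the log format are constructed assumptions; a real deployment would derive them from its own policies.

```python
"""Added example (not from the original article): purpose-bound
"minimum necessary" projection of a PHI record with an audit trail.

Assumptions (not stated on the page): the record field names, the
per-purpose allowlists and the audit-log entry format are constructed
here for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed allowlists: each permitted purpose (treatment, payment,
# healthcare operations) may see only the listed fields. Any field not
# listed is withheld by default (deny-by-default), so identifiers such as
# an SSN or home address never leave unless a purpose explicitly needs them.
ALLOWLISTS = {
    "treatment": {"patient_id", "name", "date_of_birth", "diagnosis",
                  "medications", "allergies"},
    "payment": {"patient_id", "name", "plan_number", "procedure_codes",
                "service_date"},
    "operations": {"patient_id", "diagnosis", "procedure_codes",
                   "service_date", "discharge_date"},
}


def is_permitted_purpose(purpose: str) -> bool:
    """True only for purposes that do not need the patient's authorization."""
    return purpose in ALLOWLISTS


@dataclass
class DisclosureLog:
    """In-memory audit log; a real system would write to append-only storage."""
    entries: list = field(default_factory=list)

    def record(self, requester, purpose, sent, withheld):
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "requester": requester,
            "purpose": purpose,
            "sent": sorted(sent),
            "withheld": sorted(withheld),
        })


def minimum_necessary(record: dict, purpose: str, requester: str,
                      log: DisclosureLog, requested=None) -> dict:
    """Return the subset of `record` the purpose may see.

    `requested` optionally narrows the result to the fields the caller
    asked for; fields requested but not allowed are withheld and logged,
    never silently granted. Unknown purposes are refused outright rather
    than defaulting to full access.
    """
    if not is_permitted_purpose(purpose):
        raise ValueError(f"purpose {purpose!r} requires patient authorization; "
                         "disclosure refused")
    allowed = ALLOWLISTS[purpose]
    wanted = set(record) if requested is None else set(requested)
    sent = {k: v for k, v in record.items() if k in allowed and k in wanted}
    withheld = set(record) - set(sent)
    log.record(requester, purpose, sent.keys(), withheld)
    return sent


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "date_of_birth": "1980-01-01",
    "ssn": "000-00-0000",
    "plan_number": "PLAN-12345",
    "diagnosis": "J45.20",
    "medications": ["albuterol"],
    "allergies": ["penicillin"],
    "procedure_codes": ["99213"],
    "service_date": "2024-05-01",
    "discharge_date": "2024-05-01",
    "home_address": "1 Example St",
}

if __name__ == "__main__":
    log = DisclosureLog()
    view = minimum_necessary(SAMPLE_RECORD, "payment", "billing-svc", log)
    print("sent:", sorted(view))
    print("withheld:", log.entries[-1]["withheld"])
```

The design choice worth noting is the direction of the default: the allowlist decides what may be sent, and everything else is withheld and recorded, which gives an auditor both the policy (the allowlist) and the evidence (the log) that it was applied.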
2. The Security Rule
Like the Privacy Rule, the Security Rule sets standards for using, handling, and disclosing patient information. However, its primary focus is electronic PHI (ePHI) and the specific safeguards that covered entities must implement to ensure its safety, integrity, and availability.
As part of HIPAA Security Rule compliance, organizations need to implement administrative, physical, and technical safeguards. Some examples include:
While all safeguards are required for compliance with the Security Rule, HIPAA allows some flexibility by differentiating between required and addressable specifications:
- Required specifications must be implemented exactly as outlined in the Security Rule.
- Addressable specifications must be evaluated to determine whether they are reasonable and appropriate for the organization's size, complexity, and risk profile. If they are not, the covered entity must implement an alternative solution that achieves the same security objective or document a valid justification for not implementing it.
To ensure that these specifications are adequately implemented, organizations should conduct regular risk assessments to confirm PHI protection from creation to transmission, storage, and deletion.
In addition to safeguards for ePHI, the Security Rule also introduces organizational requirements such as the need for a BAA and the specific responsibilities of business associates.
3. The Breach Notification Rule
The Breach Notification Rule outlines PHI breach criteria and notification timelines. According to the Rule, a breach is an impermissible use or disclosure under the Privacy Rule that impacts the security and privacy of affected PHI.
If the covered entity can demonstrate a low chance of compromise, the incident isn’t considered a breach. To prove this, the entity must conduct a risk assessment and consider:
- The nature and extent of the affected PHI, including identifiers and odds of re-identification
- Who used or received the PHI
- Whether the PHI was actually acquired or viewed
- How much risk was mitigated
If a breach is confirmed, the covered entity must issue a notification within 60 days of discovery. There are three types of notification, depending on the scope of the breach:
- Individual notices: Affected individuals must be notified via first-class mail or email. If contact information for 10 or more individuals is outdated, the entity must also post a notice on its website or inform the local media.
- Media notice: If more than 500 affected individuals live in the same state or jurisdiction, the covered entity must notify the relevant media in that area.
- Notice to the HHS Secretary: In addition to individual and media notices, the covered entity must also inform the HHS Secretary by submitting a breach report form.
One requirement organizations often overlook is the need to document a detailed breach notification process. An inability to demonstrate how timelines and procedures are met can complicate audits and lead to fines.
The penalties for HIPAA non-compliance
As HIPAA is a mandatory security framework, organizations that violate its requirements may face penalties for non-compliance. These may include corrective measures, fines, or criminal charges, depending on the severity of the violation.
The primary enforcing body for HIPAA non-compliance is the HHS Office for Civil Rights (OCR), which investigates potential violations and issues corrective measures following complaints, audits, or breaches.
If an OCR investigation determines that a covered entity has violated HIPAA, it usually results in non-punitive corrective measures, such as:
- Voluntary compliance
- Corrective action
- Resolution agreements
If the violation is more severe, deliberate, or not addressed in a timely and satisfactory manner, the OCR can also resort to:
- Civil penalties
- Criminal charges
1. Financial penalties
HIPAA categorizes penalties into four tiers, based on the degree of the violation and the corrective actions taken. Each tier carries a corresponding range of fines with an annual cap, as explained in the table below:
Note: The table above shows the official penalty tiers, but in April 2019, OCR issued a Notice of Enforcement Discretion that reduced the annual caps for the first three tiers to align more closely with HITECH Act language. So, organizations could face significantly lower annual penalties, adjusted for inflation.
If a covered entity can demonstrate that the breach was unavoidable, the HHS Office for Civil Rights (OCR) may waive a civil money penalty (“CMP”), as noted in OCR’s settlement agreements allowing submission of mitigating factors or defenses.
2. Criminal charges
Criminal charges are brought only when it can be reasonably proven that the covered entity or business associate knowingly violated HIPAA guidelines. In this situation, the primary enforcing body is the Department of Justice (DOJ).
Similar to financial penalties, criminal charges are also divided into tiers depending on the severity and intent behind the violation, with escalating corrective measures:
In addition to potential criminal penalties, including imprisonment, the offending entity may also face substantial fines based on the specifics of the case. If the entity financially benefited from the breach, it will be required to return the full amount gained as part of the enforcement action.
How do you become HIPAA compliant? Best practices
Achieving and maintaining HIPAA compliance can be a challenge if you don’t have the proper procedures and oversight in place. Consider the following practices to streamline your HIPAA compliance workflows:
- Perform regular risk assessments: Assess risk around PHI and other assets at predetermined intervals or when a breach has occurred to address any vulnerabilities before they escalate.
- Implement comprehensive training programs: Regular stakeholder training should focus on policies and procedures, and emphasize the outcomes of a breach to ensure team-wide understanding of consequences.
- Maintain demonstrable data security measures: Implement comprehensive security measures such as encryption and audit logging, but balance them with maintaining critical documentation, such as policies and process documents, to avoid gaps during audits.
- Establish an incident response plan: Create and maintain a detailed incident response plan so you can respond to breaches within the required timelines.
- Practice continuous monitoring: Establishing ongoing visibility into your compliance status is key to sustaining HIPAA compliance. The aim is to address gaps or new HIPAA requirements early, minimizing the risk of non-compliance.
- Maintain thorough documentation: You must retain all of your HIPAA-relevant documentation for a minimum of six years. This includes access logs, breach reports, staff training logs, and risk assessments.
The breadth and complexity of HIPAA requirements can be overwhelming for smaller security, compliance, and IT teams. Leverage an automated HIPAA compliance solution to define and streamline your compliance process.
Leverage Vanta to achieve HIPAA compliance efficiently
Vanta is a leading trust management platform that supports HIPAA compliance through built-in resources, prescriptive guidance, and automation across controls, documentation, and policies.
Vanta helps organizations achieve compliance faster while reducing manual effort and saving valuable time and resources. Depending on your tech stack, you can automate up to 85% of the required workflows. The platform offers a dedicated HIPAA product with a range of helpful features, including:
- Ready-to-use document templates
- Policy templates and a built-in editor
- A unified dashboard to streamline tracking
- Automated evidence collection through 375+ integrations
- Built-in guidance and training solutions
If your organization has already achieved compliance with other industry-leading frameworks such as SOC 2, HITRUST, and ISO 27001, you can leverage those existing controls to speed up HIPAA compliance through cross-mapping.
Schedule a tailored demo to explore how Vanta’s features can streamline HIPAA compliance for your team.
A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.