A guide to HIPAA compliance

What is HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US legislation that describes how the healthcare industry should handle patient data. Below you can learn more about HIPAA, its rules of compliance, and ways to keep your data safe.

What is HIPAA compliance?

In simple terms, HIPAA covers the handling of protected health information (PHI). PHI is individually identifiable health information and any information connected to it, such as:

  • names;
  • phone numbers, addresses, and emails;
  • account numbers;
  • Social Security numbers;
  • URLs, IP addresses;
  • photos and biometric data.

The HIPAA compliance rules are divided into 5 directives and apply to health plans, health clearinghouses, healthcare institutions, and their business partners.

Here's where it gets tricky. Not everyone who processes health data must be compliant with HIPAA — it applies only to HIPAA covered entities and their business associates. We'll use an example to illustrate the intricacies of HIPAA compliance.

A hospital (a covered entity) uses a third-party app (a business associate) that handles patient data. Both the hospital and the app developer must be HIPAA compliant.

However, a third-party developer that’s not in a business relationship with a healthcare provider does not have to comply with the HIPAA rules, even if they collect and store data that is considered PHI. For example, a developer of a heart rate monitor app we use for exercise does not have to comply with HIPAA.

The HIPAA compliance checklist

HIPAA compliance can be implemented by following a set of technical, physical, and administrative rules. However, it is important to note that HIPAA has undergone several significant amendments since its implementation. That's why only a legal professional can answer you definitively what steps you should take to protect your company and your clients.

Legally, we can’t do that. But we can show you what most healthcare providers and their partners should focus on to be HIPAA compliant:

  1. Device access control. Access both to workstations and mobile devices must be monitored and protected.
  2. Data access control. Access to stored data must be restricted, secured, and logged.
  3. Risk management. The covered entity must regularly assess risks to the stored data and implement safeguards to protect it, including policies on dealing with non-compliance within the organization.
  4. Emergency plan. The company must prepare a response plan in case of a cyberattack or other incident.
  5. Data encryption. Any PHI transferred over the network must be encrypted.
  6. Third-party access prevention. At no point can a third party access protected data.
  7. Logging local security incidents. Any internal incidents like data exposure must be documented.

If you are dealing with European customer data, the 6 guiding principles of the GDPR will help you stay on track.

The HIPAA Privacy Rule

HIPAA is a complex document that spans over five titles. Title II often gets the most attention, as it deals with the systems healthcare institutions must put in place to be HIPAA compliant as well as fines for non-compliance. Title II includes the Security Rule, which we’ve already covered in the HIPAA checklist. It also includes the Standards for Privacy of Individually Identifiable Health Information or, simply, the HIPAA Privacy Rule.

The HIPAA Privacy Rule describes how companies must protect their users’ privacy and the rights users have over their data. The key here is that the organization must collect the minimum amount of PHI necessary. The Privacy Rule emphasizes that users should consent before any data collection or disclosure of PHI occurs. The user should also be able to receive their data upon request as well as ask for corrections or deletion of the data.

The Privacy Rule underlines that an organization must receive consent from the user before sharing their data with third parties. The only exceptions are treatments, payments, and health-related operations. But the organization should never disclose more than the necessary amount of data for that particular case.

What are the HIPAA violations?

A HIPAA violation is failure to comply with the security and privacy practices listed in the Code of Federal Regulations. The list of potential violations is too long to fit on this page, but here are the most common ones:

  • Unauthorized access to PHI (including data breaches and thefts).
  • Failure to log access to PHI.
  • Failure to dispose of PHI properly.
  • Disclosure of PHI via letters, emails, texts, or any other digital form online.
  • Failure to comply with the user's request to access their data.
  • Disclosure of PHI to third parties before they become a business associate.
  • Failure to encrypt data.
  • Failure to train staff.
  • Failure to notify authorities within 60 days of the discovery of a data breach.

Depending on a case, failure to comply with the HIPAA requirements carries fines up to $1.5 million for a violation category per year and a jail sentence of up to 10 years. While non-compliance can be costly, it's important to note that consistent effort to prevent HIPAA violations and even the willingness to fix non-compliance issues after they have been discovered can significantly diminish the penalties.

What is the key to success when it comes to HIPAA compliance?

We must acknowledge that regardless of the cybersecurity measures we take, we cannot be 100% secure from hacks and breaches.

However, we can prioritize data security and privacy, minimize data collection, and be aware of our vulnerabilities. To have successful HIPAA compliance, follow these rules whenever possible:

  • Have a dedicated person responsible for overseeing HIPAA compliance.
  • Regularly check whether your business associates comply with HIPAA.
  • Encrypt your data. Today, using advanced-level encryption couldn't be easier. Encryption software is great for backups, but with NordLocker, the data you share is also secured with end-to-end encryption.
  • Implement cybersecurity training and testing in the company.
  • Encourage people in your organization to speak out if they notice anything suspicious.
  • Use password managers in your organization to create strong passwords and share access securely.
  • Make sure that no account or device relies on a default password.
  • Delete old accounts regularly.
  • Use a VPN to safely connect to the internet. VPN encrypts your traffic, thus preventing your data from being exposed.
  • Follow the amendments to HIPAA and make the necessary adjustments.

While HIPAA has a lot of layers, the principles are not hard to understand. Everything comes down to securing your data and managing who can access it. That’s what NordLocker helps you do. Drag data to encrypt it, sync it securely via the cloud, and stay in control of who can access it.