HIPAA Compliance Summary

HIPAA is an acronym for the U.S. Health Insurance Portability and Accountability Act of 1996.  It is a set of rules to be followed by the healthcare industry.  The rules exist to give patients peace of mind regarding their medical records by making sure that all medical billing, personal records, and patient account information meet a stringent security standard with regard to how that data, known as electronic protected health information (ePHI), is handled and secured. The objective of the Security Rule is to protect the privacy of individuals' health information without sacrificing technological progress within healthcare. The Security Rule consists of the following main categories:

  • Security Standards General Rule

  • Administrative Safeguards

  • Physical Safeguards

  • Technical Safeguards

  • Organizational Requirements

  • Policies & Procedures

  • Breach Notification

  • Privacy

You must comply with the HIPAA Security Rule and the HIPAA Privacy Rule if your company electronically stores, processes, or transmits medical records, medical claims, remittances, certifications, or other healthcare-based Protected Health Information (PHI). You can see a summary

The information below is not meant to be comprehensive or definitive of what is required for a HIPAA compliance audit.  If you have questions or are going to embark on a formal HIPAA compliance effort, consult with a certified security professional, compliance officer, or privacy officer.

Security Standards General Rule

Does the organization have a written security program that is designed to protect PHI?  Protected health information (PHI or ePHI) is information, including demographic data, that relates to:

  • The individual's past, present or future physical or mental health or condition

  • the provision of health care to the individual, or

  • the past, present, or future payment for the provision of health care to the individual...

and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.  Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Is the security approach flexible and has the organization implemented the policies and procedures for all of the HIPAA safeguards?

Administrative Safeguards

HHS.gov states: "The Security Rule defines administrative safeguards as, 'administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.' The Administrative Safeguards comprise over half of the HIPAA Security requirements. As with all the standards in this rule, compliance with the Administrative Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to each covered entity."

Physical Safeguards

The Security Rule defines physical safeguards as "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion." The standards are another line of defense (adding to the Security Rule's administrative and technical safeguards) for protecting EPHI. When evaluating and implementing these standards, a covered entity must consider all physical access to EPHI. This may extend outside of an actual office, and could include workforce members' homes or other physical locations where they access EPHI.

You'll see questions related to topics like:

  • Facility Access

  • Contingency Operations

  • Facility Security Plan

  • Access Control and Validation Procedures

  • Visitor Security Controls

  • Physical Security Zones

  • Workstation Use and Security

  • Device and Media Controls including disposal

  • Media Re-Use

  • Other

Technical Safeguards

The Security Rule defines technical safeguards in § 164.304 as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."  The organization needs to use whatever security measures allow for reasonable protection based on the standard.  However, "reasonable" is relative to the organization and is defined by the organization.  You'll see questions related to topics like:

  • Access Control

  • Unique User Identification

  • Emergency Access

  • Automatic Logoff

  • Encryption and Decryption

  • Audit controls

  • Change Management

  • Authentication

  • Secure SDLC

  • Vulnerability Management

  • Other

Organizational Requirements

The Business Associate Contracts and Other Arrangements standard found at § 164.308(b)(1) requires a covered entity to have contracts or other arrangements with business associates that will have access to the covered entity's electronic protected health information (EPHI). The standard at § 164.314(a)(1) provides the specific criteria required for written contracts or other arrangements between a covered entity and its business associates. The actual language used to address the requirements can be tailored to the needs of each organization, as long as the requirements are addressed.

Organizational requirements address things like:

  • Business Associate Contracts or Other Arrangements

  • Business Associate Contracts with Subcontractors

  • Contracts with Group Health Plans

  • Other

Policies & Procedures

“Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach]. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.”

However, the terms "policy" and "procedure" are not themselves defined.  You'll be exposed to questions that address:

  • Broad Security Policy

  • Documentation

  • Policy Time Limits

  • Policy Availability

  • Policy Updates

  • Other

Breach Notification

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.

A breach is defined as an unauthorized use or disclosure that compromises the security or privacy of the PHI.  The general rule states that "A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach."

The HIPAA Assessment questions will address:

  • Breaches Treated as Discovered

  • Timeliness of Notification

  • Content of Notification

  • Media Notification

  • Notification to the Secretary of Breaches

  • Notification by a Business Associate

  • Law Enforcement delays

  • Other

Privacy

HHS.gov states "The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.  The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections."

The HIPAA Assessment questions will address:

  • Covered Entities: Permitted Uses and Disclosures

  • Business Entities: Permitted Uses and Disclosures

  • Business Entities: Required Uses and Disclosures

  • Other