The Ultimate Guide to the Health Insurance Portability and Accountability Act (HIPAA)

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. HIPAA requires that covered entities (health plans, health care providers, and health care clearinghouses that transmit health information electronically) and business associates (persons who create, receive, maintain, or transmit protected health information on behalf of covered entities for HIPAA-regulated functions, or who provide services involving disclosure of protected health information) must comply with HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule requirements.

What is the Health Insurance Portability and Accountability Act (HIPAA)?

HIPAA mandates that every covered entity and business associate with access to Protected Health Information (PHI) must have technical, physical, and administrative safeguards to protect the integrity of PHI. And, should a breach of PHI occur, organizations must follow a procedure to notify affected parties. HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).

HIPAA compliance requires effort. Organizations must make significant investments, including identifying gaps in compliance by conducting self-audits, creating remediation plans to reverse compliance violations, developing policies and procedures, documenting all efforts they take to become HIPAA compliant, creating an incident management process and more.

Failure to comply with HIPAA has serious consequences. A breach of electronic PHI may result in substantial fines, criminal charges, and civil lawsuits. The Office for Civil Rights of the Department of Health and Human Services does not consider ignorance of HIPAA regulations a justifiable defense.

To be HIPAA compliant, covered entities must meet three core requirements:

1 The Privacy Rule

HIPAA protects the privacy of Protected Health Information (PHI) via the HIPAA Privacy Rule, which establishes standards for protecting medical records and other PHI and sets limits and conditions on using and disclosing PHI without patient authorization. This rule also gives patients the right to access copies of their health records and ask providers to make corrections to their PHI.

2 The Security Rule

The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).

3 Notification in Case of Breach of Unsecured Protected Health Information

If a HIPAA-covered organization experiences a breach, it is required to notify certain parties, including affected individuals, the media, and the Secretary of HHS, depending on the type and size of the breach.

OCR defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Breaches include not just those caused by hackers or malware, but also those caused by employees inappropriately disclosing information or leaving it where unauthorized users can see it.

A brief history of HIPAA

Why was HIPAA created?

Before HIPAA, the health insurance industry was regulated by a mix of state and federal laws. Most commercial group health plans were governed by state laws, while the majority of employer-sponsored and individually purchased health plans were subject to the Employee Retirement Income Security Act of 1974 (ERISA) and the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA).

As a result, employees were at risk of losing health insurance benefits or being denied health insurance if they changed jobs. This scenario not only affected employees, but also made it difficult for employers to attract skilled workforces, especially in evolving industries like technology.

HIPAA was created to resolve this issue by increasing the portability of health insurance between jobs and prohibiting practices that denied or limited access to health care benefits, including increased premiums for employees with pre-existing conditions. Rather than applying only to employer-sponsored and individually purchased health plans, HIPAA applies to all health insurance plans.

How do I become HIPAA compliant?
To learn how to become HIPAA compliant, check out our in-depth guide

HIPAA Compliance: Why It Matters and How to Obtain It

HIPAA: Frequently Asked Questions

HIPAA aims to simplify the administration of health claims, thereby reducing fraud and abuse in healthcare spending. By introducing stronger penalties for fraud and abuse, and by instructing the Secretary of Health and Human Services (HHS) to standardize transaction code sets, HIPAA creates a mechanism for better policing healthcare transactions. HIPAA also accounts for the increasing volume of patient medical and payment information transmitted electronically and includes standards to ensure the confidentiality, integrity, and availability of electronically transmitted health data, which are addressed through HIPAA’s privacy and security provisions.

HIPAA applies to health plans, healthcare clearinghouses, and healthcare providers that transmit information electronically in connection with a transaction for which HHS has published standards.

Insurance companies that pay for medical care or equipment secondary to a primary insurance (e.g., auto insurance) are not covered by HIPAA. Healthcare professionals such as counselors and therapists are also not covered by HIPAA if they do not electronically transmit health information in connection with financial and administrative transactions. Financial institutions that process payments on behalf of health plans and healthcare providers may be considered HIPAA business associates if they handle protected health information. School medical centers are not covered by HIPAA because students’ health records are considered part of their educational records under FERPA. However, there are exceptions to this exception: for example, when the medical center also provides treatment to members of the public.

HIPAA authorization forms serve as official documents permitting covered entities to use or disclose Protected Health Information (PHI) when authorization is specifically required by HIPAA regulations, or when the covered entity chooses to obtain authorization for uses and disclosures that are otherwise permitted. These forms describe precisely how PHI may be used or disclosed.

For instance, an authorization form might permit a covered entity to use or disclose PHI in scenarios such as:

  • Any use or disclosure of psychotherapy notes, with limited exceptions such as use by the originator for treatment or for the covered entity’s own training programs
  • Any use or disclosure of protected health information for marketing purposes
  • Disclosure to an employer of pre-employment physical or lab test results
  • Sharing information with legal counsel as part of an injury lawsuit
  • Allowing a designated healthcare agent to access a patient’s PHI

In addition to these examples, the forms play an important role in regulating how PHI is shared and ensuring that any release of information aligns with patient preferences and complies with HIPAA regulations. Hyperproof offers sophisticated tools to help organizations manage these forms and maintain HIPAA compliance with ease.

Failure to comply with HIPAA has serious consequences. The breach of electronic PHI may result in substantial fines and criminal charges. The Office for Civil Rights of the Department of Health and Human Services does not consider ignorance of HIPAA regulations a justifiable defense.

Protected Health Information (PHI) is defined as any individually identifiable health information relating to an individual’s health, health care, or payment for health care. The HIPAA Privacy Rule’s Safe Harbor method lists 18 identifiers that must be removed from a designated record set before the data is considered de-identified and no longer subject to HIPAA standards:

  1. Names
  2. All geographic subdivisions smaller than a state (including street address, city, county, precinct, and ZIP code), except for the initial three digits of a ZIP code under certain population conditions
  3. All elements of dates (except year) directly related to the individual, including birth date, admission date, discharge date, and date of death, and all ages over 89
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Website URLs
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers, including fingerprints and voice prints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code (except as permitted for re-identification purposes under certain conditions)
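The list above is a concrete de-identification procedure, so here is an added example (not code from the Hyperproof page) that applies the Safe Harbor rules to a single patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated to their first three digits (or replaced by 000 for low-population prefixes), and ages over 89 are collapsed into a single "90+" category, with the birth year of such a patient dropped as well because it would reveal the age. The field names, the set of low-population ZIP prefixes, and the sample record are all assumptions constructed for the example.

```python
"""
Added example, not part of the original page: a minimal Safe Harbor
de-identification pass over one constructed patient record.
"""
import re

# Fields removed outright under Safe Harbor. These field names are an
# assumption for this example; map them to your own record schema.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_hash", "photo_ref",
}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become 000.
# The real set comes from Census data; this placeholder set is constructed.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Date fields directly related to the individual (year may be kept).
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is low-population."""
    digits = re.sub(r"\D", "", zip_code)[:5]
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def generalize_date(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year; other formats are dropped."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    return m.group(1) if m else ""


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into the single category '90+'."""
    return "90+" if age > 89 else str(age)


def deidentify(record: dict) -> dict:
    """Return a copy of the record with the Safe Harbor identifiers handled."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # identifier removed entirely
        if key == "zip":
            out[key] = generalize_zip(str(value))
        elif key in DATE_FIELDS:
            year = generalize_date(str(value))
            if year:                      # unparseable dates are dropped
                out[key] = year
        elif key == "age":
            out[key] = generalize_age(int(value))
        else:
            out[key] = value              # non-identifying clinical data is kept
    # Edge case: a birth year for a 90+ patient is itself indicative of age
    # over 89, so it has to go along with the age.
    if out.get("age") == "90+":
        out.pop("dob", None)
    return out


def residual_identifiers(record: dict) -> set:
    """Safe Harbor identifier fields still present; must be empty after cleaning."""
    return {k for k in record if k in DIRECT_IDENTIFIERS}


SAMPLE_RECORD = {  # constructed, fictitious data
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "email": "jane@example.invalid",
    "dob": "1931-04-15",
    "admission_date": "2023-11-02",
    "zip": "03601",
    "age": 92,
    "diagnosis_code": "E11.9",
    "ip_address": "203.0.113.7",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    # -> {'admission_date': '2023', 'zip': '000', 'age': '90+', 'diagnosis_code': 'E11.9'}
    assert not residual_identifiers(cleaned)
```

This covers the identifiers that are recognisable by field name; free-text fields (clinical notes, addresses embedded in comments) need a separate content scan, and the "any other unique identifying code" item means a schema review, not just a field filter, before a data set is treated as de-identified.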

A PHI breach is an event where Protected Health Information (PHI) is used or disclosed in a way that could potentially compromise patient privacy and security, as outlined by HIPAA’s Breach Notification Rule. In such cases, healthcare entities are required to notify affected individuals promptly.

The rule sets forth that any impermissible use or disclosure of PHI is presumed to be a breach unless it is demonstrated that there is a low probability the PHI has been compromised. This is determined through a four-factor risk assessment, considering:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used the PHI or to whom it was disclosed
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated

Breach notification without unreasonable delay and no later than 60 days to patients and the U.S. Department of Health & Human Services (HHS) is mandatory unless a “low probability” of risk is conclusively demonstrated. In clear-cut situations of compromise, entities can bypass the risk assessment and proceed with notifications to mitigate harm.

Note: If non-health data is maintained in a separate database that doesn’t contain PHI, it is not PHI, nor is it protected by the HIPAA Privacy Rule.

HIPAA violations typically occur from the following:

  • Inappropriate disclosures of PHI
  • Failure to report breaches within the required timeframe
  • Not adhering to the minimum necessary requirement
  • Lack of training for employees or human error
  • Failure to conduct regular risk assessments

Hyperproof Makes HIPAA Compliance Simple

  • Get started fast with an out-of-the-box HIPAA compliance framework with requirements and controls
  • Map controls to multiple regulatory standards
  • Reduce time to compliance for all regulations that matter to your business
  • Work with the productivity tools you already have
  • Reuse evidence across multiple frameworks and controls
  • Quickly collect evidence to document your efforts toward HIPAA compliance
  • Pinpoint and prioritize your critical workflows
