
Essential Guide to Security Frameworks & 14 Examples
Read articleThe history of modern US healthcare can pretty much be broken into two parts: before HIPAA, and after HIPAA.
This landmark legislation changed the healthcare industry by modernizing how private patient data is collected, stored, accessed, and shared.
Now, more than 25 years after HIPAA was first signed into law, its statutes are more impactful than ever.
This article covers what HIPAA is, why it’s important, and what the law means for organizations handling PHI today.
The Health Insurance Portability and Accountability Act (HIPAA) is a milestone piece of legislation for the US healthcare industry.
Signed into law by President Bill Clinton in 1996, HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities.
Why was HIPAA created? It was passed to address two key issues:
HIPAA is now widely known for its impact on improving the privacy and security of patient health data.
Essential Guide to Security Frameworks & 14 Examples
Read articleHIPAA stands for Health Insurance Portability and Accountability Act, and it was designed to address specific flaws within the US health insurance system. Namely, the portability of insurance coverage and the accountability of healthcare organizations when it comes to protecting patient data.
Here are a few reasons why HIPAA is so important:
HIPAA legislation was introduced during a time of major transition between paper and electronic health records. It created ways to help healthcare providers manage that transition by streamlining administrative tasks, improving efficiency, and ensuring PHI is stored and shared securely.
These changes helped standardize processes, since all organizations covered by HIPAA must use the same code sets and identifiers. Transferring information between healthcare providers, insurance companies, and other entities is simpler and more secure.
PHI includes all kinds of sensitive information. It goes beyond names and addresses to include credit card information, social security numbers, and details around medical conditions and procedures.
Because of its potential for identity theft, PHI holds significant value.
Without HIPAA, there would be no legal requirement for healthcare organizations to protect this private data — and no penalties if they didn’t.
Now, healthcare organizations are legally required to put a series of strict security controls in place to protect personal health information. They must train their staff to protect patient data. And they must prove to an auditor that they are HIPAA compliant.
Before the HIPAA Privacy Rule, healthcare organizations did not have to release copies of a patient’s health information.
Now, a patient’s request to access their health records must be honored within 30 days. If a patient changes healthcare providers, they can request that their old provider share their complete records. Their new doctor can have access to their health history so they can provide better care.
In addition, covered entities cannot use private data for marketing, fundraising, or research purposes without express written permission from patients.
Covered entities that fail to protect PHI are subject to strict fines and, in some cases, criminal penalties.
The Department of Health and Human Services Office for Civil Rights enforces HIPAA and investigates any reported HIPAA violations. OCR also conducts periodic audits of covered entities and their business associates.
Violations are broken down into tiers, depending on the offending organization’s level of negligence and the steps they took to resolve the issue afterward. Fines range from $100-$1.5M, and the harshest criminal penalties can include up to 10 years in jail.
Advances in technology have dramatically improved the ability of healthcare organizations and their patients to access health information, resulting in better care.
But those improvements also introduce new risks. More than 40 million patient records were compromised in 2021 in data breaches reported to the federal government.
To achieve HIPAA compliance, healthcare organizations have to have certain safeguards in place to protect patient data against these types of breaches. The HIPAA Security Rule outlines a set of administrative, physical, and technical safeguards.
Administrative safeguards
These policies and procedures explain what the organization does to protect PHI. Examples include employee training, incident response plans, business associate contracts, and access management policies.
Physical safeguards
Who has access to your physical offices and electronic equipment? These safeguards are designed to protect physical assets from unauthorized access. Examples include access cards with photo ID, turning computer screens away from public view, and shredding documents.
Technical safeguards
These safeguards define what your organization must do when handling electronic protected health information (ePHI). For example, using data encryption, automatic logoff, and unique user identification.
HIPAA risk assessments
As part of the Security Rule, covered entities must complete a risk assessment. The HIPAA risk assessment process helps organizations understand their threat landscape, define their risk tolerance, and identify the probability and potential impact of each risk.
With this knowledge in hand, covered entities can build more effective strategies for mitigating risks and improving data security.
Why is HIPAA important to privacy and security? Because it establishes information security standards that all healthcare organizations must adhere to.
HIPAA compliance ensures covered entities understand and take steps to prevent the risks that could compromise patient data. It establishes key safeguards for keeping sensitive data safe. And it motivates organizations to maintain and improve their security posture or face significant penalties.
For healthcare organizations, HIPAA compliance results in a strong security posture, improved internal processes, and increased patient trust.
Secureframe makes achieving HIPAA compliance faster and easier by simplifying the process into a few key steps:
Learn more about how you can automate your HIPAA compliance today.