What is HIPAA? The Scope, Purpose and How to Comply

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the federal law that created national standards for protecting sensitive patient health information from being disclosed without the patient’s knowledge or consent. Read more about this US regulation and find out how to comply.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was primarily about solving insurance coverage for individuals that are between jobs. Without this law, employees would have faced the risk of losing their insurance coverage for the period between jobs.

Another goal was to ensure that all data is properly secured and no unauthorized individuals can access healthcare data.

HIPAA applies in the United States and is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR).

Purpose of HIPAA

The HIPAA was created in order to modernize the flow of healthcare information and to make sure that Personally Identifiable Information gathered in healthcare and insurance companies are protected against fraud and theft, and cannot be disclosed without consent.

Patients’ healthcare information is treated more sensitively and can be quickly accessed by various healthcare providers. HIPAA regulations require that records are better secured and protected against leakage.

What is Protected Health Information?

Any company or individual that works with Protected Health Information (PHI) needs to be compliant with HIPAA. PHI is created when any health data is combined with personally identifiable information, such as the following:

The Scope of HIPAA

There are several entities that regularly work with Protected Health Information and therefore must follow The Health Insurance Portability and Accountability Act: 

• Healthcare providers 
• Health plans 
• Healthcare clearinghouses 
• Business associates 

HIPAA Rules

HIPAA Privacy Rule 

The Privacy Rule defines how, when and under what circumstances PHI can be used and disclosed. Without a patient’s prior consent, the use of information about the patient is limited. Patients and their representatives are allowed to obtain a copy of their health records and request corrections in case of errors.

HIPAA Security Rule 

The Security Rule sets standards to protect ePHI. The Security Rule must be followed by anyone who works with ePHI. Security Officers and Privacy Officers must perform risk assessments and audits to identify any threats to PHI integrity.

Breach Notification Rule 

The Department of Health and Human Services must be notified in case of a data breach, as must the affected individuals. If more than five hundred patients in a particular jurisdiction are affected, a press release must be issued in a news outlet covering the area.

Omnibus Rule 

The Omnibus Rule is a part of the HITECH Act (Health Information Technology for Economic and Clinical Health Act) that came into force in 2009 and was created to encourage the use of electronic health records by healthcare providers.

The Omnibus Rule prohibits the use of PHI for marketing or fundraising purposes without authorization.

Enforcement Rule 

The Enforcement Rule is about determining the appropriate fine when a breach occurs. A fine can be lower in case of negligence, however if the violation happens due to willful neglect it can be much higher. 

The Rights of Individuals

Within the HIPAA Privacy Rule, individuals have the legal right to see and receive copies of medical information.  

Individuals have the right to: 

• Access PHI 
• Amend PHI 
• Request restriction on who uses PHI and how it is disclosed
• Request confidential communications 
• Request accounting of disclosures 
• File a complaint 

Even though patients have the right to access their records, some types of information are excluded from the Right to Access. The following information is excluded:

Excluded information is the following: 

• Quality assessment or improvement records 
• Safety activity records
• Business and management records 
• Psychotherapy notes 
• Information compiled for use in civil, criminal, or administrative action or proceedings 

HIPAA Violations

A HIPAA violation occurs when a HIPAA entity or a business associate fails to comply with any of the HIPAA Rules. Penalties for HIPAA violations are issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. HIPAA uses four categories of penalties:

• Tier 1: Lack of Knowledge 

The entity was not aware of the violation; therefore, it could not have been avoided. The penalty per such violation is $120—$30,113.

• Tier 2: Reasonable Cause 

The entity should have been aware of the violation, however, could not have avoided it. The penalty per such violation is $1,205—$60,226. 

• Tier 3: Willful Neglect 

The entity willfully neglected HIPAA Rules, but tried to correct the violation. The penalty per such violation is $12,045—$60,226.

• Tier 4: Willful Neglect and not corrected 

The entity willfully neglected HIPAA Rules and didn’t make any attempt to correct the violation. The penalty per such violation is $60,226—$1,806,757. 

The Most Common HIPAA Risks

verified_user 

Keeping unsecured records 

Employees leave sensitive documents at their desks or don’t use passwords to access digital data. Make sure that the workspace is secured, and passwords are used at your company.

no_encryption 

Unencrypted data 

Encryption of your data is not mandatory by HIPAA, but it is highly recommended. Even if data is leaked, when it is encrypted it can’t be accessed without authorization.

phishing 

Hacking or phishing campaigns 

Keep your anti-virus software up to date, regularly change passwords and use a DLP solution to protect your data against leakage.

laptop_mac 

Loss or Theft of Devices 

Valuable devices can be lost in the blink of an eye. Encrypt your data, so even if a device is lost, no one unauthorized can access it.

group 

Sharing PHI 

Always keep in mind that people like to talk. Very often employees don’t even realize that they have been sharing sensitive information with each other. Educate them about sensitive data handling, and make sure that only authorized individuals can access the data. 

school 

Lack of employee training 

Employees might not even realize that they have been working with PHI and the violation can be harmful to both the company and patients. Educate them regularly and make sure they understand what PHI and HIPAA are, as well as the consequences of violation.

login 

Unauthorized Access 

Employees who are not authorized to process sensitive information can still access it and go through the documents. Set the proper security policies and make sure your employees are aware of them.

Insider Threats in the Healthcare

As you can see above, violations often stem from mistakes made by employees, whether they lose a device, click on a phishing campaign, or just talk with their colleagues about patients. HIPAA violations can happen easily. Insider threats can be either unintentional or malicious. However, 56% of insider threat incidents are caused by negligent employees.

And according to Ponemon Institute, the average total cost of a data breach for healthcare companies jumped 29% to $9.23 million. Health and pharmaceuticals are among the industries with the highest annual insider threat costs, at over $10M per year (Ponemon Institute, 2022). 

Read more about insider threats here.

How to Secure Data For HIPAA Compliance?

1. Encrypt your data 
2. Adopt security policies and define authorized employees to access your PHI 
3. Use a DLP solution to protect your data against insider threats and to enforce security policies. 
4. Educate your employees on a regular basis 
5. Secure your workplace, adopt policies on how to work with sensitive documents 

How Safetica Secures Your Data For HIPAA Compliance?

1. Safetica encrypts your data and keeps it protected in case of device loss or theft. 
2. Safetica is a DLP solution that protects your data against insider threats. Define which operations can be risky and block them or make Safetica notify you and your employees about potential risks.
   
3. With Safetica it is easy to adopt security policies and define authorized employees that can work with PHI. You can set your security policies and monitor whether your company’s sensitive data is being misused, and only allow authorized individuals to access it.
   
4. Educate your employees on a regular basis. Safetica notifies your employees in the event of risky operations, so they are more aware of data security.
   
5. Secure your workplace, and adopt policies on how to work with sensitive documents. Safetica performs security audits and provides you with regular reports that allow you to adjust your security policies.
   

Customer Stories:
How Safetica Helps in Healthcare

Gyncentrum Clinic protects their clients’ sensitive data with Safetica. Read more here.

Our staff, both administrative and medical, has access to our patients’ sensitive data on a daily basis. These are personal and medical information, examination results and psychological evaluations. Thanks to Safetica, I can, as the person responsible for data protection in the clinic, decide who has access, how data is processed and whether it can be shared with third parties or not. Employees’ activities are reported, and patients’ data protected.

Says Paweł Czerwiński, Owner of Gyncentrum.

Top 3 HIPAA Violations

#1 Tricare 

Number of records leaked: 5 million 

Tricare is a healthcare program for active-duty troops, their family members, and military retirees. In September 2011, the company experienced a data breach. Backup tapes of electronic health records were stolen from the car of the person who was responsible for transporting these records.

Types of data exposed:  

• Social security numbers 
• Names 
• Addresses 
• Phone numbers 
• Personal health data 
• Clinical notes 
• Lab tests 
• Prescription information 

---

#2 Community Health Systems Data Breach 

Number of records leaked: 4.5 million 

In 2014, malware software was deployed and sensitive patient data was stolen. Patients who received treatment from the company in the previous 5 years were impacted.

Types of data exposed: 

• Names 
• Birth dates 
• Social security numbers 
• Phone numbers 
• Addresses 

---

#3 UCLA Health Data Breach 

Number of records leaked: 4.5 million 

In October 2014, UCLA experienced a cyberattack in which sensitive patient information was stolen.

Types of data exposed: 

• Names 
• Birth dates 
• Social security numbers 
• Medicaid 
• Health plan identification numbers 
• Medical data