Implementing Safeguards for HIPAA Compliance

HIPAA, the Health Insurance Portability and Accountability Act, was passed in 1996 and protects patient data and patients' rights to that data. Organizations that handle and manage protected health information must meet HIPAA compliance requirements. If they fail to do so, they can receive expensive fines from the Department of Health and Human Services (HHS), the agency responsible for overseeing HIPAA.

A 2021 report from the US Department of Health and Human Services shows that there were 239 million cyberattacks attempted on healthcare organizations in 2020. Ransomware attacks affected 560 healthcare organizations, with an average ransom payment of $154,100. Data breaches, although distinct incidents, are usually combined with ransomware attacks. In 2020, there were more than 630 data breaches in healthcare organizations, affecting 29 million records.

The rise of cyberattacks in the healthcare industry means that organizations need to be prepared to recognize and react to threats, and to comply with new regulations as they are passed.

HIPAA Security Rule

What exactly is HIPAA compliance? HIPAA compliance is the continuous responsibility of meeting and adhering to the standards and requirements that protect individually identifiable health information an organization creates, receives, or transmits in electronic form.

According to HHS, a fundamental goal of the Security Rule is to protect the privacy of individuals' electronic personal health information (ePHI) while allowing organizations to adopt new technologies that improve the quality and efficiency of patient care. It protects electronic health information by requiring companies to maintain appropriate technical, physical, and administrative safeguards.

Technical Safeguards

Technical safeguards cover the technology used to protect and access ePHI. Organizations have the flexibility to implement whatever controls make the most sense for them, with one stipulation: ePHI must be encrypted to NIST standards once it leaves the organization's servers.

  1. Access control
  2. Audit controls
  3. Integrity controls
  4. Transmission security

Physical Safeguards

Physical safeguards cover requirements for on-premises, data center, and cloud storage of ePHI.

  1. Facility access and control
  2. Workstation and device security

Administrative Safeguards

Administrative safeguards pertain to the policies and procedures that bring the Privacy Rule and the Security Rule together.

  1. Risk and security management process
  2. Security personnel
  3. Information access management
  4. Workforce training and management
  5. Evaluation

Failing to follow the standards and requirements of the HIPAA Security Rule correctly results in a HIPAA violation and can bring a severe fine. Companies may need to involve their IT service provider to implement appropriate security measures and avoid HIPAA violations.

Visual Edge IT can help you navigate HIPAA requirements and establish necessary compliance measures for your technology environment. We’ve put together a HIPAA Compliance Checklist to get you started.