HIPAA Explained: Health Insurance Portability and Accountability Act
In recent years, cyberattacks, and ransomware in particular, against health insurers and providers have caused a large number of health data breaches. Between 2009 and 2021, the HHS Office for Civil Rights received reports of 4,419 healthcare data breaches affecting 500 or more records. Through these breaches, 314,063,186 healthcare records were lost, stolen, exposed, or disclosed without authorization, equivalent to more than 94.63% of the US population in 2021. In 2018, on average one healthcare data breach of 500 or more records was reported per day; by 2021 the rate had roughly doubled, to 1.95 such breaches per day. This has drawn renewed attention to the Health Insurance Portability and Accountability Act (HIPAA).
You will find detailed information on the following topics in this article.
- What is HIPAA in a nutshell?
- Why is HIPAA important for the health sector?
- Who must comply with HIPAA?
- How does HIPAA work?
- How do you ensure HIPAA compliance?
- What are examples of HIPAA violations?
- How do you get HIPAA training?
- What are the HIPAA Security Rule requirements?
- Is a firewall required for HIPAA compliance?
- What are the firewall best practices for HIPAA compliance?
What is HIPAA in a Nutshell?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA, also called the Kennedy-Kassebaum Act) is federal legislation that mandated national standards for protecting sensitive patient health information. It was enacted by the 104th United States Congress and signed into law on August 21, 1996, by President Bill Clinton. Its aim was to make the US healthcare system more efficient, partly by standardizing practices for preserving the security and privacy of healthcare data. HIPAA directed the US Department of Health and Human Services (HHS) to issue regulations covering this data; the best known of these are the Privacy Rule and the Security Rule.
The Privacy Rule sets requirements for protected health information (PHI) in any form, while the Security Rule covers PHI that is created, stored or transmitted electronically (ePHI). PHI is individually identifiable health information: identifiers such as a name, address, Social Security number or dates, held together with information about a person's health condition, treatment or payment for care. A Social Security number is itself one of the identifiers that turn health data into PHI, so collecting SSNs enlarges what an organization has to protect; under the "minimum necessary" principle they should be collected only when genuinely needed.
HIPAA is crucial to data security in three ways:
- by guaranteeing confidentiality and privacy
- by enabling appropriate patient information access
- by lowering healthcare fraud.
HIPAA, which is also known as Public Law 104-191, has two main goals. First, it makes sure that employees keep their health insurance even if they change jobs or quit. Second, it lowers healthcare costs in the long run by standardizing the electronic transmission of administrative and financial tasks. Other goals include preventing abuse, fraud, and waste in health care and insurance and making it easier for people to get services and insurance for long-term care.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed by Congress in 2009, promoted the adoption and "meaningful use" of electronic health records (EHR) and strengthened HIPAA. It introduced the Breach Notification Rule, which requires covered entities to notify affected individuals and HHS (and, for large breaches, the media) of breaches of unsecured PHI, and it raised the penalty tiers. In 2013 HHS issued the HIPAA Omnibus Final Rule, which implemented the HITECH changes, made business associates directly liable, and updated the Privacy, Security and Breach Notification Rules. These changes build on the original safeguards in the HIPAA Privacy and Security Rules.
HIPAA sets rules for the healthcare organizations (known as "covered entities") that transmit or store PHI: health plans, healthcare clearinghouses, and healthcare providers that conduct standard transactions electronically. HIPAA recognizes that covered entities often need to share PHI with outside organizations that help them deliver healthcare services; these are "business associates".
Since the HITECH Act and the Omnibus Rule, business associates are directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule, just as covered entities are. Covered entities must also have a written business associate agreement (BAA) in place that sets out how the business associate will use, disclose and safeguard the PHI.
Why is HIPAA Important for the Health Sector?
If data privacy and security are not handled properly, the HHS Office for Civil Rights (OCR) can impose civil money penalties, and significant fines are to be expected for avoidable data breaches. Under the HITECH penalty structure, OCR can fine a covered entity or business associate up to $1.5 million per year for violations of a single provision (a cap that is now adjusted for inflation), and state attorneys general can bring civil actions under HIPAA as well. HIPAA itself gives individuals no private right of action, although affected patients may still sue under state law.
Because healthcare organizations are attractive targets for cybercriminals, and because a breach is expensive to handle (breach notification letters, credit monitoring services, OCR fines and legal costs), the cost of non-compliance is generally far higher than the cost of compliance. The initial investment in the technical, physical and administrative safeguards needed to protect patient data is substantial, but the improvements can pay for themselves over time because they also improve efficiency.
Organizations that have put HIPAA compliance measures in place report streamlined employee workflows, less time spent playing "phone tag", and a more productive workforce, which frees money that can be reinvested in patient care.
Who Must Comply with HIPAA?
The organizations subject to HIPAA rules are referred to as "covered entities". They are:
- Health Plans: health insurance companies, HMOs, employer-sponsored health plans, and government programs that pay for healthcare, such as Medicare and Medicaid.
- Healthcare Providers: physicians, hospitals, clinics, psychologists, chiropractors, nursing homes, pharmacies, dentists and other providers, provided they transmit health information electronically in connection with a HIPAA standard transaction (for example, submitting claims), which the majority of providers do.
- Health Care Clearinghouses: organizations that convert nonstandard health data into a standard electronic format or data content, or vice versa.
In addition, the business associates of covered entities must comply with many of the same HIPAA rules.
Contractors, subcontractors and other outside parties who are not members of a covered entity's workforce often need access to health information in order to do work for the covered entity. These organizations are called "business associates" and include, for example:
- Companies that process health care claims and help pay physicians so they can be reimbursed for the services they provide
- Organizations that help administer health plans
- Outside professionals such as attorneys, accountants and IT service providers
- Organizations that store or destroy medical records
Covered entities must have written agreements (business associate agreements) with their business associates stating how health information will be used, disclosed and protected. Business associates must in turn have similar agreements with their subcontractors. Under these agreements, business associates (including subcontractors) must comply with the Security Rule's safeguard requirements and with the Privacy Rule's provisions on how the information may be used and disclosed.
How Does HIPAA Work?
The Health Insurance Portability and Accountability Act (HIPAA) is a set of rules governing organizations that handle PHI (Protected Health Information), intended to keep sensitive information about individuals from being exposed. The five key HIPAA rules are explained below:
- HIPAA PRIVACY RULE: The Privacy Rule requires organizations to safeguard patient information and forbids using or disclosing it without the patient's authorization, except for treatment, payment, health care operations and a limited set of other permitted purposes. It also gives patients rights over their information: they decide whether, how and for what purposes it may be disclosed beyond those permitted uses, they have the right to inspect and obtain a copy of their medical records, and they may request corrections to their file. Failing to honour any of these requirements is a violation of the Privacy Rule.
- HIPAA SECURITY RULE: Where the Privacy Rule governs whether and how organizations may disclose data, the Security Rule governs how they protect ePHI from unauthorized access. It describes three categories of safeguards: administrative, physical and technical. The administrative safeguards require the right people and processes (risk analysis, policies, sanctions, workforce training); the technical safeguards list the controls needed to manage access to data, such as unique user identification, encryption, audit controls and strong authentication.
- HIPAA TRANSACTIONS AND CODE SETS RULE: Data exchange is essential to healthcare, whether a hospital is retrieving a new patient's medical history or an insurer is learning that it must pay for a treatment. These exchanges are also where patient data can leak or be over-shared. The rule therefore requires every organization taking part in these transactions to use standard electronic transaction formats and standard medical code sets, so that medical information and PHI are exchanged accurately, consistently and only as needed. An organization that submits information that does not conform to the required standard or code set may be in violation.
- HIPAA IDENTIFIERS RULE: HIPAA requires standard unique identifiers so that the parties to a transaction can be reliably recognized: the National Provider Identifier (NPI) for healthcare providers, the Employer Identification Number (EIN) for employers, and a standard identifier for health plans. Consistent identifiers make it harder for someone to pose as a legitimate organization in order to obtain PHI, and help protect both patients and organizations against fraud.
- HIPAA ENFORCEMENT RULE: The Enforcement Rule sets out how HHS investigates complaints and conducts compliance reviews, the tiers of civil money penalties for violations of the Privacy and Security Rules, and the procedures for hearings. HITECH and the 2013 Omnibus Rule increased the penalties, made business associates directly liable, and require that business associate agreements reflect the updated security requirements and the federal breach notification obligations.
The US implemented HIPAA to safeguard medical data, but other countries have their own equivalents. Healthcare hosting compliance is a major concern for any company processing, storing or transmitting healthcare data in the US, and different rules apply to data about patients in Canada or Europe, such as Ontario's PHIPA (Personal Health Information Protection Act) or the EU's GDPR (General Data Protection Regulation).
How Do You Ensure HIPAA Compliance?
If your organization works in healthcare or insurance, it must comply with the Health Insurance Portability and Accountability Act (HIPAA). Here are five practical suggestions for maintaining HIPAA compliance:
- Learn the key terminology: Many HIPAA terms have precise definitions, and understanding them is the first step toward compliance. For instance, "confidential handling of PHI" means applying the appropriate administrative, technical and physical safeguards.
- Keep an exact copy of every patient record: The Security Rule requires every HIPAA-covered organization, including medical practices, to create and maintain retrievable, exact copies of its ePHI.
- Keep backups of ePHI offsite: Backups of ePHI should be stored apart from the primary data repository, so that a fire, theft or ransomware incident at the main site does not destroy both copies. Backups should also be encrypted; encryption is an "addressable" Security Rule specification, and if it is in place and the keys are protected, a lost backup is not a reportable breach of unsecured PHI.
- Verify that your backup provider supports HIPAA compliance: Carbonite Pro and Carbonite Server, for example, are marketed as supporting HIPAA compliance by applying the administrative, technical and physical safeguards needed to protect the confidentiality, integrity and availability of PHI. Whatever provider you use, confirm this in writing and check that it will sign a BAA.
- Sign a business associate agreement (BAA) with your backup provider: HIPAA requires covered entities to have contracts, called business associate agreements, with their business associates. A "business associate" is any person or organization that creates, receives, maintains or transmits PHI on behalf of a covered entity, and any backup provider that holds your ePHI falls into this category.
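The "retrievable, exact copies" requirement is only met if a backup can actually be restored and shown to match the original. The following Python script is an added example, not code from the original article or from any backup vendor: it backs up a directory of constructed sample records, writes a SHA-256 manifest, restores the archive to a separate location and compares every file against the manifest, then corrupts one restored file to show the check catching silent damage. The file names, record contents and paths are invented for illustration; encryption at rest of the resulting archive is assumed to be applied by the backup tool or provider and is not shown here.

```python
"""Added example (not from the original article): back up constructed sample
records, write a SHA-256 manifest, restore, and verify the restore is exact.
Encryption of the archive at rest is assumed to be handled by the backup tool."""
from __future__ import annotations
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "patient records" (invented; real ePHI is never hard-coded).
SAMPLE_RECORDS = {
    "patients/000123.json": '{"mrn": "000123", "dx": "E11.9"}\n',
    "patients/000456.json": '{"mrn": "000456", "dx": "I10"}\n',
    "notes/2024-01-15.txt": "Follow-up visit, BP controlled.\n",
}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_sample_records(root: Path) -> None:
    for rel, body in SAMPLE_RECORDS.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def make_backup(src: Path, archive: Path, manifest_path: Path) -> dict:
    """Write a .tar.gz of src plus a JSON manifest stored beside it."""
    manifest = build_manifest(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest

def restore_backup(archive: Path, dest: Path) -> None:
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        # The "data" filter refuses absolute paths and ".." traversal in member
        # names; interpreters without it fall back to plain extractall.
        try:
            tar.extractall(dest, filter="data")
        except TypeError:
            tar.extractall(dest)

def verify_restore(restored: Path, manifest_path: Path) -> list[str]:
    """Return a list of problems; an empty list means the restore is exact."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
    return problems

def restore_drill(workdir: Path) -> tuple[list[str], list[str]]:
    """Backup -> restore -> verify, then corrupt one restored file and verify
    again. Returns (problems_on_clean_restore, problems_after_corruption)."""
    src = workdir / "src"
    archive = workdir / "ephi.tar.gz"
    manifest = workdir / "manifest.json"
    write_sample_records(src)
    make_backup(src, archive, manifest)
    restored = workdir / "restored"
    restore_backup(archive, restored)
    clean = verify_restore(restored, manifest)
    # Simulate silent corruption (bit rot, truncated copy) in the restored set.
    (restored / "patients/000123.json").write_text('{"mrn": "000123"}\n')
    tampered = verify_restore(restored, manifest)
    return clean, tampered

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean, tampered = restore_drill(Path(tmp))
        print("clean restore problems:", clean)       # []
        print("after corruption:", tampered)          # ['hash mismatch: patients/000123.json']
```

Run the drill on a schedule against the real offsite copy, not just once at setup: a backup that has never been restored is an assumption, not a control. Keep the manifest with the archive so a restore at the disaster-recovery site can be verified without access to the primary system.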
What are Examples of HIPAA Violations?
Medical practices should always make sure they are HIPAA-compliant, since fines for violations can exceed $50,000 per violation, up to an annual cap of $1.5 million per provision. Some HIPAA violations happen far more often than others, and all of them should be treated as real risks to your practice.
Because HIPAA standards are complex and change over time, it can be hard to keep up with the latest requirements and the most frequent violations. Your organization is less likely to suffer a breach if your team is well trained on HIPAA compliance and knows the most common ways it is broken.
We have compiled a list of the 10 most common HIPAA violations, with tips on how to prevent each, so that your practice can take the right steps to avoid them.
- Unsecured Records: During training, every staff member should be told to keep documents containing PHI in a secure place at all times. Paper records containing PHI must be locked in a desk, filing cabinet or office. Digital records should be encrypted wherever feasible and protected by strong authentication.
- Unencrypted Data: The risk of leaving ePHI unencrypted is easy to understand: encryption is what protects the data if a device is lost or stolen, and it adds a layer of protection if the device is compromised some other way, such as by hacking. Under the Security Rule, encryption is an "addressable" implementation specification rather than a strict requirement: you must implement it where reasonable and appropriate, or document why an equivalent alternative was chosen instead. In practice it is strongly advised, and encrypted ePHI that is lost or stolen is not treated as a reportable breach. You should also be familiar with your state's laws, since several states require encryption of ePHI and PII.
- Hacking: Although we would like to believe it will never happen to us, ePHI is a prime target for attackers who want to use it for fraud and identity theft, and medical practices should take all reasonable precautions. Start by keeping every device that stores or accesses ePHI patched and running anti-malware software, and place firewalls between workstations, servers and the Internet. Use unique, hard-to-guess passwords, ideally with a password manager and multi-factor authentication, and change them whenever there is any suspicion of compromise.
- Device Theft or Loss: In June 2016, OCR settled a case involving the theft of an iPhone containing a large amount of ePHI, including Social Security numbers, medical conditions and treatments, and prescription information. The phone had neither a passcode nor encryption, so anyone holding it could read everything on it. The breach occurred at Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), which provided management and IT services to nursing facilities; CHCS paid $650,000, and 412 nursing home residents and family members were affected. Devices holding ePHI can be lost or stolen whenever they are not physically secured, and the consequences are far worse when the device is not protected by a passcode and encryption.
- Employee Training Gaps: Every employee who works with PHI must be fully trained on HIPAA requirements and how to follow them. Both the Privacy Rule and the Security Rule require workforce training, so this is more than a suggestion. All employees must be trained on the law and on your organization's own policies and procedures.
- Sharing PHI and Gossiping: However harmless small talk at the water cooler may seem, PHI should never be part of it. There is no justification for discussing PHI casually with coworkers, and doing so can carry a substantial fine. Staff who have access to a patient's PHI should discuss it only with authorized colleagues who need it, behind closed doors, and always with an eye to who else might be listening.
- Employee Snooping: Attempts by employees to access PHI they are not authorized to see are HIPAA violations, even without malicious intent. Often it is mere curiosity, but the penalty is the same. Prevent it with clear training, role-based access rules that limit each person to the minimum necessary, audit logs that are actually reviewed, and a clear statement of the consequences.
- Improper Record Disposal: One of the most important things to teach your team is how to dispose of PHI correctly. Paper containing PHI (Social Security numbers, details of procedures, diagnoses, and so on) should be shredded or burned, and electronic PHI should be securely wiped from storage media rather than simply deleted. PHI left in a trash can, a recycling bin or a computer's recent-files list can fall into the wrong hands and constitute a major violation. Proper training, with enforcement by a compliance officer, prevents this.
- Information Released Without Authorization: This most often makes the news when PHI about celebrities and public figures is leaked to the media, but it also happens when staff tell family members about a patient's PHI. Disclosure to family or friends is permitted only when the patient has agreed or does not object, when the recipient is the patient's personal representative (for example under a power of attorney), or in the other limited circumstances the Privacy Rule allows.
- PHI Disclosure to Third Parties: PHI should not be shared with anyone other than the patient, those treating the patient, and those involved in payment or other permitted health care operations. Discussing PHI with people who should not have access to it is a clear HIPAA violation, yet it happens regularly. Again, most breaches of this kind can be prevented by training every employee who has access to PHI on the rules.
Another form of third-party disclosure is a staff member accidentally giving out information about the wrong patient. Even though this is an accident, the consequences are the same as if it had been done on purpose.
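Several of the violations above (employee snooping, role creep, bulk record pulls) are only detectable if EHR access logs are actually reviewed, which is what the Security Rule's audit-control safeguard is for. The script below is an added example, not code from the original article or from any EHR vendor. It runs three detections over constructed audit-log lines: actions outside what a role should need, access to patients with whom the user has no documented treatment relationship (with break-the-glass accesses surfaced separately for review rather than suppressed), and many distinct patients viewed within a short window. The log format, the care-team table, the role-to-action map and the thresholds are all assumptions for illustration.

```python
"""Added example (not from the original article): detect workforce snooping in
constructed EHR audit-log lines. Log format, care-team table, role permissions
and thresholds are assumed for illustration; real systems differ."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit records: timestamp|user|role|patient_id|action|reason
AUDIT_LOG = """\
2024-03-04T08:02:10|drpatel|physician|P1001|view_chart|
2024-03-04T08:05:44|drpatel|physician|P1002|view_chart|
2024-03-04T08:40:03|nurse_kim|nurse|P1001|view_meds|
2024-03-04T09:12:51|frontdesk2|registration|P1003|view_demographics|
2024-03-04T09:13:20|frontdesk2|registration|P1003|view_chart|
2024-03-04T12:31:07|nurse_kim|nurse|P2001|view_chart|
2024-03-04T12:31:40|nurse_kim|nurse|P2002|view_chart|
2024-03-04T12:32:15|nurse_kim|nurse|P2003|view_chart|
2024-03-04T12:32:58|nurse_kim|nurse|P2004|view_chart|
2024-03-04T12:33:30|nurse_kim|nurse|P2005|view_chart|
2024-03-04T12:34:02|nurse_kim|nurse|P2006|view_chart|
2024-03-04T15:20:00|drlopez|physician|P1001|view_chart|break_glass:ED consult
"""

# Assumed treatment relationships (in practice derived from orders/scheduling).
CARE_TEAM = {
    "P1001": {"drpatel", "nurse_kim"},
    "P1002": {"drpatel"},
    "P1003": {"drpatel", "nurse_kim"},
}
# Minimum-necessary: the actions each role is expected to perform (assumed).
ROLE_ALLOWED_ACTIONS = {
    "registration": {"view_demographics", "update_demographics"},
    "nurse": {"view_chart", "view_meds", "document"},
    "physician": {"view_chart", "view_meds", "order", "document"},
}
BULK_WINDOW = timedelta(minutes=5)
BULK_THRESHOLD = 5  # distinct patients inside one window

@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str
    reason: str

def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action, reason = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, role, patient, action, reason))
    return events

def detect_snooping(events: list[Event]) -> list[str]:
    alerts: list[str] = []
    per_user: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.action not in ROLE_ALLOWED_ACTIONS.get(e.role, set()):
            alerts.append(f"ROLE_VIOLATION {e.user} ({e.role}) {e.action} on {e.patient}")
        on_team = e.user in CARE_TEAM.get(e.patient, set())
        # Demographics lookups are needed for registration; everything else
        # requires a treatment relationship or a documented break-glass reason.
        if not on_team and e.action != "view_demographics":
            if e.reason.startswith("break_glass:"):
                alerts.append(f"BREAK_GLASS {e.user} on {e.patient}: {e.reason[12:]}")
            else:
                alerts.append(f"NO_RELATIONSHIP {e.user} ({e.role}) {e.action} on {e.patient}")
        per_user[e.user].append(e)
    # Bulk access: sliding window over each user's events, counting distinct patients.
    for user, evs in per_user.items():
        evs.sort(key=lambda x: x.ts)
        start, flagged = 0, False
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > BULK_WINDOW:
                start += 1
            distinct = {x.patient for x in evs[start:end + 1]}
            if len(distinct) >= BULK_THRESHOLD and not flagged:
                alerts.append(f"BULK_ACCESS {user}: {len(distinct)} patients in {BULK_WINDOW}")
                flagged = True
    return alerts

if __name__ == "__main__":
    for alert in detect_snooping(parse_log(AUDIT_LOG)):
        print(alert)
```

Break-glass accesses are reported rather than dropped because the Privacy Rule does not forbid emergency access; it requires that such access be justified and reviewed. Tune BULK_THRESHOLD per role (a unit clerk legitimately touches many charts) and feed the alerts to whoever owns the sanctions policy, since a detection nobody acts on is not a control.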
What is not Considered a HIPAA Violation?
Many people assume it is better to be safe than sorry when it comes to privacy and HIPAA violations. Nurses, technicians and doctors often treat every accidental disclosure as a breach, and many privacy officers treat every impermissible disclosure the same way. Nevertheless, all staff should be aware of the three exceptions to the definition of a breach.
Not every improper disclosure of PHI is a reportable breach. The Breach Notification Rule excludes three situations:
- the unintentional acquisition, access or use of PHI by a workforce member acting in good faith and within the scope of their authority
- an inadvertent disclosure by a person authorized to access PHI to another person at the same covered entity or business associate who is also authorized to access it
- a disclosure where the covered entity has a good-faith belief that the unauthorized recipient could not reasonably have retained the information
In each case the information must not be further used or disclosed in a way the Privacy Rule does not permit, and the incident should still be documented.
How are HIPAA Violations Uncovered?
HIPAA-covered organizations discover many violations through internal audits. Employees also frequently report violations and suspected violations by coworkers, which makes it straightforward for supervisors to identify who broke the rules.
The HHS Office for Civil Rights enforces the HIPAA Rules. It investigates complaints about HIPAA violations from medical staff, patients and health plan members, investigates every breach report involving 500 or more individuals and some smaller ones, and periodically audits covered entities and business associates.
Breaches are typically investigated when a complaint about a possible HIPAA violation is filed or when a breach report is received. State attorneys general also have the authority to investigate breaches.
What Are the Penalties for Violations of HIPAA Rules?
Civil penalties for HIPAA violations are tiered by culpability, from $100 per violation where the entity did not know and could not reasonably have known of the violation, up to $50,000 per violation for willful neglect that is not corrected, with an annual cap of $1.5 million per provision (the figures are adjusted for inflation each year). OCR may waive penalties in the lower tiers if the violation was not due to willful neglect and was corrected within 30 days of the entity learning of it. Criminal penalties, set out in 42 U.S.C. 1320d-6, are more severe: knowingly obtaining or disclosing PHI in violation of HIPAA carries a fine of up to $50,000 and up to one year in prison; doing so under false pretenses, up to $100,000 and five years; and doing so with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm, up to $250,000 and ten years. Courts may also order restitution to victims.
Both covered entities and business associates, and the individuals working for them, can face these penalties. Aggravated identity theft carries a separate mandatory two-year prison sentence on top of the underlying offense.
How Do You Get HIPAA Training?
The Privacy Rule requires that each new member of the workforce receive HIPAA training within a reasonable period after joining the covered entity, and that each workforce member whose functions are affected by a material change in policies or procedures be retrained within a reasonable period after the change. In practice, this means training should start at onboarding rather than months later.
The Security Rule requires a security awareness and training program for all workforce members, including periodic security updates. Covered entities usually meet this with annual training sessions, which protect both the employer and the workforce by making sure staff are:
- "refreshed" on the HIPAA rules
- aware of any policy changes since their previous training
- informed about current cybercrime techniques and how to prevent them
Even though yearly training is enough to meet HIPAA's periodic requirements, it's not a bad idea to hold more training sessions throughout the year. These extra training sessions are shorter and give quick information to help employees follow HIPAA rules and be more aware of them.
Basic HIPAA training takes about an hour, but the full training time depends on a person's role in the organization, how often they interact with patients and protected health information (PHI), and how much cybersecurity training their role requires.
HIPAA training sessions typically cost between $10 and $30 per employee; for larger groups, some vendors offer discounted group rates at the lower end of that range (around $15 per person).
HIPAA training certificates are available to individuals, businesses and organizations on a budget, or even for free, and are useful for most professionals in the healthcare and medical services industries. Note that HHS does not recognize or endorse any official HIPAA "certification": a certificate shows that training took place, but it does not by itself make an organization compliant.
Because so many people and organizations need to understand the HIPAA rules, a number of training programs are available, often tailored to particular professions.
Training for whole organizations costs more, but individual HIPAA courses can be found online for as little as $20 or for free.
What are the Requirements of the HIPAA Security Rule?
The HIPAA Security Rule deals with electronic Protected Health Information (ePHI), effectively a subset of what the HIPAA Privacy Rule covers, whereas the Privacy Rule deals with Protected Health Information (PHI) in any form. The good news is that the Security Rule takes up only around eight pages of regulatory text (45 CFR Part 164, Subpart C); the bad news is that it is fairly technical. In effect, this healthcare cybersecurity regulation codifies a number of information technology best practices and standards.
The U.S. Department of Health and Human Services (HHS) states: "The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity". Covered entities are all providers, health plans and healthcare clearinghouses that transmit health information in electronic form in connection with a HIPAA transaction. The Security Rule has three categories of safeguards:
- Administrative Safeguards: the policies and procedures an organization adopts to protect ePHI and to manage workforce conduct. They require a documented risk analysis and risk management process, a sanctions policy, assignment of a security official, workforce training (including awareness of phishing and similar attacks), access authorization procedures that define which personnel may access which data, periodic evaluation of security controls, and a contingency plan for restoring damaged IT systems and data.
- Physical Safeguards: controls intended to prevent theft, loss or misuse of facilities and equipment holding patient information. The threats range from stolen devices to a hostile actor looking over a clinician's shoulder at a workstation. The requirements cover facility access controls, workstation use and security, and device and media controls (inventory, secure disposal and re-use, and backups before equipment moves), backed by staff education and IT administration of devices.
- Technical Safeguards: the technology and related policies that protect ePHI on networks and devices. The standards are access control (unique user IDs, emergency access, automatic logoff, encryption), audit controls (logging and reviewing activity in systems holding ePHI, with monitoring and alerting), integrity controls, person or entity authentication (password rules and stronger authentication), and transmission security (encryption of ePHI in transit).
Do you need a firewall to be HIPAA compliant?
Firewalls are network security controls that inspect and control traffic entering and leaving a network. With outbound (egress) rules, workstations in a healthcare organization can be restricted to the destinations their users actually need for their work.
The Security Rule does not name firewalls, but its access control and transmission security standards are commonly implemented with firewall rules that give each role the appropriate level of network access. For example, a clinician may need broad Internet access, while a receptionist needs only the scheduling system and a limited set of websites. Rules are defined per role (in practice, per network segment or per authenticated user group) so that each person gets the access their function requires and nothing more.
Firewall rules help ensure that only people who are authorized to access ePHI, and who need it for their work, can reach the systems that hold it. Modern firewalls can tie rules to an authenticated identity rather than only to an IP address; that authentication should rest on something only the legitimate user knows (a password or PIN), has (a hardware token or phone) or is (a biometric), preferably two of these.
Firewall controls are therefore a key element in keeping your organization secure and compliant with HIPAA. If they are missing or poorly configured, your organization is exposed to costly breaches and to HIPAA fines.
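The role-based policy described above is easy to get wrong when rules are added ad hoc; the order of rules determines whether a workstation can reach the database. The following Python script is an added example, not code from the original article or from any firewall vendor: it models a zone-based ruleset with a default-deny backstop, evaluates constructed flows against it so the ordering can be checked before deployment, and renders the same policy as an nftables forward chain. The zone names, addresses and ports are invented for illustration, and the rendered nftables snippet is a starting point to review and test on a real firewall, not a production ruleset.

```python
"""Added example (not from the original article): zone/role-based ePHI access
and egress policy with first-match evaluation and an nftables rendering.
Zones, addresses and ports are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {  # assumed network layout
    "clinical_ws": ip_network("10.10.10.0/24"),
    "reception_ws": ip_network("10.10.20.0/24"),
    "ehr_app": ip_network("10.10.30.10/32"),
    "ehr_db": ip_network("10.10.31.10/32"),
    "proxy": ip_network("10.10.40.5/32"),
}
PUBLIC = "public"  # sentinel: any non-private (Internet) destination

@dataclass(frozen=True)
class Rule:
    src: str | None      # zone name, or None for any source
    dst: str | None      # zone name, PUBLIC, or None for any destination
    dport: int | None    # TCP destination port, or None for any
    action: str          # "allow" or "deny"
    log: bool = False

# First match wins; the final rule is the default-deny backstop.
POLICY = [
    Rule("ehr_app", "ehr_db", 5432, "allow"),            # only the app tier reaches the DB
    Rule(None, "ehr_db", None, "deny", log=True),        # everything else to the DB: drop + log
    Rule("clinical_ws", "ehr_app", 443, "allow"),
    Rule("reception_ws", "ehr_app", 443, "allow"),
    Rule("clinical_ws", PUBLIC, 443, "allow"),           # clinicians: broad web access
    Rule("reception_ws", "proxy", 3128, "allow"),        # reception: web only via the proxy
    Rule(None, None, None, "deny", log=True),
]

def _dst_matches(rule: Rule, ip) -> bool:
    if rule.dst is None:
        return True
    if rule.dst == PUBLIC:
        return not ip.is_private
    return ip in ZONES[rule.dst]

def evaluate(src: str, dst: str, dport: int) -> tuple[str, int, bool]:
    """Return (action, index of the matching rule, whether it logs) for a TCP flow."""
    s, d = ip_address(src), ip_address(dst)
    for i, r in enumerate(POLICY):
        if r.src is not None and s not in ZONES[r.src]:
            continue
        if not _dst_matches(r, d):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i, r.log
    raise AssertionError("policy has no default rule")

def render_nft(table: str = "ephi") -> str:
    """Render POLICY as an nftables forward chain with policy drop."""
    private = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
    lines = [f"table inet {table} {{", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in POLICY:
        parts = []
        if r.src:
            parts.append(f"ip saddr {ZONES[r.src]}")
        if r.dst == PUBLIC:
            parts.append(f"ip daddr != {private}")
        elif r.dst:
            parts.append(f"ip daddr {ZONES[r.dst]}")
        if r.dport:
            parts.append(f"tcp dport {r.dport}")
        if r.log:
            parts.append('log prefix "ephi-deny "')
        parts.append("accept" if r.action == "allow" else "drop")
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    flows = [("10.10.10.5", "10.10.30.10", 443),   # clinician -> EHR app: allow
             ("10.10.20.7", "10.10.31.10", 5432),  # reception -> DB: deny, logged
             ("10.10.10.5", "10.10.31.10", 443),   # clinician -> DB on 443: deny (rule 1 precedes rule 4)
             ("10.10.20.7", "93.184.216.34", 443)] # reception direct to Internet: deny
    for f in flows:
        print(f, "->", evaluate(*f))
    print(render_nft())
```

The clinician-to-database flow is the case worth checking: the broad "clinical_ws to any public 443" rule would not match a private address anyway, but a careless rewrite to "any destination" would, and only the earlier database deny rule keeps the workstation out. Keep the explicit deny-and-log rules ahead of every broad allow, and feed the "ephi-deny" log prefix into your monitoring so attempts to reach the database from workstations are investigated.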
What are the Firewall Best Practices for HIPAA Compliance?
Do you know which firewalls to use in order to comply with HIPAA? Is your network secure? How is your logging? If you are unsure of the answers, you are not alone.
Next-Generation Firewalls (NGFW) are a good option and make passing a HIPAA audit easier. Auditors from the HHS Office for Civil Rights (OCR) check that PHI is stored, transmitted and disposed of safely, and a firewall controls access to every location where PHI is stored. An NGFW can identify and authenticate access to the specific applications healthcare organizations use to deliver care, that is, it filters at the application layer (layer 7 of the OSI model) rather than only by address and port, so it can protect the PHI inside clinical applications.
The NGFW should also block peer-to-peer communication and file transfers between systems that are not part of the same application or storage environment. This stops users from pulling PHI out of one application and moving it into another, or to an unapproved destination.
Some of the NGFWs commonly used in healthcare are:
- Zenarmor
- Cisco ASA
- Check Point
- Fortinet FortiGate
- Sophos XG
- Palo Alto Networks