The Health Insurance Portability and Accountability Act (HIPAA) was originally passed in 1996, and, while its primary purpose was to allow workers to carry forward insurance and healthcare rights between jobs, in time it became better known for its prerequisites concerning privacy and security of protected health information (PHI).
Over the years, HIPAA regulations have evolved to keep up with changes in the healthcare industry, notably the introduction of electronic health records (EHR) and healthcare providers’ own push for digitalization, including apps, email correspondence, and social media as ways of communicating with patients and other providers. As a result, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed, which expanded HIPAA’s privacy and security scope by increasing legal liability and providing stricter enforcement of its requirements.
HIPAA is governed by three main rules:
- The Privacy Rule, which details how PHI can be used and disclosed;
- The Security Rule, which includes the standards and safeguards needed to protect electronic PHI at rest and in transit;
- The Breach Notification Rule, which requires organizations to notify patients and the proper authorities in case of a PHI data breach.
The Office for Civil Rights (OCR), U.S. Department of Health and Human Services (HHS), has been responsible for the enforcement of HIPAA since 2003, ensuring compliance with federal law.
Who does HIPAA apply to?
HIPAA compliance requirements extend to all healthcare organizations that handle protected health information. PHI is generally regarded as the domain of hospitals and healthcare institutions. In today’s digital age, however, healthcare providers rarely operate independently: they often share information with business associates or rely on subcontractors to perform services that may require the disclosure of PHI.
HIPAA covers all these entities: the actual providers that offer treatment, payment, or operations in healthcare, and all the associates with access to patient information that support them in the discharge of these services. Subcontractors, as well as business partners’ own associates, must comply with HIPAA. These parties must enter into Business Associate Agreements (BAAs) to ensure full compliance with HIPAA regulations.
Additionally, under the HITECH Act, healthcare providers must notify their business associates and subcontractors that they must comply with HIPAA.
What does HIPAA protect?
Protected Health Information (PHI) subject to HIPAA refers to information related to an individual’s past, present, or future physical or mental health and the provision of healthcare to that individual. It also includes personal identifiers such as name, address, or Social Security Number that, by themselves or combined with other identifiers, can reveal a person’s identity, medical history, or payments they have made.
The Privacy Rule
In force since 2003, the HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It applies to all healthcare and health plan providers, clearinghouses, and certain electronic healthcare transactions.
The Privacy Rule requires that appropriate safeguards be put in place to protect the privacy of PHI and sets the conditions and limits for the use and disclosure of PHI without a patient’s authorization. Under it, patients or their representatives can ask for a copy of their records to examine and can request corrections, if needed.
Organizations subject to HIPAA are required to answer such patient access requests within 30 days. Notices of Privacy Practices (NPPs) must also be issued to explain to patients how their data will be used or shared.
The Security Rule
Understanding the HIPAA Security Rule is vital for healthcare organizations to establish the security standards necessary to protect electronic PHI. The Security Rule specifically addresses the protection of individuals’ electronic protected health information (ePHI) that is created, received, used, or maintained by entities covered by HIPAA. It establishes a set of standards and safeguards to be put into place to ensure the confidentiality, integrity, and security of ePHI. Additionally, the HIPAA Security Rule mandates a thorough risk assessment to identify security risks and vulnerabilities to ePHI.
There are three types of safeguards under the Security Rule:
- Technical Safeguards that refer to the technology used to protect and access ePHI. Employing robust security measures, such as encryption and secure authentication, is crucial under the HIPAA Security Rule;
- Physical Safeguards that deal with physical access to ePHI regardless of its location. Workstations used to access ePHI must be secured against unauthorized access;
- Administrative Safeguards that include actions, policies, and procedures responsible for the enforcement of ePHI protection and the conduct of an organization’s workforce.
The Breach Notification Rule
Similar to the GDPR’s mandatory data breach notifications, the HIPAA Breach Notification Rule requires covered entities to notify patients in case of a data breach that includes their PHI, as well as the OCR and the media if the breach affects more than 500 patients.
Smaller breaches that affect fewer than 500 individuals must also be reported through the OCR’s website. Healthcare providers need to use HIPAA-compliant methods to communicate breaches to impacted individuals without undue delay, and no later than 60 days after the discovery of a breach. When patients are notified of the breach, they must be informed what they can do to protect themselves from potential harm, how the organization is investigating the incident, and how it will avoid similar security incidents in the future.
Fines under HIPAA
Federal fines for noncompliance can be issued by the OCR or state attorneys general, and are separated into four tiers depending on the level of perceived negligence at the time of the HIPAA violation. Penalties can be severe, especially in cases of willful neglect, and range from as little as $100 to as much as $1.5 million per year for each violation.
How Endpoint Protector Can Help Achieve HIPAA Compliance
Ensuring HIPAA compliance can be complex, especially with the rise of cybersecurity threats like ransomware that specifically target the healthcare industry. Endpoint Protector by CoSoSys is an industry-leading DLP and Device Control solution that can help ensure compliance by blocking, monitoring, and encrypting sensitive data. Whether your care providers are working on-site or remotely, Endpoint Protector’s encryption and monitoring services ensure that patient data remains secure and HIPAA compliant, even beyond the confines of your network or when devices are offline.
Looking to stay compliant with HIPAA? Schedule your demo today.
Frequently Asked Questions
Data Loss Prevention (DLP) solutions help organizations protect sensitive data such as Personally Identifiable Information (PII) or Intellectual Property (IP) from accidental exposure. Wherever data lives (in transit on the network, at rest in storage, or in use), DLP tools can monitor it and substantially diminish the risk of data loss. By deploying a DLP solution, companies can also reduce insider threats and reach compliance with data protection regulations such as the GDPR, CCPA, PCI DSS, or HIPAA.
Organizations looking to deploy a DLP solution should first assess their needs and capabilities, evaluate their data protection strategy, and then decide which approach fits better. When choosing between a dedicated DLP and an integrated DLP solution, the following questions might help:
- What type of sensitive data is collected and stored by the company?
- Where does sensitive data reside and who has access to it?
- What operational resources does the company have in place?
- What channels (email, web, cloud apps etc.) need coverage?
No, Endpoint Protector is not an integrated DLP solution; it is dedicated DLP software, also known as enterprise DLP. It is a security product specifically built and designed for data loss prevention, an essential tool in any comprehensive cybersecurity strategy. Our solution ensures enhanced data security, protects against insider threats, and offers predefined compliance profiles for GDPR, PCI DSS, HIPAA, and more.
Endpoint Protector is an advanced endpoint Data Loss Prevention (DLP) solution that allows companies to monitor and control multiple data flows, including file transfers via the Internet (such as e-mail clients, web browsers, or instant messaging applications) as well as transfers to the cloud (such as iCloud, Google Drive, or Dropbox). The solution also provides data visibility on the endpoints, which is essential for compliance. Endpoint Protector offers flexibility and granular control, as well as multiple deployment options.