What is HIPAA compliance?
HIPAA compliance means meeting the requirements of the Health Insurance Portability and Accountability Act of 1996, the US law that sets standards for the proper and lawful use and disclosure of protected health information (PHI).
The Department of Health and Human Services (HHS) regulates HIPAA. When you hear HIPAA invoked, it’s usually about the Privacy Rule, which sets standards for how PHI may be used and disclosed and gives individuals rights over their own health information. Other HIPAA rules, such as the Security Rule and the Breach Notification Rule, set further standards for safeguarding health information and for notifying affected individuals when it is breached.
Regulatory requirements evolve over time, so treat this guide as general information, not legal advice—check current HHS guidance for specifics.
What is PHI?
Protected health information is health information that identifies, or could be used to identify, a client or patient. A medical record, or a Social Security number held together with treatment details, are examples.
PHI becomes electronic PHI (ePHI) when it’s stored, accessed, or transmitted electronically. HIPAA’s security standards regulate ePHI as well.
Who is HIPAA applicable to?
HIPAA’s privacy rules and standards apply differently to covered entities, business associates, and hybrid entities.
Covered entities
HIPAA rules define covered entities as health plans, healthcare providers that transmit health information electronically, and healthcare clearinghouses.
Covered entities can be people, institutions, or organizations. Researchers, such as those running clinical trials, can also fall under the rules when they are also healthcare providers that transmit health information electronically.
Healthcare is defined as supplies, services, and care related to a person’s health—counseling, preventive care, rehab, procedures, therapeutic care, and diagnostic care. It also includes the sale and dispensing of drugs, durable medical equipment, devices, and other prescribed items.
Business associates
A business associate assists or acts on behalf of the covered entity. It may be a person or another entity.
Business associates may be used to de-identify PHI, carry out data aggregation, or prepare data sets.
They must have a written contract or another arrangement with the covered entity. With this in place, the covered entity can disclose PHI to the business associate as long as the associate safeguards the information.
A covered entity can’t authorize the business associate to use or disclose the information in a way that would violate the Privacy Rule if the covered entity did it itself.
Hybrid entities
Hybrid entities are single organizations that perform both covered and non-covered functions—for example, a university that runs a medical clinic.
HIPAA security rule checklist
This checklist incorporates the guidelines set out by HIPAA’s Security and Privacy Rules.
General rules
All covered entities must keep reasonable administrative, physical, and technical safeguards for all protected health information. Specifically, HIPAA states that they must:
- “Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.”
Here’s what those terms mean:
- Confidentiality means ePHI is not disclosed or made available to anyone not authorized to see it.
- Integrity means ePHI is not altered or destroyed in an unauthorized way.
- Availability means ePHI is accessible and usable on demand by anyone authorized to access it.
Administrative safeguards
The administrative safeguards deal with:
- Security personnel—a designated security official responsible for developing and overseeing the covered entity’s policies and procedures
- Security management processes—risk analysis and risk management measures that reasonably and appropriately reduce the risks and vulnerabilities to ePHI
- Information access management—the policies and procedures for authorizing access to ePHI, consistent with the Privacy Rule
- Workforce training and management—workers who deal with ePHI must be trained in policy and procedure, and procedures are needed to deal with workers who violate policies
- Evaluation—completed regularly to ensure all policies and procedures meet the requirements set out by the Security Rule
Physical safeguards
Physical safeguards cover facility access controls and workstation, device, and electronic media security. Physical access to the facility and to workstations must be limited to authorized individuals, and policies must govern how electronic media holding ePHI are transferred, removed, disposed of, and reused.
Technical safeguards
The technical safeguards below cover access control, audit control, integrity control, and transmission security for ePHI.
- Access control—technical policies and procedures that allow only authorized persons and software to access ePHI
- Audit control—hardware, software, or procedural mechanisms that record and examine access and other activity in systems that contain or use ePHI
- Integrity control—measures that ensure ePHI isn’t improperly altered or destroyed, with electronic mechanisms to confirm this
- Transmission security—measures that guard against unauthorized access to ePHI while it is transmitted over an electronic network
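Three of those four safeguards can be demonstrated in a few dozen lines. The following is an added example, not code from the original page or from HHS: it mediates every request for ePHI through a role check (access control), writes each attempt, allowed or denied, to an audit trail (audit control), and chains the audit entries with HMAC-SHA256 so that editing or deleting an entry is detectable (integrity control for the log). The roles, permissions, record identifiers, and patient data are constructed for the example; transmission security (TLS on the wire) is out of scope here.

```python
import copy
import hashlib
import hmac
import json

# Hypothetical role-to-action mapping for the access-control check.
# These roles and permissions are assumptions for this example, not HIPAA terms.
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "billing_clerk": {"read"},
    "receptionist": set(),
}

# Constructed sample ePHI records; the identifiers and values are made up.
EPHI_RECORDS = {
    "MRN-0001": {"name": "Example Patient", "diagnosis": "J06.9"},
    "MRN-0002": {"name": "Another Patient", "diagnosis": "E11.9"},
}


class AuditLog:
    """Append-only audit trail.

    Each entry is tagged with HMAC-SHA256 over the previous entry's tag plus
    the entry itself, so an insider who can edit the stored log cannot alter,
    remove, or reorder an entry without verify() failing.
    """

    GENESIS = b"\x00" * 32  # chain anchor for the first entry

    def __init__(self, key: bytes):
        self._key = key          # kept apart from the log itself in practice
        self._prev_tag = self.GENESIS
        self.entries = []

    def _tag(self, prev_tag: bytes, entry: dict) -> bytes:
        payload = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, prev_tag + payload, hashlib.sha256).digest()

    def record(self, actor, role, action, record_id, allowed):
        entry = {
            "seq": len(self.entries),
            "actor": actor,
            "role": role,
            "action": action,
            "record_id": record_id,
            "allowed": allowed,
        }
        tag = self._tag(self._prev_tag, entry)
        self.entries.append({**entry, "tag": tag.hex()})
        self._prev_tag = tag

    def verify(self) -> bool:
        """Recompute the chain from the anchor; False on any edit or gap."""
        prev = self.GENESIS
        for stored in self.entries:
            body = {k: v for k, v in stored.items() if k != "tag"}
            expected = self._tag(prev, body)
            if not hmac.compare_digest(expected, bytes.fromhex(stored["tag"])):
                return False
            prev = expected
        return True


class EphiStore:
    """Mediates every access to ePHI: authorize, then log, then act."""

    def __init__(self, records, audit: AuditLog):
        self._records = records
        self._audit = audit

    def access(self, actor, role, action, record_id, changes=None):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        # Log before acting so that denied attempts are captured too.
        self._audit.record(actor, role, action, record_id, allowed)
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not {action} {record_id}")
        if action == "update":
            self._records[record_id].update(changes or {})
        return dict(self._records[record_id])


def run_demo(key: bytes = b"constructed-demo-key") -> dict:
    """Exercise allowed and denied accesses, then simulate log tampering."""
    audit = AuditLog(key)
    store = EphiStore(copy.deepcopy(EPHI_RECORDS), audit)
    denied = 0
    store.access("dr_lee", "physician", "read", "MRN-0001")
    store.access("dr_lee", "physician", "update", "MRN-0001", {"diagnosis": "J06.0"})
    store.access("pat_b", "billing_clerk", "read", "MRN-0002")
    for actor, role, action in [("pat_b", "billing_clerk", "update"),
                                ("kim", "receptionist", "read")]:
        try:
            store.access(actor, role, action, "MRN-0002")
        except PermissionError:
            denied += 1
    intact = audit.verify()
    # An insider rewrites a denied attempt as allowed; the chain exposes it.
    audit.entries[3]["allowed"] = True
    return {"entries": len(audit.entries), "denied": denied,
            "intact_before": intact, "tamper_detected": not audit.verify()}


if __name__ == "__main__":
    print(run_demo())
```

The log is written before the authorization decision is enforced, which is the detail most often missed: a trail that records only successful reads cannot show the denied attempts that an investigation or a periodic evaluation needs.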
Organizational requirements
Organizational requirements break down into two groups:
- Covered entity responsibility—if the entity knows of a pattern of activity or practice by the business associate that materially breaches the associate’s obligations under the contract, the entity must take reasonable steps to cure the breach or end the violation, and if that fails, terminate the contract.
- Business associate contract—the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 extended the Security Rule’s obligations and penalties directly to business associates. The act also gives HHS authority to set up programs that improve healthcare safety, quality, and efficiency by promoting health IT.
HIPAA security requirements
Documentation, policies, and procedures must be reasonable and comply with the Security Rule. The covered entity must retain them for six years from the date of their creation or the date they were last in effect, whichever is later.
The covered entity should review these periodically and update them for any environmental or organizational change that affects ePHI.
How to become HIPAA compliant
The following need to be in place for basic compliance:
- Written procedures, standards, and policies that cover the conduct required
- A compliance committee with a compliance officer to oversee HIPAA requirements
- Effective HIPAA training and education throughout the company
- Company-wide internal monitoring of compliance, with auditing
- Good, open, and
- Well-understood disciplinary guidelines that enforce HIPAA standards
- Quick, efficient responses to any offense, backed by solid corrective action