HIPAA Compliance Overview
What is HIPAA compliance?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a United States federal law designed to protect the personal health data collected in the course of providing health care to individuals. Its Privacy and Security Rules set minimum privacy and data security requirements for organizations that handle protected health information (PHI).
HIPAA established national standards for the privacy and security of protected health information. Since the Privacy Rule's 2003 compliance date, enforcement activities associated with HIPAA have raised the privacy practices of all entities subject to the federal regulation, giving individuals a reasonable basis to expect that the businesses and institutions with which they share their PHI will safeguard it. View more information about HIPAA compliance through an essential e-Book guide.
7 Things CISOs Ought to Know About HIPAA Compliance
Who oversees, monitors, and audits HIPAA compliance?
The question of who is “in charge” of HIPAA is more complicated than one might think. At the highest level, HIPAA is administered by the U.S. Department of Health and Human Services (HHS).
- Who enforces HIPAA? The HIPAA Privacy and Security Rules are enforced by the HHS Office for Civil Rights (OCR). View more information about who enforces the privacy and security regulations for protected health information under HIPAA.
- What is HITECH, and how does it relate to HIPAA? The Health Information Technology for Economic and Clinical Health Act (HITECH, 2009) strengthened HIPAA: it established breach notification requirements to give individuals whose information may be at risk greater transparency, raised the civil penalty tiers, and made business associates directly liable for compliance with the Security Rule.
- Who audits entities subject to HIPAA? HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. If you’re on the fence about whether your organization is subject to HIPAA compliance, view more information about periodic audits and reach out to Avertium for a consultation to become audit-ready.
- Related Resources:
What does HIPAA stand for?
HIPAA Compliance vs. HIPAA Compliance Certification - What's the difference?
In short, HIPAA compliance means meeting the requirements of the regulation itself, whereas “HIPAA compliance certification” refers to training and attestation programs offered by private firms. Note that HHS does not recognize or endorse any HIPAA certification: completing such a program is evidence that staff have been trained and that controls have been reviewed, but it is not a legal determination of compliance and does not shield an organization from OCR enforcement.
To ensure members of your organization are trained in HIPAA compliance, Avertium provides a HIPAA Certification Program built around a comprehensive, ongoing plan developed for your organization. As an ongoing plan, it keeps you aligned with current HIPAA regulations, including the latest industry trends and best practices.
Who is subject to HIPAA?
When it comes to HIPAA compliance, “who” and “when” lead to the same answer: an organization must be compliant from the moment it falls into one of the regulated categories below. It is important to determine whether your organization is subject to HIPAA before planning how to become compliant. If unsure, reach out to Avertium for a consultation.
- Who must be HIPAA compliant? When must you become HIPAA compliant? HIPAA regulation applies to organizations categorized as “covered entities” (health plans, health care clearinghouses, and health care providers) and “business associates” that handle protected health information (PHI). View more information about your rights as an individual under HIPAA.
Why is HIPAA Compliance important?
To understand why HIPAA compliance is important, one must understand why the HIPAA regulations were put in place: to protect sensitive protected health information (PHI). Ensuring that all records containing PHI are protected builds trust with your patients and clients, and HIPAA compliance sees to it that the covered entities and business associates handling PHI actually implement those safeguards and security measures.
If you are unsure whether your organization is a covered entity or a business associate handling PHI, and is therefore subject to HIPAA, reach out to Avertium for a consultation.
How much do HIPAA violations cost?
The question of “how much” depends on a number of factors. Civil penalties are determined by the Office for Civil Rights (OCR) and vary by incident, with the tier set by the organization's level of culpability (from lack of knowledge up to willful neglect that is not corrected). Organizations failing to comply with HIPAA regulations can be fined between $100 and $50,000 per violation, with an annual maximum of $1.5 million for violations of an identical provision; these statutory figures are adjusted periodically for inflation, so the current amounts are higher. View more information about HIPAA violation costs by taking a look at the different penalty structures.
How to Achieve + Maintain HIPAA Compliance
How can I achieve HIPAA compliance?
The first step is to complete a HIPAA risk analysis. According to the US Department of Health and Human Services (HHS), the Security Rule requires a risk analysis as the initial step in identifying and implementing security measures that meet its standards and implementation specifications, and requires that the analysis be reviewed and updated periodically. Avertium’s experts recommend that these assessments be conducted at least annually and whenever the environment changes significantly (new systems, new vendors, a merger, or a security incident).
Related Regulatory Resources:
- 2020 HIPAA Compliance Checklist
- Remote Workforce Cybersecurity Preparedness (+ HIPAA Compliant) – Web Series
How do I ensure HIPAA compliance?
A core safeguard for HIPAA compliance is to encrypt electronic protected health information (ePHI) wherever it is stored and wherever it travels across a network. Under the Security Rule, encryption of ePHI at rest and in transit is an “addressable” implementation specification: you are not strictly required to encrypt, but if you choose not to, you must document why and implement an equivalent alternative measure. Encryption also matters for breach response: under HHS guidance, ePHI that was encrypted in line with NIST recommendations is not considered “unsecured PHI,” so its loss does not by itself trigger breach notification. Encryption alone does not make an organization compliant; for more comprehensive measures, reach out to Avertium for a consultation.
What does the Avertium HIPAA compliance readiness program look like?
- Kicking off is identifying any areas of risk within your organization and comparing it against HIPAA regulations through a comprehensive risk assessment.
- Following that is a gap analysis that dives into the identified risks and is then used to create an initial roadmap of recommendations for remediation efforts.
- Once the initial roadmap is clearly laid out, the next step is the process of implementation.
- Finally, Avertium crafts an ongoing compliance plan with quarterly check-points and consultations to help keep your organization aligned and updated with HIPAA regulations.
How long must HIPAA-related documents be retained?
According to HHS, covered entities must retain HIPAA-related documentation (policies and procedures, risk analyses, training records, business associate agreements, and similar records required by the rules) for a minimum of six years from the later of its creation date or the last date it was in effect. This requirement covers compliance documentation, not the medical records themselves, whose retention periods are set by state law. HIPAA preempts state laws that require shorter retention periods; where state law requires a longer period, the longer period applies.
Certifications + Regulations Related to HIPAA
What is HITRUST CSF? How does it relate to HIPAA compliance?
Before answering “what” it is, keep in mind that being HIPAA compliant does not mean that you have achieved HITRUST CSF certification. The reverse is also not automatic: a HITRUST CSF certification provides strong, independently assessed evidence that controls mapped to the HIPAA requirements are in place, but neither HHS nor OCR recognizes any certification as proof of HIPAA compliance.
The HITRUST Common Security Framework (HITRUST CSF) is a widely adopted, certifiable set of security controls that harmonizes requirements from HIPAA and other standards, giving organizations a control set tailored to protecting sensitive data in the health care industry. View more information about HITRUST CSF Version 9.4.
Avertium is one of the few HITRUST assessor firms with Certified CSF Practitioners (CCSFP). Learn more about Avertium’s HITRUST services.
- What is HITRUST? Answers to Your HITRUST CSF Questions
- HITRUST CSF Version 9.4 CMMC and NIST Mapping: What’s New
What is a SOC 2 report? Does it make me HIPAA compliant?
SOC 2 is not a certification but an attestation report issued by a licensed CPA firm under AICPA standards, and it is not specific to health care. A SOC 2 report does not make an organization HIPAA compliant; its criteria are, however, commonly cross-referenced with regulations and frameworks such as HIPAA, so a well-scoped SOC 2 engagement can supply evidence for many HIPAA Security Rule safeguards.
The scope of the audit is to evaluate the design (Type 1) or the design and operating effectiveness over a period (Type 2) of your organization's controls against the Trust Services Criteria (TSC) you select, such as Security, Availability, Processing Integrity, Confidentiality, and Privacy.
How can Zero Trust Security benefit me?
The Zero Trust Security (ZTS) model is true to its name: a security framework in which no request is trusted because of where it comes from. Every access to a resource is denied until authentication and authorization are complete, regardless of whether the user or device is inside the corporate network.
We want to ensure the security of Protected Health Information (PHI) against the proliferation of threats in the health care industry. The HIPAA Security Rule requires access controls and person or entity authentication for systems holding ePHI, but it does not prescribe particular technologies; multi-factor authentication (MFA) and a Zero Trust model are widely adopted ways of meeting those requirements and of limiting how far an attacker can move once a single credential is compromised. View more information about NIST's published guidance on establishing Zero Trust and how it can improve your cybersecurity defenses.
HIPAA Compliance Resources
Stay ahead of potential attackers. The evolution of technology, from security frameworks to regulations, continually changes how HIPAA training and implementation must be carried out. Avertium has deep expertise in HIPAA compliance and managed security services (MSS), and a team of Certified HITRUST Assessors ready to help you strengthen your security posture.
As cybersecurity threats become more sophisticated, it’s important to maintain HIPAA compliance as a means of securing Protected Health Information data sets. By undergoing risk assessments and scans of your organization’s applications regularly, you can proactively identify gaps and vulnerabilities, and implement remediation efforts before a breach can occur.
- Does HIPAA Apply to Me?
- First HIPAA Risk Assessment? Here’s How to Be Prepared
- HIPAA Compliance Certification Program + Consultation
- Complying with HIPAA Encryption Standards; What You Need to Know
- How to Apply SOC 2 Type 2 Trust Services Criteria to Your Business
- SOC Audit Report Basics: The What, Why, Who and How
- Demystifying Zero Trust: What Is Zero Trust Security, and How Can It Bolster Your Environment?
- CDC’s Definition of HIPAA
- U.S. Department of HHS – Website
- HHS.gov – HIPAA Index
- Covered Entities and Business Associates
- HITECH Act
- HIPAA Enforcement
- HIPAA Privacy, Security, and Breach Notification Audit Program
- Your Rights Under HIPAA
- 2020 HIPAA Compliance Checklist
- Updated Audit Protocol as of July 2018
- Penalties for HIPAA Violations
Last updated: September, 2020
Glossary of Related Terms / Acronyms
PHI – Protected Health Information
ePHI – Electronic Protected Health Information
HHS – U.S. Department of Health and Human Services
OCR – Office for Civil Rights
HITECH – Health Information Technology for Economic and Clinical Health
HITRUST – Health Information Trust
CSF – Common Security Framework
SOC – System and Organization Controls (formerly Service Organization Control)
TSC – Trust Services Criteria
MSSP – Managed Security Service Provider
ZTS – Zero Trust Security
NIST – National Institute of Standards and Technology