What is HIPAA compliance? A healthcare privacy guide for organizations

The Health Insurance Portability and Accountability Act (HIPAA) defines how healthcare services and their business associates in the United States handle sensitive data about their clients. 

Regulated by the Department of Health and Human Services (HSS), it is a collection of closely aligned regulations aimed at ensuring the privacy and confidentiality of personal medical data.

This article is part of our series focusing on the privacy and security aspects of the US’s most comprehensive federal data protection law.

Read our past articles about HIPAA

HIPAA compliance explained

HIPAA compliance is the ongoing and active process by which covered entities and business associates secure and protect protected health information (PHI).

Protected health information (PHI)

The purpose of HIPAA is to protect protected health information. PHI is any information that can be used to identify an individual, plus all medical records and related data. It includes:

• Patient’s name, contact details, profession, social security number, billing, and insurance details
• Any other personally identifiable information, such as photographs, fingerprints, and emergency contacts
• Medical history and ongoing treatments
• Family medical histories
• Information collected through conversations between the patient and a healthcare provider

The Security Rule(new window) is an update to HIPAA that regulates how electronic protected health information (EPHI) — PHI that is stored and accessed in electronic form — must be protected.

Entities that must be HIPAA compliant

As a rule, any person or entity that has access to patients’ medical data must be HIPAA compliant. These entities are defined by HIPAA as:

• Covered entities(new window) — any person or organization that has access to PHI. This includes healthcare providers, doctors, healthcare staff, pharmacies, healthcare clearinghouses, insurance companies, dentists, clinics, and nursing homes.
• Business associates(new window) — any person or organization that performs a service or other activity for a covered entity that gives it access to PHI. This includes email providers, cloud storage providers, physical storage providers, billing and finance companies, lawyers, accountants, third-party consultants, and Electronic Health Record (EHR) platforms.

In short, any business or any individual acting in a professional capacity that has any contact with the healthcare industry must be HIPAA compliant.

HIPAA rules

HIPAA contains multiple regulations, but the key rules everyone should be aware of are:

HIPAA Privacy Rule

The HIPAA Privacy Rule(new window) and the HIPAA Security Rule (see below) together provide the foundations of HIPAA. The Privacy Rule only applies to covered entities (not business associates). It defines in detail what data constitutes PHI and explains how and when covered entities can access it.

The Privacy Rule also explains patients’ rights to access their own PHI, and the circumstances under which such access can be denied.

HIPAA Security Rule

The HIPAA Security Rule(new window) applies to both covered entities and business associates and  defines the physical, electronic, and administrative protections that must be in place for storing, handling, and transmitting PHI in electronic form (EPHI).

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule(new window) requires covered entities to notify individuals within 60 days if their PHI has been improperly accessed and stipulates other actions that must be performed in such an event.

• Minor breaches — all breaches, no matter how big, must be reported to the Office for Civil Rights (OCR)(new window) within 60 days.
• Meaningful Breaches — any breach that affects over 500 individuals must be reported to the OCR within 60 days. Local law enforcement agencies must also be contacted immediately, and a press release must be prepared in order to alert potential victims about the situation.

HIPAA Omnibus Rule

An important update to HIPAA, the Omnibus Rule(new window) clarifies and updates the previous rules. Most importantly, it greatly expands the definition of business associates who must be HIPAA compliant to almost all entities that have any contact whatsoever with PHI. This includes subcontractors, storage consultants, and storage providers. 

The Omnibus Rule rule also prohibits covered entities and business associates from exploiting PHI for marketing or other commercial purposes.

HIPAA Enforcement Rule

As its name suggests, the HIPAA Enforcement Rule explains how companies should handle HIPAA violations, be they the result of incompetence, negligence, or malicious actions by a third party. All violations must be reported to the OCR.

HIPAA violations

HIPAA violations are investigated by the HSS Office for Civil Rights (OCR), which has the power to levy fines against offenders. We discuss HIPAA violations(new window) in detail in a separate article.

Why HIPAA compliance is important 

For patients

• HIPAA provides a raft of safeguards that protect the privacy and security of patients’ data. Without it, there would be no legal requirements for healthcare entities to provide such protections and no negative consequences for privacy breaches.
• It specifies rules about who has access to patient’s data, how that data is stored, and who it can be shared with.
• HIPAA also ensures that patients have a degree of control over their own medical data. It allows them to access their own medical records and have a say in who their data is shared with.
• Importantly, HIPAA allows patients to correct mistakes in their medical records that could have big consequences on their insurance payments. 

For healthcare providers

• With fines of up to $1.5 million, non-compliance can be expensive.
• HIPAA compliance is critical to the reputation of any healthcare-related service, and HIPAA violations are likely to have a large negative impact on customers’ and potential customers’ confidence in the service.
• Patients are less likely to withhold personal and sensitive information that might affect accurate diagnosis when they are confident that their data is secure.
• PHI can be easily and securely transferred between HIPAA-compliant entities. This is in sharp contrast to the situation before HIPAA, when healthcare providers were under no obligation to share patients’ records.
• Because all HIPAA-compliant entities work to the same security standards, different healthcare services can work together with greater efficiency.

Recent updates to HIPAA legislation

It has been seven years since any major updates were made to HIPAA Rules, and many now feel that some changes are long overdue. After a very slow 2019, hopes were high that some movement might be achieved in 2020, but the COVID-19 pandemic has placed such plans on a backburner.

The most important new developments in the health sector are due not to HIPAA, but to the 

Coronavirus Aid, Relief, and Economic Security (CARES) Act(new window), which is designed to ensure all Americans have access to the care they need during the pandemic.

The CARES Act also introduces new rules on the sharing substance abuse disorder (SUD) records for patients, while still complying with HIPAA.

A number of major updates to HIPAA were expected in 2020. These included improvements to how HIPAA violations are enforced, an updated penalty structure for violations, and new legislation aimed at tackling the opioid abuse epidemic currently plaguing America (notably, aligning HIPAA with the 42 CFR Part 2(new window) regulations that protect SUD records). 

The HSS was also debating the implementation of a permanent audit structure, and the OCR is considering changing the Privacy Rule to make sharing PHI between healthcare providers mandatory, rather than simply allowed.

No updates to HIPAA legislation have been made in response to COVID-19, but the OCR has announced three Notices of Enforcement Discretion that relax how it will enforce HIPAA violations during the pandemic:

Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency(new window)

Remote consultations over the internet that avoid in-person contact have become a vital means of providing healthcare during the pandemic. Unfortunately, many of the video-conferencing and other remote networking platforms used to provide such care fall short of the levels of security usually expected for HIPAA compliance.

This Notification of Enforcement Discretion addresses the problem by stating that “OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.”

Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities(new window)

This announcement states that the OCR will waive violations of “of certain provisions of the HIPAA Privacy Rule” relating to public health and health oversight activities by business associates acting in good faith. 

COVID-19 Community-Based Testing Sites(new window)

This notice waives HIPAA violations for covered entities and business associates at  COVID-19 drive-through testing sites.

FAQ

---

Feel free to share your feedback and questions with us via our official social media channels on Twitter(new window) and Reddit(new window).