Healthcare Technology Featured Article

May 08, 2015

Keeping Up With HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation that created national standards to protect the privacy of patients' medical records (including electronic records) and other personal health information. The legislation makes organizations and individuals who collect and manage personal healthcare data legally responsible and accountable for its security. The U.S. Government has filed thousands of legal proceedings as a result of HIPAA.

This article will give a short history of HIPAA, describe its requirements and provide some best practices for compliance with this important legislation. 

Beginnings and Requirements

HIPAA is federal legislation that created national standards to protect the privacy of patients' medical records and other personal health information. The legislation applies to "covered entities," namely health care providers, health plans and health clearinghouses, and to the business associates of any of these. Consequences of negligence and misuse of private information can include civil and criminal penalties.

As a result of HIPAA, the Department of Health and Human Services created regulations for the handling of Protected Health Information (PHI), including in electronic or digital forms (ePHI). HIPAA has two main sets of requirements related to privacy and security.

The HIPAA Privacy Rule governs the saving, accessing and sharing of health-related and other personal information, whether oral or written. This rule defines the guidelines for safeguarding the confidentiality of PHI. Standards for identifying and authenticating people and organizations requesting PHI are outlined in this rule.

The HIPAA Security Rule more specifically outlines national security standards to protect health data that is created, received, maintained or transmitted electronically. This rule primarily focuses on the technological measures used to enforce information-handling policy and keep ePHI out of the wrong hands. Failing to comply with these rules can result in penalties not only for organizations but also for the responsible individuals. See Table 1 for a summary of violations and their potential penalties.

Table 1: HIPAA Violations and Penalties
(source :

Keeping Compliant

Any entity that deals with protected health information must make sure that all the required physical (actual data center server access), network and process security (audits, policies and staff training) measures are established and continuously observed. While the legislation is clear on the privacy, security and accessibility requirements for organizations, over 91,000 violations were recorded between April 2003 and January 2013. These resulted in 22,000 enforcement actions (which included settlements and fines), with 521 referred to the US Department of Justice for criminal investigation.

HIPAA Compliant Best Practices

  1. Review and evolve your policies and procedures. HIPAA is not a "set and forget" proposition; compliance must be a living, changing process that is regularly audited for effectiveness and legality. A lot has changed since 1996, and organizations' policies must reflect those changes.
  2. Accessibility rights are as important as rights to privacy. HIPAA gives patients certain control over their healthcare information, including the right to access it on demand and the right to revoke authorization to store their data. Organizations must act quickly when patients ask for their PHI.
  3. If you store your data with a third-party hosting provider, make sure that they are HIPAA compliant. The Security Rule hands down many stringent administrative, physical and technical requirements for such providers. Make sure that a full-scale risk assessment of the provider is performed on a regular basis, and ensure that a process is in place for monitoring compliance.
  4. Apply common sense to your technology platforms. Shut down computer programs and servers containing patient information when not in use, and don't share passwords among staff members. The US Department of Health and Human Services has found that storing patients' information on a HIPAA compliant cloud server can be safer than using a localized server or paper documents, so consider this option for increased security.

A HIPAA violation can be as small as a health care worker discussing a patient's private health information in the elevator, and as big as a $1.2 million fine for not erasing PHI from photocopier hard drives before returning them to the leasing agent. More than ever, common sense and sound corporate governance must be applied to the technologies and processes that manage confidential data. Protecting that data will protect clients and the organization as well.

Edited by Stefania Viscusi
