Why It’s Important To Be HIPAA Compliant

Written By Tibby Fielding

One way to help build trust between patients and healthcare professionals is through HIPAA compliance. Patients can feel more confident in their doctors which leads to better healthcare. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was created to protect the privacy of individuals’ health information. It also sets standards for the security of electronic health information. As technology has advanced, so have threats to the security of protected health information (PHI). Cybersecurity is a critical component of HIPAA compliance and is essential for protecting the privacy of individuals’ health information. HIPAA compliance focuses on the privacy of patient data but does not address the security of the data. Cybersecurity measures and IT professionals are necessary for protecting healthcare data from unauthorized access, malicious attacks, and data breaches. These security specialists can implement measures such as encryption, firewalls, and access controls to protect patient data. They also monitor the network for suspicious activity.

The penalties for HIPAA violations can be severe, especially when combined with a network security breach. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA and can impose penalties for violations ranging from $100 to $1.5 million per year. These penalties can be detrimental to healthcare providers. Combined with a security breach, millions of dollars in damages, and leaked sensitive data, healthcare providers face a growing threat to their security.

Rethinking Your Approach To Cyber Risk Management

Healthcare has changed to serve both on-site and remote patients. To safeguard data and practice system management for protected health information (PHI), a holistic and comprehensive approach to cybersecurity that meets HIPAA compliance and HIPAA Security Rule Standards is necessary. Consider the following practices when planning for cyber risk management.

Administrative Safeguards:

  • Implement access control measures such as multi-factor authentication, two-step verification, and monitoring user activity.
  • Regularly update passwords and secure user account privileges with appropriate clearances.
  • Secure networks and computers by installing a comprehensive security solution that includes firewalls, malware protection, antivirus software, and continual monitoring.
  • Conduct employee security training sessions to teach employees about the importance of healthcare data privacy and security best practices.
  • Perform regularly scheduled backups of your data, and have emergency plans in place.

Physical Safeguards:

  • Secure premises by installing locked doors, motion detectors, and security cameras.
  • Restrict access to workstations, utilize physical barriers around protected information, and operate with ID keycard access.
  • Technical Safeguards:

Access Control:

  • This involves verifying and authorizing user access to PHI. It can be accomplished with passwords, personal identification numbers, and biometric identification.
  • Automatic Logoff: Establish procedures that terminate an electronic session after a predetermined time of inactivity.
  • Audit Controls: Implement hardware, software, and procedural mechanisms to record and examine access and other activity.
  • Integrity Controls: Implement measures to ensure that PHI is authenticated and is not improperly altered or destroyed.
  • Transmission security: Regulate the controls for encryption, and provide safeguards against unauthorized access of PHI during transmission.

Do you need help advancing your existing risk management program into one that is more holistic and includes a whole-systems approach? Contact ADVYON today for a lasting partnership and see how we can help identify your organization’s risks and resolve them quickly and efficiently. ADVYON is more than just an IT company, we are great at assessing, identifying, and aligning business and technology solutions to complement our client’s strategic objectives, growth, project goals, culture, people, and processes.

How do I setup an authorized users message on Active Directory – HIPAA, NIST, FINRA

One common rule for setting up compliance is an unauthorized user rule on login.  Below is a video showing how to set up a title and message under an active directory.  It worked great for us!

How to set up a login warning message, via Group Policy (GPO) for Windows Computers | VIDEO TUTORIAL



HIPAA Patient Data Retention time for South Carolina, SC – How Long Should I Keep My Patient Files?

A common question for doctors, medical professionals, and IT staff who deal with patient data, medical files, or HIPAA related info is, “How long do I need to keep all of our patient records?”

HIPAA protects patients’ rights to access their personal files.  Patient Data and access to Patient Files in the state of South Carolina should be stored and accessible for a time period of 10 years for adults from the last treatment and 13 years from the last treatment for children.

According to hss.gov’s website,  HIPAA doesn’t designate a particular period of time for file retention. It does clearly state that a reasonable effort needs to be saved, stored, backed-up, and retrievable.  It also allows the states to make their own time retrieval policies.  According to healthit.gov’s website, in South Carolina, the retention time for Patient Data is 10/Years.  The website also shows other state laws in regard to their retention policies.

How do I become HIPAA compliant? (a checklist)

A little housekeeping before we answer the question. This article is not a definitive list of what is required for HIPAA compliance; you should assign a Privacy Officer to review each rule in its entirety. This article is intended to point you in the right direction.

So you have determined that you are handling protected health information (PHI) and that you need to be HIPAA compliant. What’s next? What steps need to be taken in order to become HIPAA compliant?

The simple answer is that Covered Entities and their Business Associates need to protect the privacy and security of protected health information (PHI). But, it gets more complicated when you start to put together a to-do list.

There are 4 rules that you will need to dissect.

  1. HIPAA Privacy Rule
  2. HIPAA Security Rule
  3. HIPAA Enforcement Rule
  4. HIPAA Breach Notification Rule

As far as action items are concerned, you need to follow the HIPAA Privacy Rule and the HIPAA Security Rule. And, you need to provide notification following a breach of unsecured protected health information (the Breach Notification Rule).

If you’re a developer trying to understand the scope of the build, then you need to focus on the Technical and Physical Safeguards spelled out in the Security Rule; these two sections comprise the majority of your to-do list. Let’s start there.

HIPAA Security Rule

The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).

The Security Rule is made up of 3 parts.

  1. Technical Safeguards
  2. Physical Safeguards
  3. Administrative Safeguards

All 3 parts include implementation specifications. Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented. (see the HHS answer)

It is important to remember that an addressable implementation specification is not optional. When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.

Technical Safeguards

The Technical Safeguards focus on the technology that protects PHI and controls access to it. The standards of the Security Rule do not require you to use specific technologies. The Security standards were designed to be “technology neutral.”

There are 5 standards listed under the Technical Safeguards section.

  1. Access Control
  2. Audit Controls
  3. Integrity
  4. Authentication
  5. Transmission Security

When you break down the 5 standards there are 9 things that you need to implement.

  1. Access Control – Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
  2. Access Control – Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
  3. Access Control – Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  4. Access Control – Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
  5. Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  6. Integrity – Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
  7. Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
  8. Transmission Security – Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
  9. Transmission Security – Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.

Security Standards: Technical Safeguards

HHS offers insight into the Security Rule and assistance with the implementation of the security standards.

HHS: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

Physical Safeguards

Physical Safeguards are a set of rules and guidelines that focus on the physical access to PHI.

TrueVault provides an in-depth analysis of the Physical Safeguards in a two-part blog post.

HIPAA Physical Safeguards Explained, Part 1

HIPAA Physical Safeguards Explained, Part 2

There are 4 standards in the Physical Safeguards section.

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls

When you break down the 4 standards there are 10 things that you need to implement.

  1. Facility Access Controls – Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  2. Facility Access Controls – Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  3. Facility Access Controls – Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  4. Facility Access Controls – Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
  5. Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
  6. Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
  7. Device and Media Controls – Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
  8. Device and Media Controls – Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
  9. Device and Media Controls – Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
  10. Device and Media Controls – Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

Security Standards: Physical Safeguards

HHS: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf

Administrative Safeguards

The Administrative Safeguards are a collection of policies and procedures that govern the conduct of the workforce, and the security measures put in place to protect ePHI.

The administrative components are really important when implementing a HIPAA compliance program; you are required to assign a privacy officer, complete a risk assessment annually, implement employee training, review policies and procedures, and execute Business Associate Agreements (BAAs) with all partners who handle protected health information (PHI).

There are 9 standards under the Administrative Safeguards section.

  1. Security Management Process
  2. Assigned Security Responsibility
  3. Workforce Security
  4. Information Access Management
  5. Security Awareness and Training
  6. Security Incident Procedures
  7. Contingency Plan
  8. Evaluation
  9. Business Associate Contracts and Other Arrangements

As with all the standards in this rule, compliance with the Administrative Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions.

When you break down the 9 standards there are 18 things that you need to do.

  1. Security Management Process – Risk Analysis (required): Perform and document a risk analysis to see where PHI is being used and stored in order to determine all the ways that HIPAA could be violated.
  2. Security Management Process – Risk Management (required): Implement sufficient measures to reduce these risks to an appropriate level.
  3. Security Management Process – Sanction Policy (required): Implement sanction policies for employees who fail to comply.
  4. Security Management Process – Information Systems Activity Reviews (required): Regularly review system activity, logs, audit trails, etc.
  5. Assigned Security Responsibility – Officers (required): Designate HIPAA Security and Privacy Officers.
  6. Workforce Security – Employee Oversight (addressable): Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
  7. Information Access Management – Multiple Organizations (required): Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
  8. Information Access Management – ePHI Access (addressable): Implement procedures for granting access to ePHI that document access to ePHI or to services and systems that grant access to ePHI.
  9. Security Awareness and Training – Security Reminders (addressable): Periodically send updates and reminders about security and privacy policies to employees.
  10. Security Awareness and Training – Protection Against Malware (addressable): Have procedures for guarding against, detecting, and reporting malicious software.
  11. Security Awareness and Training – Login Monitoring (addressable): Institute monitoring of logins to systems and reporting of discrepancies.
  12. Security Awareness and Training – Password Management (addressable): Ensure that there are procedures for creating, changing, and protecting passwords.
  13. Security Incident Procedures – Response and Reporting (required): Identify, document, and respond to security incidents.
  14. Contingency Plan – Contingency Plans (required): Ensure that there are accessible backups of ePHI and that there are procedures for restore any lost data.
  15. Contingency Plan – Contingency Plans Updates and Analysis (addressable): Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
  16. Contingency Plan – Emergency Mode (required): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.
  17. Evaluations (required): Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
  18. Business Associate Agreements (required): Have special contracts with business partners who will have access to your PHI in order to ensure that they will be compliant. Choose partners that have similar agreements with any of their partners to which they are also extending access.

Security Standards: Administrative Safeguards

HHS: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.

Business Associates are directly liable for uses and disclosures of PHI that are not covered under their BAA or the HIPAA Privacy Rule itself.

The Privacy Rule requires Business Associates to do the following:

  1. Do not allow any impermissible uses or disclosures of PHI.
  2. Provide breach notification to the Covered Entity.
  3. Provide either the individual or the Covered Entity access to PHI.
  4. Disclose PHI to the Secretary of HHS, if compelled to do so.
  5. Provide an accounting of disclosures.
  6. Comply with the requirements of the HIPAA Security Rule.

HHS, Privacy Rule:


HIPAA Enforcement Rule

The HIPAA Enforcement Rule spells out investigations, penalties, and procedures for hearings.

What’s the penalty for a HIPAA violation? Read True Vault’s blog on post the subject.

HHS, Enforcement Rule:


HIPAA Breach Notification Rule

The Breach Notification Rule requires most healthcare providers to notify patients when there is a breach of unsecured PHI. The Breach Notification Rule also requires the entities to promptly notify HHS if there is any breach of unsecured PHI, and notify the media and public if the breach affects more than 500 patients.

HHS, Breach Notification Rule:



When you boil it down, HIPAA is really asking you to do 4 things:

  1. Put safeguards in place to protect patient health information.
  2. Reasonably limit uses and sharing to the minimum necessary to accomplish your intended purpose.
  3. Have agreements in place with any service providers that perform covered functions or activities for you. These agreements (BAAs) are to ensure that these services providers (Business Associates) only use and disclose patient health information properly and safeguard it appropriately.
  4. Have procedures in place to limit who can access patient health information, and implement a training program for you and your employees about how to protect your patient health information.