The Ultimate Guide to HIPAA Compliance

February 16, 2015

With governments ramping up their efforts to clamp down on unscrupulously liberal data industry practices to combat the growing risks of identity theft and privacy violations, it is safe to say the digital information industry is not the Wild, Wild West anymore. Data governance in the healthcare industry is one of the areas that have […]

With governments ramping up their efforts to clamp down on unscrupulously liberal data industry practices to combat the growing risks of identity theft and privacy violations, it is safe to say the digital information industry is not the Wild, Wild West anymore.

Data governance in the healthcare industry is one of the areas that have witnessed a lot of scrutiny and revaluation of policies over the past few years as organizations scrambled to comply with HIPAA standards and ensure the security of protected health information (PHI).

But here’s a question – why does the federal Health Insurance Portability and Accountability Act still give nightmares to people despite being launched in 1996?

To understand this, you must first consider how the advent of advanced digital data storage and distribution platforms has raised the stakes for the healthcare industry to manage sensitive healthcare information, facilitate insurance cases, and control administrative costs like never before. Unfortunately, healthcare institutions have never faced such tremendous pressure in keeping up with technology before as well as dealing with complex unforgiving regulations at the same time.

ePHI is merely PHI that is stored or transmitted electronically (i.e. via email, text message, web site, database, online document storage, electronic FAX, etc

According to NIST guidelines, an individual or team in the organization must be tasked with the responsibility for ensuring HIPAA compliance and accepting the business risk.

Once a clear business owner is established, a cross-disciplinary group, including the technical, legal, and HR departments must work in tandem to ensure that the policies are appropriately defined appropriately and correctly implemented to fulfill the objectives of the data governance strategy.

According to the HHS, no authority can grant any kind of certification to prove your organization is HIPAA compliant. HIPAA compliance is an ever-evolving process for organizations instead of a one-time landmark event, which is why deploying a tool to aggregate compliance metrics for tracking your document storage and sharing policies can come in handy.

Given the vitality of protected health information (PHI) and HIPAA compliance, let us dig a little deeper and highlight the four key rules you will need to address:

  1. HIPAA Privacy Rule
  2. HIPAA Security Rule
  3. HIPAA Enforcement Rule
  4. HIPAA Breach Notification Rule

The general guidelines of the HIPAA Security Standard demonstrate a technology-neutral approach, which means that there are no biased leanings towards certain technological systems or cloud services as long as the data protection regulations are being addressed seriously. However, the HIPAA language does introduce two classes of policy standards for the consideration of data management teams:

  1. Required (R) - mandatory compliance standards
  2. Addressable (A) – should be implemented unless detailed risk assessments can prove that their implementation is not required or favorable to their business setting.

HIPAA Administrative Requirements

Addressable Required
Employee Oversight: (A) Employ procedures to permit, revoke access, and administer employees working with protected health information. Risk Analysis: (R) Execute a risk analysis program to evaluate the key areas of storage and utilization of PHI to identify vulnerable points in the system.
ePHI Access: (A) Implement procedures for providing employee access to PHI and document all services that grant access to ePHI. Risk Management: (R) Implement actions adequate enough to mitigate risks to a suitable level.
Security Reminders: (A) Occasionally provide security and privacy policy updates and reminders to employees. Sanction Policy: (R) Put into practice sanction policies for employees who violate compliance standards.
Protection against Malware: (A) Implement procedures to detect and safeguard against malware. Information Systems Activity Reviews: (R) Recurrently examine system activity and logs.
Login Monitoring: (A) Report all system logins and track any discrepancies observed. Officers: (R) Appoint HIPAA Security and Privacy Officers
Password Management: (A) Create secure and easily accessible protocols for password modification and recovery. Multiple Organizations: (R) Ensure unauthorized access by the third party or parent organizations is warded off.
Contingency Plans Updates and Analysis: (A) Establish periodic testing routines and regular examination of contingency plans. Response and Reporting: (R) Track and document all security-related actions.
Contingency Plans: (R) Create accessible PHI backups for easy restoration of stolen or lost data.
  Emergency Mode: (R) Establish contingency protocols to guarantee the unhindered workflow of critical business processes remains unaffected.
  Evaluations: (R) Carry out episodic evaluations to ensure your data governance is in compliance with all the latest laws and regulations.
  Business Associate Agreements: (R) Establish special Omnibus-compliant contracts with business partners who can access your facility’s PHI in order to guarantee their compliance.


HIPAA Physical Requirements

Addressable Required
Contingency Operations: (A) Implement procedures that provide facility access in support of the restoration of lost data as part of your organization’s disaster recovery and emergency plan. Workstations: (R) Apply policies to control the configuration of software on systems. You can also safeguard all workstations by restricting admission to authorized users.
Facility Security: (A) Implement policies and procedures to protect all ePHI stored on the facility. Devices and Media Disposal and Re-use: (R) Take measures for the secure disposal and reuse of all media and devices handling ePHI.
Access Control and Validation: (A) Initiate measures to control and validate individual authentication based on their designation as well as control access to testing software.
Media Movement: (A) Log all hardware movements related to ePHI storage.


HIPAA Technical Requirements

Addressable Required
Automatic Logoff: (A) Establish an automatic suspension point of electronic procedures after a fixed period of inactivity. Unique Tracking: (R) Allocate a unique name/number for the purpose of identifying user identity.
Encryption and Decryption: (A) Set up an electronic apparatus to encrypt and decrypt ePHI as and when necessary. Audit Controls: (R) Employ hardware and software tracking gateways to track and record all activity pertaining to the use of ePHI.
ePHI Integrity: (A) Apply policies to safeguard ePHI from unsanctioned revision or damage. Authentication: (R) Implement protocols to verify the authentication of all personnel seeking access to ePHI.
Transmission Security: (A) Execute technical security measures to prevent unlawful access to sensitive ePHI being transmitted over a network.

Read more about our HIPAA compliance here

Author: Prashant Bajpai

image courtesy: Stuart Miles/

By Team FileCloud