The Health Insurance Portability and Accountability Act (HIPAA) is an acronym that gets thrown around a lot but is rarely fully understood. This American law is most often mentioned in the context of cyber security, because that is where many of the consequences it outlines apply, but that is only one of its five sections.
Titles 1, 3, 4, and 5 broadly affect the world of healthcare but are confined to that industry, which means they get discussed much less. These sections create specific guidelines and protections for employees who lose healthcare coverage after losing their jobs, introduce health insurance reform, and add tax-related provisions for medical care.
While these were important, Title 2 of the law sent shockwaves worldwide and created an entirely new subset of the information security industry. Ironically named “Administrative Simplification,” it introduced robust national guidelines for the electronic transmission of healthcare data and for the privacy of that information.
This law gets so much attention because of the strict penalties and fines it can impose on corporate players found to be in violation and on hackers who try to steal this type of information. This article sheds light on the law’s various cyber security provisions and on how to bring yourself up to HIPAA compliance.
What Are the Main Purposes Of HIPAA?
The only portion of the law relevant to cyber security, HIPAA’s Title 2, is divided into five subsections, each covering one element of the protection of patient information.
National Provider Identifier Standard
Every healthcare entity, whether a hospital or an individual, must have a 10-digit identifier. This requirement makes records easier to trace and eliminates confusion when information is sent.
Transactions and Code Sets Standard
This subsection codifies the security standards that must be present in any healthcare communication. It does not mandate a specific communication type but does, for example, refer to specific encryption levels.
HIPAA Privacy Rule
As the name implies, this is where the specific guidelines regarding patient privacy are described.
HIPAA Security Rule
This set of rules encompasses the specific information security requirements for all electronic transmissions of patient information.
HIPAA Enforcement Rule
The fines, penalties, and investigation guidelines that apply in the event of a violation.
What Are Common HIPAA Violations?
Becoming HIPAA compliant can be so costly, strict, and grueling that many technology providers that handle data refuse to work with potential healthcare clients at all. The few companies that do often hold a near-monopoly in their field and market themselves as compliant versions of popular tools, such as “the HIPAA-compliant Google Drive.”
Another reason is that every HIPAA breach carries a hefty government fine (the average fine in 2019 was $1.2 million), and more severe infringements can even lead to jail time. This reality can make running a HIPAA-compliant business a rather stressful affair.
Here are the most common HIPAA violations:
1. Unsecured Records
This scenario can arise from poor data handling by employees or from inadequate security measures at the institution. All physical documents must be kept in a locked cabinet, and digital data must always be encrypted.
2. Hacking
It is well known that healthcare institutions are common and prime targets for cyber attacks. The goal of these attacks is often to steal medical information, because it is so detailed that it can later be sold at a high price.
3. Third-Party Disclosure
While most healthcare employees are cautious about disclosing sensitive information, certain technology providers may have shortcomings. Whether the cause is a phishing attack or a full-blown hack, these situations highlight the need for robust employee cyber security awareness training.
In most cases, more than one party is held liable under the provisions of this law. For example, in the event of a hack, the law is used to prosecute the criminals who carried out the attack, but it also imposes fines on the healthcare provider that was hacked for its improper security measures.
How To Become HIPAA Compliant?
The process of becoming HIPAA compliant is long, follows specific guidelines, and must be carried out through a certified evaluator to be valid. However, most HIPAA compliance guidelines are simply good cyber security practices that most businesses should already have in place.
Encrypt your data
For some organizations, encrypting all business information can now be as simple as selecting the right technology vendor and enabling specific protocols. This type of protection is often enough to completely neutralize a cyber attack by rendering the information the hackers accessed useless.
While decrypting stolen data is possible, it is often so slow and challenging that most hackers will give up and move on.
Backup your data
Having a comprehensive data backup policy is essential in this day and age. To cover most situations, backups should be kept in several forms, both digital and on physical external servers that you control. Ransomware attacks often rely on a company’s lack of backups to extort it into paying. If you have backups, you can revert to an older version and quarantine the affected network until the malware is removed.
Have a detailed data transmission policy
Whether you work in healthcare or not, most data breaches happen because employees are not adequately trained in standard data transmission best practices. Simple measures such as phishing and fraud detection training can improve cyber security significantly.
HIPAA Compliance Is a Process
There is a good reason for HIPAA being such a strict law: improperly handled medical information can have catastrophic consequences for a person’s life. However, when you look closely at what this famous law actually requires, the directives do not seem that demanding after all.
Many companies could quickly become HIPAA compliant by passing the certification test. The requirements for healthcare professionals may seem like overkill for some organizations, but the truth is that they’re quickly becoming the bare minimum.
Healthcare institutions treat their data this way because they understand how sensitive it is, but their way of doing things should become the standard for everyone.