Security compliance Measuring/certifying security programs HIPAA

How to become HIPAA compliant — and why you should

Is your business required to be HIPAA compliant? HIPAA violation fines could cost your business millions, so it’s essential to know. Plus, HIPAA compliance can actually help you increase your revenue.

If you want to know more about what HIPAA is, what the rules are, and who is required to be HIPAA compliant, this is the guide for you. 

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a collection of regulations in the United States governing the privacy and security of individuals’ protected health information (PHI).

One of the included regulations is the HIPAA privacy rule, which is one of three important HIPAA rules focused on how covered entities must ensure the confidentiality, integrity, and availability of PHI. PHI is simply any information used to identify someone’s health status or healthcare services, including things like names, addresses, test results, medical diagnoses, summary health information, and treatment plans.

The HIPAA Privacy Rule requires covered entities to have policies and procedures in place to ensure that PHI is used and disclosed only for permitted purposes and that individuals have the right to access and receive a copy of their PHI. 

For example, HIPAA compliance requires ongoing training for employees who handle PHI, regular risk assessments to identify vulnerabilities and potential breaches, and the implementation of policies and procedures to address security incidents and breaches. 

While that covers the basics of how HIPAA works, you might be curious whether or not it applies to your business, so let’s touch on that next before going over violations and how to seek HIPAA compliance.

Who needs to be HIPAA compliant?

HIPAA applies specifically to two types of parties:

  • Covered entities
  • Business associates

A covered entity is basically any healthcare provider, health insurance company, or billing service that sends electronic health information in connection with a HIPAA transaction. So, think hospitals, doctors' offices, and insurance companies. They all have to follow the rules of HIPAA, which means they're on the hook for any violations of privacy, security, or breach notification.

Business associates, on the other hand, are the helpers of covered entities. They're companies or people that work with covered entities, doing tasks like processing insurance claims or transcribing medical records, and need access to PHI to get their jobs done. Business associates also have to follow HIPAA regulations, but their responsibilities are a bit different. They only have to follow the security and breach notification rules, but they still have to respect patient privacy when handling PHI. 

For reference, here’s a useful list of things that cannot be shared under HIPAA:

  • Healthcare claims
  • Documentation of doctor's visits
  • Payment and remittance information
  • Coordination of healthcare benefits
  • Claim status
  • Health claims attachments
  • Enrollment information in a health plan
  • Eligibility information for  health plans
  • Injury reports
  • Personal information generated from premium payments
  • Details from electronic funds transfers (EFT)

You should also know that these rules aren’t without exceptions, like in the case of life-threatening emergencies. 

If you’re concerned about violations and how much they might cost, read on.

What are HIPAA violations and how much do they cost?

Once again, HIPAA violations occur when a covered entity or business associate fails to comply with one or more aspects of the HIPAA rules. Any mishandling, misuse, or improper care of PHI could potentially lead to a violation. Let’s take a look at a few examples in the case of covered entities:

  • A healthcare provider shares a patient's medical information with a friend or family member without the patient's consent.
  • A health insurance company discloses a patient's medical information to an unauthorized third party.
  • A doctor's office fails to secure medical records and they are stolen or lost. 

And, in the case of business associates, violations might look like this:

  • A medical equipment vendor discloses PHI to third-party marketers without patient consent.
  • A marketing company sends promotional materials to patients without their consent or knowledge.
  • A consulting firm fails to provide appropriate HIPAA training to employees who handle PHI.

With the right measures in place, these kinds of events can be avoided. Unfortunately, knowing what to do and implementing procedures are two different things. Sometimes covered entities or business associates fail to bridge the gap. 

To reflect different levels of severity, there are four tiers of violations:

  • Tier 1: This tier is for minor violations that are unintentional, meaning the offender didn't know they were doing something wrong. Penalties for Tier 1 violations can range from $100 to $50,000 per incident, which can add up quickly. Examples of Tier 1 violations include failing to provide a patient with a copy of their medical records or accidentally sharing PHI with the wrong person.
  • Tier 2: For Tier 2 violations, the offender should have known better but wasn't being intentionally sneaky. Penalties for Tier 2 violations can range from $1,000 to $50,000 per incident. Examples of Tier 2 violations include failing to encrypt sensitive data or failing to implement reasonable safeguards to protect PHI.
  • Tier 3: This tier is for when someone intentionally disclosed PHI but corrected the mistake within 30 days. Penalties for Tier 3 violations can range from $10,000 to $50,000 per incident. Examples of Tier 3 violations include accidentally posting PHI on a public website, but taking it down within 30 days.
  • Tier 4: The most severe of all, Tier 4 refers to when someone intentionally disclosed PHI and didn't take steps to fix the problem within 30 days. Penalties for Tier 4 violations can be up to $50,000 per incident, which can be a huge financial burden. Examples of Tier 4 violations include selling PHI or intentionally disclosing PHI to harm someone's reputation.

You might notice that the maximum penalty for each type of HIPAA violation is $50,000 per incident. We should note that the penalties for HIPAA violations can be assessed for each individual incident, meaning that a single breach of PHI can result in multiple violations and penalties. And, keep in mind that violations can also result in significant damage to your company's reputation, loss of business, and even criminal charges in extreme cases. 

So, now that you know more about HIPAA and the importance of getting compliant, let’s go over how you can build a strategy that will ensure that you get and stay HIPAA compliant.

How can you achieve and maintain HIPAA compliance?

Quick sidenote: if you’re in the process of researching HIPAA compliance, you may have come across information on HITRUST, a privately owned company that offers a framework to demonstrate HIPAA compliance. There seems to be a misconception that the only route to guaranteed HIPAA compliance is through HITRUST but this isn’t true.

HIPAA requirements are complicated but with the right system in place, you can unburden yourself and your business (or startup), while also cutting down on the cost and stress of pursuing compliance. 

Strike Graph is an all-in-one compliance and certification platform that allows you to design, operate, and measure — think certify — your security program in line with whichever frameworks are most beneficial to your business. 

If you’re pursuing HIPAA compliance, you’ll find the most common HIPAA controls ready to use out of the box as soon as you log in to the platform. Then, our risk assessment walks you through common pitfalls to ensure you’re 100% covered. Set up automatic evidence collection and you’ll soon be ready for our in-house assessment team to certify you as HIPAA compliant. 

What makes it even better is that once you’re HIPAA compliant, Strike Graph allows you to apply those controls across any other framework, including ISO 27001, SOC 2, PCI DSS, CPRA, and GDPR. It’s that combination of ease and flexibility that makes Strike Graph the best choice to build trust and spare you from violations, fines, and headaches.

  • copy-link-icon

    Copy URL

  • facebook-icon
  • linkedin-icon

Learn how you can leverage Strike Graph for your cybersecurity needs