
HIPAA compliance with Strike Graph

Strike Graph’s risk-based methodology sets you up for a successful HIPAA compliance program. Our solution supports you with:

  • Risk-driven automation to select the right controls
  • A library of HIPAA-ready policy templates
  • Expert guidance to confirm your readiness
  • Independent HIPAA compliance evaluation

What is HIPAA Compliance?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. federal law whose privacy and security regulations govern healthcare organizations that handle protected health information (PHI). HIPAA sets the national standard for the privacy, security, and integrity of patient data.

Entities directly required to comply with HIPAA are called covered entities: health plans, healthcare clearinghouses, and healthcare providers (hospitals, academic medical centers, physicians, and other providers) that transmit health information electronically in connection with transactions for which HHS has adopted standards. Any business that enters into a business associate contract with a covered entity, and so creates, receives, maintains, or transmits PHI on its behalf, must also adhere to HIPAA.


What are the Benefits of HIPAA Compliance?

Even though HIPAA compliance is a requirement for a covered entity or business associate, it also brings benefits. As more organizations handling PHI computerize their operations with electronic health records, computerized physician order entry, and radiology, laboratory, and pharmacy systems, those systems deliver efficiency, productivity, scalability, and mobility, but they also introduce security and privacy risks. Applying HIPAA's safeguards to those risks sets organizations up for success.

Patient Trust

Patient trust is a core component of the healthcare industry, where data breaches destroy relationships and threaten an organization's future. Healthcare organizations that fall victim to data breaches generally suffer lasting harm to their reputation. A recent study reveals that potential users of health information technology are highly concerned about IT-related security and privacy. Meeting HIPAA compliance requirements strengthens patient trust by improving the transparency, privacy, and security of healthcare information systems.

Identify Risks 

A core and mandatory component of HIPAA compliance is a risk assessment, or risk analysis; the Security Rule lists it as a required implementation specification under the Administrative Safeguards. Understanding the specific threats and vulnerabilities present in an organization drives the application of the Security Rule's safeguards to protect PHI. For many small and medium-sized organizations, the risk assessment exercise is an eye-opener, one that leads to the implementation of security measures and operational practices that were previously missing. In addition, organizations find that by applying a risk-based approach to vendor selection, they can obtain assurance that every vendor subject to HIPAA is in compliance.

Data Handling Best Practices

Implementing and maintaining HIPAA security and privacy practices not only paves the way to becoming HIPAA compliant, but also ensures that your organization is handling sensitive data appropriately. An understanding of how data moves through the system dictates the safeguards needed to protect the confidentiality, integrity, and availability of electronic PHI. Rather than guessing which controls need to be in place, the Security Rule's administrative, physical, and technical safeguards provide a framework to work from.

Culture of security and privacy 

Becoming HIPAA compliant is not just a checklist activity. Rather, the entire organization is called upon to embrace security and privacy best practices. This is accomplished through ongoing training, periodic HIPAA self-audits, clear policies and procedures, and collaboration.

Avoid fines, corrective actions and non-compliance

Failing to comply with HIPAA requirements can result in violations and considerable fines. In the case of a data breach affecting PHI, organizations can face civil money penalties, civil lawsuits, and, for knowing misuse of PHI, criminal charges. Regular internal compliance reviews help protect an organization from complaints, OCR audit findings, and civil actions brought by a State Attorney General. A proactive approach to HIPAA compliance minimizes potential findings and reduces the unanticipated costs of fixing problems ad hoc and repairing a damaged reputation after a cyber incident.


HIPAA Basics

Is your organization a HIPAA-covered entity?

HIPAA rules define covered entities as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health and Human Services (HHS) has adopted standards. Entities required to comply with HIPAA therefore include hospitals, academic medical centers, physicians, and other healthcare providers. Even if your business is not itself a covered entity, you are subject to HIPAA rules as a business associate if you create, receive, maintain, or transmit PHI on a covered entity's behalf under a business associate contract.

HIPAA Privacy Rule

The Privacy Rule sets national standards to protect patients' medical records and other individually identifiable health information. It applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain transactions electronically. The rule requires reasonable safeguards to protect the privacy of PHI and establishes the permitted uses and disclosures, as well as the required disclosures, that apply to such data. In addition, the Privacy Rule gives individuals rights over their health information, including the right to access and obtain a copy of their records and to request amendments.

HIPAA Security Rule

The Security Rule (the Security Standards for the Protection of Electronic Protected Health Information) is a national set of standards establishing the protections for health information that covered entities hold or transmit electronically. HHS states that "the Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards" that covered entities must implement to secure ePHI. The HHS Office for Civil Rights (OCR) enforces both the Privacy and Security Rules through voluntary compliance activities and civil money penalties.

Becoming HIPAA Compliant

The U.S. Department of Health and Human Services explains that no "standard or implementation specification requires a covered entity to 'certify' compliance" with HIPAA. However, the Security Rule's evaluation standard does require covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which the entity's security policies and procedures meet the Rule's requirements. Covered entities can perform this evaluation internally or contract with an external organization that offers assessment or "certification" services. It is essential to point out that HHS does not endorse or recognize private organizations' "certifications" regarding the HIPAA Security Rule, and holding one does not preclude HHS from subsequently finding a security violation.

After establishing that the organization is a covered entity or a business associate to a covered entity, organizations can follow these steps to comply with HIPAA requirements:

  • Develop privacy and security policies and procedures for the organization
  • Build an in-house team of HIPAA experts, with a designated privacy official as required by the Privacy Rule and a designated security official as required by the Security Rule
  • Implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule
  • Conduct regular risk assessments and self-audits to identify HIPAA compliance gaps
  • Obtain satisfactory assurances that business associates meet HIPAA requirements and can safeguard shared PHI
  • Develop a breach notification procedure
  • Document the process for future HIPAA audits and incident investigations

Staying HIPAA Compliant

Organizations can follow these steps to stay HIPAA compliant and avoid HIPAA violations or penalties:

  • Partnering with an expert who understands HIPAA requirements
  • Conducting an annual risk assessment
  • Performing frequent vulnerability assessments and penetration testing
  • Enhancing security posture by implementing assessment recommendations
  • Continuous employee awareness training on HIPAA compliance requirements
  • Regular reviews of business associate contracts for compliance

HIPAA Glossary

The HIPAA Omnibus Rule
Also known as the 2013 Omnibus Rule, it is a collection of rules that strengthens the privacy and security protections for PHI established under HIPAA, including making business associates directly liable for compliance.
Electronic protected health information (ePHI)
Electronic protected health information (ePHI) refers to any individually identifiable health, treatment, or billing data that is created, received, stored, or transmitted in electronic form. This includes demographic data relating to a patient's past, present, or future physical or mental health or condition, the care provided, or payment for that care. Specific identifiers include patient names, dates of birth, addresses, zip codes, phone numbers, email addresses, IP addresses, social security numbers, license numbers, medical record numbers, photographs, and fingerprints.
The HIPAA Breach Notification Rule
This standard requires covered entities to notify affected individuals, HHS, and, in some cases, the media of a breach of unsecured PHI. HIPAA requires organizations to provide such notifications without unreasonable delay and no later than 60 calendar days after the breach is discovered.
The HIPAA Enforcement Rule
This HIPAA standard contains provisions relating to compliance and investigations, the civil money penalties for non-compliance with the HIPAA Administrative Simplification Rules, and procedures for hearings.
Business Associate
Any organization contracted to perform services for a covered entity that creates, receives, maintains, or transmits PHI on the covered entity's behalf.

Learn how you can leverage Strike Graph for your cybersecurity needs