The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a collection of medical privacy regulations for healthcare organizations handling sensitive personal health information (PHI). HIPAA sets the standard for security, privacy, and integrity of patient data. 

Entities required to comply with HIPAA are called covered entities and include hospitals, academic medical centers, physicians, and other healthcare providers. HIPAA defines covered entities as any organizations that collect, process, store, or share protected health information. Any business that enters into a business associate contract with a covered entity must also adhere to HIPAA.

Even though HIPAA compliance is a requirement for a covered entity or associated business, there are benefits. As more organizations and institutions handling PHI move to computerized operations by developing and implementing solutions like electronic health records, computerized physician order entry systems, radiology, laboratory, and pharmacy systems, the benefits of HIPAA compliance are many. Technology solutions will offer increased efficiency, productivity, scalability, and mobility, but they also introduce security and privacy risks. Applying HIPAA best practices to these emerging risks will set organizations up for success.  

Patient Trust

Patient trust is a core component in the healthcare industry, where data breaches destroy relationships and threaten an organization's future. Healthcare organizations that fall victim to data breaches generally suffer irreparable harm to their reputation. A recent study reveals that potential users of health information technology are much more concerned with IT-related security and privacy. Meeting HIPAA compliance requirements strengthen patient trust by enhancing transparency, privacy, and security of healthcare information systems.  

Identify Risks 

A core and mandatory component of HIPAA compliance is a Risk Assessment or Risk Analysis. Understanding the unique security threats and vulnerabilities present in an organization encourages the application of the HIPAA Security Rule to protect PHI. For many small and medium sized organizations, the risk assessment exercise is an eye-opener, one that can lead to the implementation of necessary security measures and operational practices. In addition, organizations find that by applying a risk based approach to vendor selection, they can ensure that all parties subject to HIPAA are in compliance.

Data Handling Best Practices

Implementing and maintaining HIPAA security and privacy practices will not only pave the way for becoming HIPAA compliant, but will also ensure that your organization is handling sensitive data appropriately. An understanding of how data moves throughout the system will dictate the appropriate safeguards to ensure the confidentiality, integrity, and availability of electronic PHI. Rather than guessing what controls or safeguards need to be in place, the HIPAA protocols and protections offer some guidance. 

Culture of security and privacy 

Becoming HIPAA compliant is not just a checklist activity. Rather, the entire organization is called upon to embrace security and privacy best practices. This is accomplished through ongoing training, periodic HIPAA self-audits, clear policies and procedures, and collaboration.

Avoid fines, corrective actions and non-compliance

Failing to comply with HIPAA requirements can result in violations and considerable fines. In the case of a data breach that affects PHI, organizations can face criminal charges and civil action lawsuits. Regular internal compliance reviews can help protect an organization from complaints or audit findings from a State Attorney General. A proactive approach to HIPAA compliance can minimize potential findings as well as reduce unanticipated costs that may come from fixing the problem ad hoc and repairing a damaged reputation after a cyber incident.  

The U.S. Department of Health and Human Services explains that no "standard or implementation specification requires a covered entity to 'certify' compliance in HIPAA." However, covered entities are required to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity's security policies and procedures meet the security requirements. Covered entities can perform the assessment internally or contract with an external organization that provides certification services. It is essential to point out that HHS does not endorse or recognize private organizations' 'certifications' regarding HIPAA Security Rule.  

After establishing that the organization is a covered entity or a business associate to a covered entity, organizations can follow these steps to comply with HIPAA requirements:

• Develop privacy and security policies for a covered entity
• Develop an inhouse team of HIPAA experts with a designated Privacy Compliance Office as required by the HIPAA Security Rule  
• Implement necessary security controls, including administrative, physical, and technical safeguards as recommended by the HIPAA Security Rule
• Conduct regular risk assessment and self-audits to identify HIPAA compliance gaps
• Obtain satisfactory assurances that business associates meet HIPAA requirements and can safeguard shared PHI
• Develop a breach notification protocol
• Document the process for future HIPAA audits and incident investigations

Organizations can follow these steps to stay HIPAA compliant and avoid HIPAA violations or penalties:

• Partnering with an expert who understands HIPAA requirements
• Conducting an annual risk assessment
• Performing frequent vulnerability assessments and penetration testing
• Enhancing security posture by implementing assessment recommendations  
• Continuous employee awareness on HIPAA compliance requirements
• Regular reviews of business associate contracts for compliance