What Is HIPAA?

5 min. read

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted to safeguard sensitive patient health information (PHI). It sets standards for handling, storing, and transmitting PHI to ensure the privacy and security of medical records. HIPAA comprises two key rules: the Privacy Rule and the Security Rule.

The Privacy Rule establishes standards for protecting PHI, regulating how covered entities and their business associates use and disclose PHI. The Security Rule outlines the administrative, physical, and technical safeguards required to protect electronic PHI (ePHI) from unauthorized access or disclosure.

Compliance with HIPAA is mandatory for covered entities, including healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. Violations, whether intentional or unintentional, can result in fines and civil penalties.

Is Your Organization HIPAA Compliant?

As healthcare organizations embrace digital transformation, they must secure sensitive data — particularly electronic patient health information. In 2023, Palo Alto Network Unit 42® Attack Surface Threat Report revealed the prevalence of exposures across various industries. Despite HIPAA's requirements to protect sensitive data, 56% of healthcare organizations had publicly exposed cloud development environments.

These exposed environments, often misconfigured and vulnerable, provide attackers with opportunities to infiltrate the networks of organizations. Such unauthorized access can result in data breaches, unauthorized disclosures, and even medical device failures.

Download the Unit 42 Attack Surface Threat Report for full research results.

Understanding HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 to modernize the healthcare industry and protect patients, doctors, insurance companies, and other related parties. HIPAA has three main objectives:

  • Ensuring people maintain health insurance between jobs
  • Standardizing electronic billing practices
  • Providing rules for handling protected health information

Since its enactment, HIPAA has seen two major updates — HITECH in 2009 and the Omnibus Rule in 2013.

HITECH updated privacy requirements, introduced the breach notification rule, allowed proactive auditing of healthcare entities and their business associates, and updated enforcement activities such as fines and penalties for breaches.

The Omnibus Rule focused on enhancing privacy and breach notification requirements, improving patient rights, and redefining the breach process.

Lastly, HIPAA comprises three main rules that govern the use and disclosures of PHI, as well as securing electronic PHI and the reporting of breaches.

  • Privacy Rule
  • Security Rule
  • Breach Notification Rule

What Is Protected Health Information (PHI)?

Protected Health Information (PHI) refers to any individually identifiable health information, whether in electronic, oral, or physical form, that healthcare providers, health plans, or healthcare clearinghouses create, collect, transmit, or maintain.

PHI includes a wide range of data, such as medical records, billing information, test results, and medical images. It encompasses any information related to an individual's health status, provision of healthcare, or payment for healthcare services that can be linked to a specific person. In simplest terms, PHI consists of 18 data points that can individually or in combination reasonably identify a person. These data points might refer to personal or health-related information, as well as other types of identifiers.

The 18 Data Points of PHI

Personal Identifiers

  1. Names, including initials
  2. All geographic subdivisions smaller than a state
  3. All elements of dates, except the year, for dates directly related to an individual
  4. Telephone numbers
  5. Facsimile numbers
  6. Electronic mail addresses
  7. Social Security numbers

Health Identifiers

  1. Medical record numbers
  2. Health plan beneficiary numbers
  3. Account numbers
  4. Device identifiers and serial numbers

Miscellaneous Identifiers

  1. Certificate or license numbers
  2. Vehicle identifiers and serial numbers, including license plate numbers
  3. Web universal resource locators or URLs
  4. Internet protocol or IP address numbers
  5. Biometric identifiers, including fingerprints and voiceprints
  6. Full-face photographic images and comparable images
  7. Unique identifying numbers, characteristics, or codes, unless permitted by the Privacy Rule for reidentification

While the term PHI is specific to the U.S., many countries have similar concepts regarding the protection of sensitive health information. The terminology to describe this type of information may differ for each country, but the core idea of protecting individually identifiable health information remains consistent.

In the European Union, for example, the General Data Protection Regulation (GDPR) refers to this type of information as "personal data concerning health." In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) deals with the protection of "personal information," which includes health-related information.

Although the terms and regulatory frameworks vary, the underlying principle of safeguarding sensitive health information and ensuring the privacy and security of individuals' health data remains a common goal.

HIPAA: Breach Notification

Under HIPAA, a breach involves an impermissible use or disclosure under the Privacy Rule, compromising the security or privacy of protected health information (PHI). Unless the covered entity or business associate demonstrates a low probability of PHI compromise based on a risk assessment, any impermissible use or disclosure of PHI is presumed to be a breach.

One of the most significant threats to PHI security is the unauthorized disclosure to an unapproved individual. A breach occurs when this risk materializes, and someone accesses private health information they shouldn’t see. Breaches can be accidental or intentional, originating from employee carelessness, lack of education, or deliberate intrusion attempts. Regardless of the breach's nature, accidental and intentional breaches carry the same legal consequences.

The breach's consequences depend on the number of affected individuals and the incident's size. Smaller breaches require annual logging and reporting to the secretary, while larger breaches mandate reporting within 60 days of discovery. State laws may impose stricter reporting regulations, such as Texas' 60-minute reporting requirement. All breaches necessitate a risk assessment to identify exploited vulnerabilities and implement improved safeguards to prevent similar occurrences. The government reserves the right to investigate reported breaches, require remediation plans, and impose monetary penalties.

Everyone is responsible for reporting observed security and privacy incidents to their organization's appropriate authorities. Failing to report a breach may result in sanctions from both your organization and federal or state agencies. Adhere to your organization's reporting procedures and report all incidents, regardless of their size or perceived triviality.

Security and privacy breaches are a growing concern for organizations. However, with proper policies and procedures, breaches can be avoided. If a breach occurs, understanding the reporting responsibilities required by the Breach Notification Rule is crucial. Responding appropriately to a breach can save your organization unnecessary productivity loss and minimize monetary repercussions resulting from improper breach handling.

HIPAA Privacy Rule: The Standard of Minimum Necessary

Like the principle of least-privileged access, HIPAA’s minimum necessary standard aims to limit your access to protected health information (PHI) to only what’s needed to perform your job. The standard does not intend to hinder your ability to function within your organization or prohibit cross-training staff for multiple roles.

To comply with the minimum necessary standard, organizations, including covered entities and business associates, must identify the types of information employees have access to and the purpose of that access. For some organizations, establishing role-based access to PHI can pose challenges. Mapping job roles to levels of PHI access can simplify the process.

Adhering to the minimum necessary standard involves setting up technological and physical barriers to prevent unauthorized access or disclosure. Ensure that your IT team establishes role-based login permissions for systems containing PHI and implements robust monitoring protocols. These protocols should include periodic random reports for reviewing employee activity and automatic alerts to detect potential unauthorized access or cyberattacks.

Regardless of an organization's size, it’s required to establish and enforce minimum necessary access procedures. HIPAA is designed to be flexible, allowing organizations to modify implementation, but the rule must remain intact.

The Security Rule: Safeguarding Electronic Protected Health Information

Given the prevalence of cyberattacks, security in healthcare is of paramount importance. Healthcare data breaches come with significant financial implications, costing the health industry billions of dollars. As hackers continue to develop more sophisticated techniques, studies predict a substantial increase in the number of intentional attacks in the coming years. These threats highlight the need for healthcare organizations to implement staunch security measures to protect sensitive patient data.

Eighteen standards and 42 implementation specifications exist within the HIPAA Security Rule. Standards represent the safeguards that HIPAA requires, whereas implementation specifications detail the necessary policies and procedures to implement these standards.

The primary objective of the Security Rule is to safeguard individuals' health information privacy while enabling covered entities to adopt innovative technologies that enhance patient care quality and efficiency. Recognizing the diverse healthcare marketplace, the Security Rule offers flexibility and scalability, allowing covered entities to implement policies, procedures, and technologies tailored to their size and risks associated with consumers' ePHI.

Several implementation specifications are addressable, but this does not mean they are optional. Organizations must assess the appropriateness and reasonableness of each implementation specification. If deemed appropriate and reasonable, the specification must be implemented. If considered unreasonable or inappropriate, organizations must:

  • Document the assessment and rationale for deeming the implementation unsuitable.
  • Implement an alternative or modified version of the specification, if appropriate.
  • Schedule periodic reviews of the assessment to determine the ongoing appropriateness and reasonableness of the specification.

Certain addressable implementation specifications, such as encryption, may prove difficult for organizations to justify as unreasonable or inappropriate. With numerous affordable and accessible solutions available for many Security Rule safeguards, cost or ease of implementation shouldn’t hinder compliance.

Ensuring all standards and implementation specifications are appropriately addressed helps organizations minimize the risk of becoming the next security breach victim.

OCR Audit Protocol

The healthcare industry, despite being heavily regulated, has witnessed some vital regulations go unmonitored for over a decade. Prior to HITECH, HIPAA functioned as a reactive compliance program rather than a proactive one, leading to a lack of enforcement.

To address this, the Office for Civil Rights (OCR) began conducting audits in 2012, with a focus on correcting compliance efforts rather than punishing noncompliance. Their goal is to identify weaknesses in compliance and improve the industry's implementation of privacy and security safeguards to protect health information.

Phase 2 of the audits, initiated in early 2016, doubled the number of audits conducted and expanded their scope to include business associates. This phase consists of three stages:

  • Stage 1: Desk audits of covered entities, conducted electronically rather than in person
  • Stage 2: Desk audits of business associates, requiring covered entities to disclose their business associate relationships
  • Stage 3: In-person audits, offering a more comprehensive assessment than the previous two stages for a selected number of audited entities

Organizations should proactively establish and maintain their HIPAA compliance, rather than waiting for an audit notification. By initiating the process early and diligently documenting all compliance efforts, organizations can be well-prepared for audits and demonstrate their commitment to safeguarding sensitive health information.

Maintaining HIPAA compliance and safeguarding sensitive health information is a critical responsibility for a security leader in an organization that builds apps. It is essential to focus on several key areas to effectively manage information security efforts.

HIPAA for Big Tech and Startups

Understanding the regulatory landscape is vital to providing the foundation for creating and implementing security policies and procedures in accordance with HIPAA. And maintaining HIPAA compliance couldn’t be more important than is for those developing applications, managing cloud infrastructure, and providing data security services for healthcare organizations.

Addressing HIPAA compliance challenges in the tech sector requires a comprehensive understanding of regulatory requirements, secure application development, cloud infrastructure security, risk management, collaboration, and communication with stakeholders.

Staying informed about HIPAA regulations such as the Privacy and Security Rules and the Breach Notification Rule is essential for building compliant products and services. This knowledge helps meet the healthcare industry's strict security standards and ensures that applications adhere to HIPAA requirements.

When developing applications and software solutions, security and compliance must remain at the forefront of consideration. Incorporating features like encryption, access controls, and audit logging, as well as conducting regular security assessments and vulnerability testing, can help identify potential risks.

Designing and managing cloud infrastructure for handling electronic protected health information (ePHI) requires implementing data encryption both in transit and at rest. Additionally, role-based access control (RBAC) and a resilient, highly available architecture help maintain data integrity and withstand potential threats.

Conducting regular risk assessments, another vital aspect to consider, helps identify potential vulnerabilities in tech solutions and infrastructure, allowing for the development and implementation of mitigation strategies. The risk assessment process enables the prioritization of security initiatives and the efficient allocation of resources.

Collaboration and communication with stakeholders, such as healthcare organizations, cloud service providers, and security experts, ensure a comprehensive understanding of HIPAA requirements and industry best practices. Maintaining open lines of communication with clients and providing regular updates on security posture, compliance status, and potential risks can contribute to building trust and transparency.

Finally, promoting a culture of security awareness within the tech organization to help employees understand the importance of HIPAA compliance, empowering them to make informed decisions when developing and deploying tech solutions for healthcare clients.

HIPAA Compliance Tips for DevOps and AppSec Practitioners

As healthcare organizations increasingly adopt cloud-based solutions and develop applications to manage and store electronic protected health information (ePHI), it’s essential for cloud architects, application developers, and security engineers to ensure HIPAA compliance in their work.

Cloud Architects

Cloud architects must design secure and compliant cloud infrastructure for handling ePHI. Key considerations include:

  • Choosing a cloud service provider (CSP) with a proven track record in HIPAA compliance
  • Ensuring that data encryption is implemented both in transit and at rest
  • Implementing role-based access control (RBAC) to restrict access to sensitive data
  • Designing a resilient and highly available architecture that can withstand potential threats and maintain data integrity
  • Regularly reviewing and updating the cloud infrastructure to address emerging security risks and compliance requirements

Application Developers

Application developers must create applications that adhere to HIPAA's Privacy and Security Rules. Important aspects to consider are:

  • Developing secure APIs for handling ePHI and incorporating encryption and authentication mechanisms
  • Implementing access controls and audit logging to monitor and track data access
  • Ensuring data storage complies with encryption requirements and is securely segmented
  • Conducting regular security and vulnerability assessments to identify potential risks and mitigate them
  • Integrating security and compliance best practices into the development lifecycle and staying updated on changes in regulations

Security Engineers

Security engineers play a vital role in safeguarding ePHI and maintaining HIPAA compliance. Responsibilities include:

  • Developing, implementing, and managing security policies and procedures according to HIPAA guidelines
  • Configuring and monitoring security tools, such as intrusion detection systems (IDS), firewalls, and antivirus software
  • Conducting regular risk assessments to identify potential vulnerabilities and implementing appropriate countermeasures
  • Collaborating with cloud architects and application developers to ensure security is integrated throughout the infrastructure and application development processes
  • Providing training and raising awareness on security and compliance best practices within the organization

By working together, organizations can effectively address the unique challenges of HIPAA compliance in cloud environments and application development, ensuring the protection of sensitive health information and mitigating the risk of data breaches.

HIPAA FAQs

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, is a significant update to the Health Insurance Portability and Accountability Act (HIPAA). HITECH aims to enhance privacy requirements, introduce the breach notification rule, and promote the adoption of electronic health records (EHRs) and health information exchange (HIE) technology. It also allows for proactive auditing of healthcare entities and their business associates while updating enforcement activities, such as fines and penalties for breaches. The HITECH Act encourages healthcare organizations to adopt modern technology to improve patient care and streamline operations while maintaining rigorous privacy and security standards.
The Omnibus Rule, introduced in 2013, is a substantial amendment to HIPAA regulations, focusing on enhancing privacy and breach notification requirements, improving patient rights, and redefining the breach process. The rule expands HIPAA's scope to include business associates and their subcontractors, making them directly accountable for compliance. The Omnibus Rule also strengthens patient rights, allowing them to request electronic copies of their health records and prohibiting the use of their information for marketing purposes without explicit consent. Additionally, the rule revises the breach notification process by shifting the focus from potential harm to an evaluation of the probability that protected health information (PHI) has been compromised, ensuring that organizations promptly report and address any potential breaches.
Electronic Protected Health Information, or ePHI, refers to any individually identifiable health information that is created, stored, transmitted, or maintained in an electronic format by a covered entity or a business associate under HIPAA.
A covered entity (CE) is an organization or individual subject to HIPAA regulations, which are responsible for protecting the privacy and security of protected health information (PHI). Covered entities typically include healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically in connection with certain standard transactions, such as claims processing, benefits coordination, and enrollment. CEs are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI) and comply with HIPAA Privacy and Security Rules.
In HIPAA, a business associate (BA) is a third-party vendor, contractor, or consultant that will receive, create, access, transmit, or store protected health information on behalf of a healthcare organization. The BA performs functions or activities for the covered entity that involves the use or disclosure of PHI or confidential information.
Required in the HIPAA framework refers to required procedures, which are mandatory, and covered entities and business associates must document and implement them without exceptions. All standards within the HIPAA framework are required.
While not optional, addressable specifications allow organizations to assess whether a specific implementation is appropriate and reasonable for their unique circumstances. If deemed unreasonable or inappropriate, the organization must adopt and implement a reasonable alternative that achieves the same safeguard objective while maintaining compliance with HIPAA regulations.
A designated record set is a collection of records maintained by or for a covered entity under HIPAA, comprising medical and billing records about individuals, as well as enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan. The primary purpose of a designated record set is to comply with the Privacy Rule requirements for uses, disclosures, patient right of access, and amendment. Designated record sets are not intended for external requests for disclosures.
A legal record set refers to the officially declared record of healthcare services provided to an individual by a healthcare provider. This business record is generated at or for a healthcare organization and is the document released on receiving a request. The legal record set's definition is crucial for disclosing PHI consistently and accurately, ensuring that only the information defined within the legal record set is disclosed when required.
A limited data set is a partially deidentified record in which the 18 identifying data points of PHI have been removed before disclosure. Limited data sets can be used without a patient's permission if certain conditions are met, such as for research, public health initiatives, or healthcare operations. Although not completely deidentified, limited data sets are still protected by the Privacy Rule. When used by a third party that typically requires authorization, a data use agreement or business associate agreement must be executed before disclosure.