Compliance

What is HIPAA compliance and do I need it?

Plain-English explanation of HIPAA IT requirements. Learn who must comply, what's required, and how to get started.

centrexIT Team 8 min read

HIPAA is one of the most misunderstood regulations in healthcare. Let’s demystify it.

What Is HIPAA?

HIPAA = Health Insurance Portability and Accountability Act (1996)

The part most people care about: The Privacy and Security Rules that protect patient health information.

Protected Health Information (PHI) includes:

  • Names combined with health information
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Dates (birth, admission, discharge, death)
  • Phone numbers, email addresses
  • Any information that could identify a patient

Do I Need to Be HIPAA Compliant?

You’re a “Covered Entity” if you are:

  • Healthcare providers who transmit health information electronically

    • Doctors, clinics, hospitals
    • Dentists, chiropractors, physical therapists
    • Psychologists, psychiatrists
    • Nursing homes, home health agencies
    • Pharmacies
  • Health plans

    • Health insurance companies
    • HMOs
    • Company health plans
  • Healthcare clearinghouses

    • Entities that process health information

You’re a “Business Associate” if you:

  • Handle PHI on behalf of a covered entity
  • Examples: IT providers, billing companies, cloud services, shredding companies, consultants

If you’re a business associate, you have HIPAA obligations too.

You’re Probably NOT Covered if:

  • You don’t handle any patient health information
  • You’re a pure technology company with no healthcare clients
  • You’re a general contractor working with healthcare facilities (unless you access PHI)

The Three HIPAA Rules

1. Privacy Rule

What it covers: Who can access PHI and for what purposes

Key requirements:

  • Minimum necessary standard (only access what’s needed)
  • Patient rights to access their records
  • Notice of privacy practices
  • Training on privacy policies

2. Security Rule

What it covers: Technical, physical, and administrative safeguards for electronic PHI (ePHI)

Three categories:

Administrative Safeguards:

  • Risk analysis and management
  • Workforce training
  • Incident response procedures
  • Business associate agreements
  • Policies and procedures

Physical Safeguards:

  • Facility access controls
  • Workstation security
  • Device and media controls

Technical Safeguards:

  • Access controls
  • Audit controls
  • Integrity controls
  • Transmission security

3. Breach Notification Rule

What it covers: What to do when PHI is compromised

Requirements:

  • Notify affected individuals within 60 days
  • Notify HHS (and media if 500+ individuals affected)
  • Document all breaches

HIPAA IT Requirements (The Technical Stuff)

Here’s what HIPAA actually requires from a technology perspective:

Access Controls (Required)

Unique user identification: Every user has their own login

Emergency access procedure: How to access systems in emergencies

Automatic logoff: Sessions timeout after inactivity

Encryption: Not technically “required,” but so strongly recommended that it’s effectively required
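The three access-control items above (one named login per person, a documented emergency path, and automatic logoff after inactivity) fit together in a small session layer. The following is an added illustration, not centrexIT's code or any product's API; the `KNOWN_USERS` directory, the 15-minute idle timeout, the 4-hour break-glass window and the in-memory store are all assumptions chosen for the example.

```python
"""Named-user sessions with automatic logoff and a logged emergency path.

Added example for the Access Controls section (unique user identification,
emergency access procedure, automatic logoff); it is not centrexIT's code.
The user directory, timeout values and in-memory store are constructed for
illustration; a real deployment would back them with its identity provider
and a persistent audit log.
"""
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)   # assumption: policy value for automatic logoff
EMERGENCY_WINDOW = timedelta(hours=4)  # assumption: break-glass access ends on its own

# Constructed directory: every login maps to one named person, never a shared role.
KNOWN_USERS = {"jsmith", "bjones", "rlee"}


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> {"user", "last_active", "expires"}
        self.audit = []      # (time, user, event, session_id, note) kept for log review

    def _open(self, session_id, user_id, now, expires, event, note=""):
        # Unique user identification: refuse anything that is not a named individual
        if user_id not in KNOWN_USERS:
            raise PermissionError(f"{user_id!r} is not an individually named user")
        self._sessions[session_id] = {"user": user_id, "last_active": now, "expires": expires}
        self.audit.append((now, user_id, event, session_id, note))

    def login(self, session_id, user_id, now):
        self._open(session_id, user_id, now, None, "LOGIN")

    def emergency_access(self, session_id, user_id, reason, now):
        """Break-glass: still a named user, must state a reason, expires on its own."""
        if not reason.strip():
            raise ValueError("emergency access requires a documented reason")
        self._open(session_id, user_id, now, now + EMERGENCY_WINDOW,
                   "EMERGENCY_ACCESS", reason)

    def touch(self, session_id, now):
        """Call on every request; returns the user id, or None once logged off."""
        s = self._sessions.get(session_id)
        if s is None:
            return None
        idle = now - s["last_active"] > IDLE_TIMEOUT
        hard = s["expires"] is not None and now >= s["expires"]
        if idle or hard:
            # Automatic logoff: drop the session and record why
            del self._sessions[session_id]
            self.audit.append((now, s["user"], "AUTO_LOGOFF", session_id,
                               "idle" if idle else "emergency window ended"))
            return None
        s["last_active"] = now
        return s["user"]


if __name__ == "__main__":
    store = SessionStore()
    t0 = datetime(2024, 3, 4, 9, 0, 0)
    store.login("s1", "jsmith", t0)
    print(store.touch("s1", t0 + timedelta(minutes=10)))   # jsmith
    print(store.touch("s1", t0 + timedelta(minutes=26)))   # None (idle > 15 min)
    for entry in store.audit:
        print(entry)
```

The emergency path deliberately reuses the same named-user check and writes its own audit entry with the stated reason, so break-glass use shows up in the log review the Audit Controls section calls for rather than bypassing it.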

Audit Controls (Required)

Activity logging: Record who accessed what and when

Log review: Regularly review access logs for suspicious activity

Retention: Keep audit logs for 6+ years
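Logging is only half of the audit control; the other half is the regular review. The script below is an added example of what a first-pass review can look like, and also serves gap #4 ("logs exist but no one reviews them") further down. It is not centrexIT's tooling: the pipe-delimited log format, the three thresholds and the sample log lines are all constructed for illustration, and a real review would read the system's own log export.

```python
"""Review an ePHI access log for patterns that deserve a human look.

Added example for the Audit Controls section (activity logging and log
review); this is not centrexIT's tooling. The pipe-delimited log format,
the thresholds and the sample lines below are all constructed for
illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one event per line:
# timestamp|user|action|patient_id|result
SAMPLE_LOG = """\
2024-03-04T09:12:03|jsmith|VIEW|MRN-1001|OK
2024-03-04T09:14:44|jsmith|VIEW|MRN-1002|OK
2024-03-04T02:17:09|bjones|VIEW|MRN-2210|OK
2024-03-04T10:01:00|rlee|VIEW|MRN-3001|OK
2024-03-04T10:01:05|rlee|VIEW|MRN-3002|OK
2024-03-04T10:01:09|rlee|VIEW|MRN-3003|OK
2024-03-04T10:01:12|rlee|VIEW|MRN-3004|OK
2024-03-04T10:01:15|rlee|VIEW|MRN-3005|OK
2024-03-04T10:01:18|rlee|VIEW|MRN-3006|OK
2024-03-04T11:30:00|tnguyen|LOGIN|-|FAIL
2024-03-04T11:30:04|tnguyen|LOGIN|-|FAIL
2024-03-04T11:30:09|tnguyen|LOGIN|-|FAIL
2024-03-04T11:30:13|tnguyen|LOGIN|-|FAIL
2024-03-04T11:30:20|tnguyen|LOGIN|-|FAIL
"""

BUSINESS_HOURS = (7, 19)      # assumption: 07:00-19:00 is normal clinic time
MAX_DISTINCT_PATIENTS = 5     # assumption: more per user per day is unusual
MAX_FAILED_LOGINS = 4         # assumption: this many failures per day is a burst


def parse_log(text):
    """Turn the pipe-delimited text into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, result = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "patient": patient,
            "result": result,
        })
    return events


def review_audit_log(text):
    """Return a list of findings; each is a dict with a rule name and a user."""
    findings = []
    patients_by_user_day = defaultdict(set)
    failed_logins = Counter()

    for e in parse_log(text):
        day = e["ts"].date()
        if e["action"] == "VIEW" and e["result"] == "OK":
            # Rule 1: successful record access outside business hours
            if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
                findings.append({
                    "rule": "after_hours_access",
                    "user": e["user"],
                    "detail": f"{e['patient']} viewed at {e['ts'].isoformat()}",
                })
            patients_by_user_day[(e["user"], day)].add(e["patient"])
        elif e["action"] == "LOGIN" and e["result"] == "FAIL":
            failed_logins[(e["user"], day)] += 1

    # Rule 2: one user touching many distinct patient records in a day
    for (user, day), patients in patients_by_user_day.items():
        if len(patients) > MAX_DISTINCT_PATIENTS:
            findings.append({
                "rule": "high_patient_volume",
                "user": user,
                "detail": f"{len(patients)} distinct patients on {day}",
            })

    # Rule 3: a burst of failed logins against one account
    for (user, day), n in failed_logins.items():
        if n >= MAX_FAILED_LOGINS:
            findings.append({
                "rule": "failed_login_burst",
                "user": user,
                "detail": f"{n} failed logins on {day}",
            })
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG):
        print(f"{f['rule']:<22} {f['user']:<10} {f['detail']}")
```

Each finding is a prompt for a person to look, not a verdict: after-hours access may be a legitimate on-call clinician, and a high patient count may be a records clerk doing their job. The value of the procedure is that someone looks, and that the review and its outcome are documented alongside the logs for the retention period above.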

Integrity Controls (Required)

Data integrity: Ensure ePHI isn’t improperly altered or destroyed

Mechanism to authenticate ePHI: Verify data hasn’t been tampered with
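One concrete "mechanism to authenticate ePHI" is a keyed hash (HMAC) stored alongside each record: anyone who alters the record without the key cannot produce a matching tag, so the alteration is detected on the next verification. The block below is an added example and not centrexIT's code; the record fields and the demo key are constructed, and the key-handling note in the docstring is the design point that makes the mechanism meaningful.

```python
"""Seal ePHI records with an HMAC so later alteration is detectable.

Added example for the Integrity Controls section (mechanism to authenticate
ePHI); it is not centrexIT's code. The record fields and the demo key are
constructed; a production key would live in a secrets manager, separate
from the data store it protects, so that someone who can edit records
cannot also re-seal them.
"""
import hashlib
import hmac
import json
import secrets


def canonical_bytes(record):
    """Serialize deterministically so field order cannot change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal_record(record, key):
    """Return a hex HMAC-SHA256 tag over the canonical form of the record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record, tag, key):
    """True only if the record still matches the tag computed at seal time.

    compare_digest runs in constant time so the comparison itself does not
    leak how much of the tag matched.
    """
    expected = seal_record(record, key)
    return hmac.compare_digest(expected, tag)


def demo():
    """Seal a constructed record, then check an intact and a tampered copy."""
    key = secrets.token_bytes(32)          # demo only; keep real keys out of the data store
    record = {
        "mrn": "MRN-1001",                 # constructed sample values
        "allergies": ["penicillin"],
        "note": "Follow-up in 2 weeks",
    }
    tag = seal_record(record, key)

    intact = verify_record(record, tag, key)
    tampered = dict(record, allergies=[])  # an altered copy of the same record
    altered = verify_record(tampered, tag, key)
    return intact, altered                 # expected: (True, False)


if __name__ == "__main__":
    print(demo())
```

The tag protects against silent modification, not against deletion or replay of an old version; pairing it with the backup and audit controls in the neighbouring sections covers those cases.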

Transmission Security (Required)

Integrity controls: Protect ePHI during transmission

Encryption: Encrypt ePHI in transit (again, effectively required)

Backup and Disaster Recovery (Required)

Data backup plan: Regular, tested backups

Disaster recovery plan: How to restore access after an emergency

Emergency mode operation: How to operate during emergencies

Common HIPAA IT Gaps

When we assess healthcare organizations, we commonly find:

1. No Formal Risk Assessment

HIPAA requires documented risk analysis. Many organizations skip this or do it informally.

Fix: Conduct annual security risk assessments with documented findings and remediation plans.

2. Inadequate Access Controls

  • Shared logins
  • Excessive permissions
  • No MFA
  • Passwords that never expire

Fix: Individual accounts, least-privilege access, MFA on all systems with ePHI.

3. Missing or Untested Backups

“We have backups” but they’ve never been tested, or they don’t include all ePHI.

Fix: 3-2-1 backup rule with documented monthly restore tests.

4. No Audit Logging

Systems don’t log access, or logs exist but no one reviews them.

Fix: Enable logging on all systems with ePHI, implement log review procedures.

5. Unencrypted Devices

Laptops, USB drives, or phones with ePHI that aren’t encrypted.

Fix: Full-disk encryption on all devices, prohibit ePHI on unmanaged devices.

6. Outdated Business Associate Agreements

Working with vendors who access PHI without proper BAAs.

Fix: Inventory all business associates, ensure current BAAs are in place.

7. Insufficient Training

Annual compliance training that doesn’t cover security awareness.

Fix: Regular security awareness training including phishing simulations.

HIPAA Penalties

HIPAA violations are tiered based on knowledge and willfulness:

Tier  Description                       Penalty Per Violation   Annual Maximum
1     Didn’t know                       $100 - $50,000          $25,000
2     Reasonable cause                  $1,000 - $50,000        $100,000
3     Willful neglect (corrected)       $10,000 - $50,000       $250,000
4     Willful neglect (not corrected)   $50,000+                $1,500,000

Criminal penalties for knowing disclosure: Up to $250,000 and 10 years imprisonment.

Recent enforcement: HHS has increased enforcement significantly. Small practices are being fined, not just large organizations.

Getting Started with HIPAA Compliance

Step 1: Security Risk Assessment

Required by HIPAA and the foundation of your compliance program.

  • Identify where ePHI exists
  • Identify threats and vulnerabilities
  • Assess current controls
  • Determine risk levels
  • Document findings and remediation plan

HHS provides a free tool: Security Risk Assessment Tool (SRA)

Step 2: Policies and Procedures

Document your security and privacy practices:

  • Acceptable use policy
  • Access control policy
  • Incident response plan
  • Breach notification procedures
  • Business associate management
  • Training requirements

Step 3: Technical Safeguards

Implement or verify:

  • MFA on all systems with ePHI
  • Encryption (at rest and in transit)
  • Access logging and monitoring
  • Backup with tested recovery
  • Endpoint protection
  • Email security

Step 4: Training

  • All workforce members handling PHI
  • Annual minimum, more frequent recommended
  • Document completion

Step 5: Ongoing Compliance

  • Annual risk assessments
  • Regular policy reviews
  • Continuous security monitoring
  • Business associate management
  • Incident response when needed

HIPAA and Your IT Provider

If you’re a covered entity using an IT provider (MSP):

They’re a Business Associate

Your IT provider accesses your systems, which may contain ePHI. They need:

  • Signed Business Associate Agreement (BAA)
  • Their own HIPAA compliance program
  • Security practices that meet HIPAA standards

Questions to Ask Your IT Provider

  1. Will you sign a BAA?
  2. What’s your HIPAA compliance program?
  3. How do you train your staff on HIPAA?
  4. What security certifications do you have?
  5. How do you secure access to our systems?
  6. What happens if there’s a breach?

Red Flags

  • Won’t sign a BAA
  • Says they’re not a business associate
  • Can’t explain their HIPAA program
  • Has no documentation

The Bottom Line

HIPAA compliance isn’t optional for healthcare organizations and their business associates. It requires:

  • Documented risk assessments
  • Policies and procedures
  • Technical safeguards
  • Ongoing training
  • Business associate management

The penalties for non-compliance are significant, and enforcement is increasing.

But beyond penalties: Proper HIPAA compliance protects patients and protects your organization from the devastating impact of a breach.


Need help with HIPAA compliance? centrexIT has been supporting healthcare organizations with HIPAA-compliant IT since 2002. Contact us for a compliance assessment.
