What Businesses Need to Follow to be Compliant with HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act. This act is being incorporated to set the standard and protect sensitive patient data. If any company deals with protected health information (PHI), then it needs to ensure that all the required network, physical and other process security measures are there in place and are followed.

In this act, it will include anyone who provides treatment, payment and operations in healthcare which is covered entities (CE) and anyone with access to patient information and provides support in treatment, payment or operations namely the business associates (BA). Moreover, the subcontractors or business associates of business associates also need to be in compliance.

What does the Privacy Rule of HIPAA Address?

The Privacy Rule of HIPAA addresses the accessing, saving and sharing of medical and personal information of any individual and the Security Rule of HIPAA specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically. This data is also known as electronic protected health information (ePHI).

A HIPAA compliant hosting provider have a certain administrative, physical and technical safeguards in place with accordance to the U.S. Department of Health and Human Service and so if you are hosting your data with, then you will get all those.

Technical and Physical safeguards and services provided by HIPAA compliant host are

• The physical safeguards include access and control facility which is limited having authorized access in place. All the covered entities or the companies which needs to be HIPAA compliant must have policies about use and access to workstations and electronic media. Moreover, this will include the transfer, remove, dispose and re-use of electronic media and electronic protected health information (ePHI).
• The safeguards of technical is required to access control for allow only the authorized to access electronic protected health data. The access control feature includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption.
• Tracking logs or Audit reports need to be implemented for keeping records of activity on software and hardware. This is especially useful so that it is possible to pinpoint the source or cause of any security violations.
• The technical policies must include the integrity controls and the measures which are put in place to confirm that ePHI hasn’t been modified or corrupted. IT disaster offsite backup and recovery are the key features to ensure that any electronic media errors or failures can be quickly back to normal and patient health information are able to recover accurately and intact.
• The last technical safeguard required for HIPAA compliant hosts is network or transmission security in order to protect against unauthorized public access of ePHI. This includes all the concerns relating to transmission of data, whether it is email, Internet, or even over a private network, such as a private cloud.

In 2009, a supplemental act called The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed supporting the enforcement of HIPAA requirements and it raised the penalties of health organizations which will be imposed on violating HIPAA Privacy and Security Rules. This act was formed in accordance with the health technology development and increased use, storage and transmittal of electronic health information.

The Most Recent Updates from HIPAA

Quite a few updates and alterations are being planned to be incorporated into HIPAA. These updates could either become a part of the existing law or introduced as separate cybersecurity guidance. Some of these updates include:

1. Introduction of New Penalties in Case of HIPAA Violations

The new and updated penalties and fines for HIPAA violations were introduced in 2019. The official documentation regarding the update was published in the month of April 2019. The document included details about the penalties which now consist of a tiered structure. The initial penalty for tier 1 is a whopping $25,000.

2. Better Accountability and Stronger Enforcement of Violations

The year 2019 was a big one for HIPAA enforcement. The HIPAA Journal reported that more than $1.2 million was collected on an average as penalties from defaulters. Enforcement is certainly on a rise for HIPAA since 2018, and 2019 was not far behind. HHS OCR or the Health & Human Services Office for Civil Rights continued its stringent enforcement efforts in 2019 also. In the current COVID-19 scenario, however, the speed of enforcement might face a setback.

3. The Upcoming Permanent Audit Program

The permanent audit program is long overdue since the HHS spoke about it during the launch of Phase 2 of the HIPAA audit program. The organization had promised that it will be launched very soon. Somehow, the audit program has still not been launched and the structure is also not upgraded to a permanent structure.

4. Regulations and Additional Guidance Regarding Opioids

The overuse and addiction of opioids in the USA is nothing less than an “epidemic” or a “crisis”. HIPAA’s new legislation is expected to introduce solid measures regarding this issue and help fight against this controversial topic. These changes might include additional compliance measures, regulations, and guidance on opioid prevention.