What Is HIPAA Compliance?

If your business handles patient information, you likely need to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Failing to do so puts you at risk of large financial penalties and civil lawsuits. 

In this guide, we step you through this key federal law—including who it applies to and its main rules—and offer practical tips for ensuring your business is HIPAA compliant.

What Is a HIPAA-Compliant Business?

To be HIPAA compliant, your business must follow the rules and requirements of HIPAA. These include ensuring the confidentiality and integrity of protected health information (PHI), following standards for storing and sharing PHI, conducting risk assessments, training employees, and introducing measures to protect against data breaches.

Let’s look at HIPAA more closely:

What is HIPAA?

HIPAA is a federal law that sets strict rules for how individuals and businesses in the US healthcare and health insurance industries handle patients’ protected health information. 

Protected health information (PHI) is any “individually identifiable health information” (i.e., information that could be used to identify someone) stored or sent by an organization covered by HIPAA. It includes paper, electronic, and oral information. 

Examples of PHI include medical records or test results that contain identifying information such as:

• Names
• Dates of birth
• Phone numbers
• Emails
• Social security numbers
• Fingerprints
• IP addresses
• Driver’s licenses
• License plate numbers
• Insurance policy number
• Insurance claims history

HIPAA requires covered individuals and businesses to protect patients’ PHI through administrative, physical, and technical safeguards. 

The law tries to balance protecting individuals’ privacy and the need to easily share their medical information in certain circumstances to provide effective healthcare services. 

The Department of Health and Human Services (HHS) administers HIPAA, while HHS’s Office for Civil Rights (OCR) enforces HIPAA’s Privacy and Security Rules.

Why Is HIPAA Compliance Important?

Ensuring compliance with HIPAA is essential to protecting patient privacy and confidentiality. Personal health information can be highly sensitive, and patients have a right to keep it private. 

HIPAA ensures the security of patients’ medical information. HIPAA-compliant businesses reassure patients of their commitment to privacy and confidentiality, building patient trust. 

Ensuring your business is HIPAA compliant also helps protect your business from data security breaches. Healthcare businesses are often targeted by criminals wanting access to patient information for fraudulent reasons. Not only is this bad for the individuals whose details are compromised, but it can also harm your business’s reputation. 

Most significantly, non-compliance puts businesses at risk of HIPAA violations. Businesses that do not follow HIPAA regulations can face civil fines and even criminal charges in the most severe cases. 

The OCR is responsible for issuing civil HIPAA penalties. The amount of these varies depending on the level of negligence that led to the violation. Minimum and maximum penalties are set out in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and adjusted yearly based on inflation. 

The current minimum and maximum fines for HIPAA violations are:

• Tier 1 (reasonable efforts): $137-$68,928
• Tier 2 (lack of oversight): $1,379-$68,928
• Tier 3 (neglect – addressed within 30 days): $13,785-$68,928
• Tier 4 (neglect – not addressed within 30 days): $68,928

The OCR can impose multiple fines, up to an annual limit of $2,067,813 per category. 

In the most serious cases, criminal charges can lead to fines and jail time. HIPAA violations may also result in civil lawsuits and large compensation payouts, making them a costly exercise for your business. 

Which Businesses Does HIPAA Apply To?

HIPAA applies to two types of businesses: covered entities and business associates. 

Covered entities

Covered entities are:

• Healthcare providers (such as doctors, dentists, and pharmacists) who electronically send health information for specific purposes, including claims and benefit eligibility inquiries. 
• Health plans, including health insurers, Medicare insurers, and employer-sponsored health plans with 50 or more participants. 
• Healthcare clearinghouses, which are businesses that standardize information, such as billing and medical claims, and transfer it between healthcare providers and health insurers.

Business associates

According to the CDC, a business associate is “a person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity.”

Business associates are third parties who handle PHI while delivering services to covered entities. Examples include companies that provide medical billing, IT, or transcription services to a covered entity.

Business associates can also include subcontractors who work with business associates and access PHI. 

Key HIPAA rules

Here are several key rules published by the HHS under HIPAA. 

HIPAA Privacy Rule

The Privacy Rule is a set of standards governing how covered entities can use and share PHI. It addresses certain obligations on businesses, including:

• Informing patients of their rights.
• Designing and implementing plans and procedures to protect patients’ information.
• Providing employee training on patient privacy rights and procedures.
• Appointing someone in the organization to oversee privacy procedures.

The Privacy Rule also sets out:

• The necessary steps covered entities must take to protect PHI.
• Who can access PHI, and when and how can it be shared.
• The limited circumstances in which covered entities can share PHI without patient consent.
• Patients’ rights to access and make corrections to their PHI.
• The requirement for covered entities to include specific protections in their contracts with business associates.

The Privacy Rule mainly applies to covered entities. However, where a covered party contracts with a business associate and PHI is involved, the Privacy Rule also places obligations on the business associate. 

HIPAA Security Rule

While the Privacy Rule applies to PHI generally, the Security Rule applies to electronic protected health information (e-PHI)—any individually identifiable health information created, sent, stored, or received electronically. 

Covered entities and business associates must abide by the Security Rule. The rule requires they take necessary steps to protect e-PHI by introducing security measures, including administrative, technical, and physical safeguards. 

The Security Rule is designed to address the unique risks associated with electronic information and records. For example, it addresses:

• What covered entities and business associates must do if there’s a potential breach of e-PHI.
• Conducting risk analyses of potential risks to the security of e-PHI.
• Conducting evaluations to ensure policies and procedures meet the necessary security standards.
• Appointing a security official to oversee these policies and procedures.
• A requirement to ensure their workforce complies.

Breach Notification Rule

A breach occurs when someone accesses, uses, or shares unsecured PHI in a way that isn’t allowed under HIPAA. For example, breaches include an unauthorized employee accessing PHI or a cyberattack on a healthcare organization. 

If a covered entity identifies a breach of PHI, they must notify the affected individuals within 60 days. Businesses can do this by sending a letter to the individuals’ last known addresses. 

If the business does not have up-to-date contact information for 10 or more affected individuals, it must add a breach notice to its website via a link on its homepage for 90 days. 

If the breach affects more than 500 individuals, the covered entity must notify HHS and a prominent media outlet in their relevant state within 60 days. If less than 500 individuals are affected, the covered entity can report the breach to HHS within 60 days of the end of the calendar year. 

Under the Breach Notification Rule, business associates must notify the relevant covered entity of any unsecured PHI breaches within 60 days. 

Tips for staying HIPAA compliant

Compliance with HIPAA is only possible with a good understanding of the relevant laws. However, HIPAA provisions are complex, and state laws may also apply to your business. Understanding the interaction between these and HIPAA is essential. 

Additionally, the exact steps you need to take to ensure your business complies with its HIPAA obligations depend on its size and nature. 

For these reasons, speaking to a lawyer or HIPAA expert is important to understand your obligations and how your business can achieve compliance. 

The HIPAA Journal is a good starting point for learning about HIPAA generally. This website provides various resources on HIPAA-related topics, including a helpful compliance checklist. 

HIPAA regulations are regularly updated. Staying on top of these developments ensures your business remains compliant. 

You could appoint someone in your organization to follow this by routinely checking the HHS website and subscribing to industry publications. For example, the HIPAA Journal has a newsletter for HIPAA updates and proposed new rules. 

Risk assessments are mandatory under the Security Rule but apply only to e-PHI. By conducting broader, more regular risk assessments, you can proactively identify any areas you need to address before a HIPAA violation occurs.

HHS’s HIPAA audit protocol provides useful guidance for conducting these risk assessments.

HIPAA compliance is an all-of-organization effort. Support your employees in understanding their responsibilities by introducing HIPAA during onboarding and continuing with regular training sessions.  

You can conduct these sessions in person or via online training courses. Various companies offer HIPAA training programs, or you can create your own. Tailoring the training content according to roles and responsibilities ensures employees understand how HIPAA rules apply to their specific job functions.

Using HIPAA-compliant software to securely store, manage, and send e-PHI can help you comply with your HIPAA obligations. 

Connecteam’s all-in-one employee app is fully HIPAA-compliant. You can use it to create and manage HIPAA training for your employees, securely share encrypted patient documents, and communicate with your employees in real-time—all while knowing the privacy and security of patients’ e-PHI are safe. 

Seamlessly manage HIPAA compliance using Connecteam

HIPAA compliance must be a priority when starting or running a healthcare business. Fully understanding your HIPAA obligations is essential to reducing the risk of violations and their consequences. Regular audits, employee training, and the right software further help support compliance. 

With HIPAA-compliant software such as Connecteam, you can ensure your document management and communication systems meet HIPAA standards. This not only helps protect patient information but also reduces the risk of violations and fosters patient trust. 

Learn more about how Connecteam can help your healthcare business.

FAQs

What is an example of HIPAA compliance?

Examples of HIPAA compliance include: 

• Restricting access to patient information to specific users. 
• Encrypting electronic PHI. 
• Developing clear policies and procedures for handling, storing, and sharing PHI. 
• Conducting regular risk assessments to identify potential threats to the security of PHI. 
• Training employees to understand their HIPAA obligations. 

How do I know if I am HIPAA compliant?

The best way to know if your business is HIPAA compliant is to understand your obligations under HIPAA and then review your policies, procedures, and practices to ensure they meet the required standards. If they don’t, take the necessary steps to address any gaps.  

Disclaimer

The information on this website about HIPAA compliance is intended to be a summary for informational purposes only. However, laws and regulations regularly change and may vary depending on individual circumstances. While we have made every effort to ensure the information provided is up-to-date and reliable, we cannot guarantee its completeness,  accuracy, or applicability to your specific situation. Therefore, we strongly recommend that readers seek guidance from their legal department or a qualified attorney to ensure compliance with applicable laws and regulations. Please note that we cannot be held liable for any actions taken or not taken based on the information presented on this website.