Building the Foundation for HIPAA Compliance

June 4, 2026 | Compliance, Cybersecurity, HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was first signed into law in the U.S. in 1996 to establish policies and procedures for maintaining the security and privacy of individually identifiable health information, also known as protected health information or PHI. The law not only defines standards, but also outlines offenses and creates civil and criminal penalties for violations.

HIPAA has gone through many iterations over the years. In the early 2000s, the HIPAA Privacy Rule was added to ensure individuals’ health information is properly protected while allowing the flow of health information needed to provide high-quality healthcare and protect the public’s health and well-being.

The U.S. Department of Health and Human Services (HHS) published the HIPAA Security Rule in 2003, with a compliance deadline of April 2005. It sets standards for protecting the confidentiality, integrity, and availability of patients’ electronic PHI (ePHI) against unauthorized access, use, and disclosure.

Another update was issued in 2009, when the HITECH Act introduced breach notification requirements and increased civil penalties for HIPAA violations based on the nature and extent of the breach, as well as harm caused by the incident.

This blog explores the evolution of HIPAA, key security and privacy requirements, who must comply, and the steps organizations can take to strengthen compliance and reduce risk. Let’s dive in.

Who Must Comply with HIPAA?

HIPAA is not a voluntary framework or best practice—it is a federal law that applies to specific types of organizations and carries significant legal and financial consequences for noncompliance.

Organizations that process, store, and interact with PHI and ePHI must comply with HIPAA. This includes “covered entities” such as:

  • Healthcare providers (hospitals, clinics, physician practices, pharmacies, and similar organizations) that transmit health information electronically in connection with standard transactions such as claims, benefit eligibility checks, and referral authorization requests.
  • Health plans, such as insurance providers and other organizations that help individuals and groups pay for healthcare services.
  • Healthcare clearinghouses, or organizations that process other entities’ healthcare transactions for tasks like claims processing, billings, and data management.

HIPAA also applies to “business associates”: individuals and organizations outside these covered entities that create, receive, maintain, or transmit PHI while performing functions or services on a covered entity’s behalf, such as cloud hosting providers, billing services, and IT contractors.

Unlike frameworks such as SOC 2, which organizations may choose to adopt, HIPAA compliance is mandatory for organizations that meet these definitions. Failure to comply can result in substantial penalties enforced by the HHS Office for Civil Rights, including civil fines ranging from hundreds to millions of dollars, mandatory corrective action plans and ongoing audits, and potential legal liability.

Some organizations may also choose to maintain compliance with HIPAA even if not required by law in order to align with best practices and build trust with customers and stakeholders. 

What is Required for Security Compliance?

According to HHS, the goal of the HIPAA Security Rule is to protect ePHI through administrative, physical, and technical safeguards:

  • Administrative: This includes controls related to risk analysis and risk management, termination procedures, access authorization, password management, data backup plans, and disaster recovery plans.
  • Physical: This includes controls related to facility access, workstation use and security, and device and media controls such as data backup and storage.
  • Technical: This includes access control (unique user identification, emergency access procedures, automatic logoff, and encryption and decryption), audit controls, integrity controls, person or entity authentication, and transmission security.

Each standard carries implementation specifications that are either required or addressable. Addressable does not mean optional: an organization may skip or modify an addressable specification only after documenting why it is not reasonable and appropriate in its environment and, where appropriate, implementing an equivalent alternative measure. Together these safeguards are designed to ensure the confidentiality, integrity, and availability of all ePHI an organization creates, receives, maintains, or transmits, and to protect against reasonably anticipated threats and impermissible uses or disclosures.

What is Required for Privacy Compliance?

The HIPAA Privacy Rule encompasses several key elements designed to protect patient information. One is the “minimum necessary” standard, which requires PHI to be used, disclosed, or requested only to the extent needed to accomplish the intended purpose. The rule also requires covered entities to give patients a Notice of Privacy Practices that explains their rights and how their information will be used and disclosed.

Covered entities must also obtain a patient’s written authorization before using or disclosing PHI for purposes the rule does not otherwise permit. Patients have the right to inspect and obtain a copy of their medical records, request amendments to inaccurate information, and receive an accounting of certain disclosures of their PHI.

These rights give patients meaningful control over their own health information: they can request restrictions on certain uses and disclosures, and they must be told how their information is handled and what rights they hold. This transparency and control help build trust between patients and healthcare providers.

Organizations subject to the HIPAA Privacy Rule must adopt comprehensive compliance strategies to ensure adherence to regulations. This includes conducting regular risk assessments to identify potential vulnerabilities and implementing corrective actions to address any gaps. Training staff on HIPAA compliance and the importance of protecting PHI is also crucial.

Additionally, organizations should develop and enforce policies and procedures that align with HIPAA standards. This includes establishing protocols for responding to data breaches and ensuring that business associate agreements are in place to safeguard PHI when shared with third-party service providers. Regular audits and monitoring can help your organization avoid HIPAA violations, maintain compliance, and mitigate risks associated with handling PHI.

How Can Organizations Validate HIPAA Compliance?

Unlike compliance frameworks such as HITRUST CSF and ISO/IEC 27001, there is no formal certification available or required to prove HIPAA compliance. 

However, there are other options for organizations that want to provide assurance to customers that they adhere to the strict security standards outlined by HIPAA. One way is to obtain a report on HIPAA compliance provided by a third-party auditing firm, like BARR Advisory. BARR’s attest services team can assess your cybersecurity program against HIPAA requirements and provide a formal report on their conclusions. 

Organizations can also pursue compliance with other frameworks that weave elements of HIPAA into their requirements. This includes HITRUST, an internationally accepted standard for security compliance that was designed with HIPAA in mind.

Another option is SOC 2. Many common trust services criteria used in SOC 2 reporting align with HIPAA Security Rule requirements. For organizations also interested in pursuing a SOC 2 report, BARR’s attest services team can assess whether controls related to access management, risk management, and asset management are designed to meet HIPAA regulations. 

Navigating the Journey to HIPAA Compliance

Before you embark on a journey to assess your organization’s HIPAA compliance, BARR can perform a HIPAA readiness assessment to help identify existing gaps in your security program and provide recommendations for remediation. A readiness assessment typically works through the following steps:

  1. Understanding Your Scope
    Start by determining whether your organization handles PHI and how that data flows through your environment. This includes identifying where data is stored, how it’s transmitted, and whether it’s shared with third parties. Understanding your role as a covered entity or business associate is critical to defining your compliance obligations.
  2. Conducting Risk Assessments
    A documented risk analysis is a required implementation specification of the Security Rule, and it must be revisited as systems, vendors, and threats change. Organizations must identify where ePHI lives, enumerate the vulnerabilities and threats to it, evaluate the likelihood and impact of each risk, and document their findings. They must also maintain a risk management process that defines how identified risks are addressed, mitigated, or formally accepted.
  3. Implementing Strong Policies and Procedures
    Effective HIPAA compliance requires more than intent—it requires documentation. Organizations should clearly define who has access to PHI and why, what security measures are in place, and how incidents are detected and handled.
  4. Training Your Team
    Even the most robust security program can fail without employee awareness. HIPAA training is mandatory and should be ongoing, ensuring staff understand their responsibilities and company procedures. Training should also be documented to demonstrate compliance and accountability.
  5. Strengthening Access Controls
    Limiting access to PHI is essential. Organizations must establish clear authorization protocols and authentication requirements to ensure only the right individuals can access sensitive data. It’s also important to outline how misuse or unauthorized access will be detected and addressed.
  6. Managing Vendor Risk
    Third-party vendors are a common source of HIPAA violations. A strong vendor management program should include thorough risk assessments, clear documentation of what data each vendor can access and how it is used, and contractual safeguards, starting with a signed business associate agreement (BAA) before any PHI is shared. Understanding how vendors interact with your data helps reduce the likelihood and impact of a breach.
  7. Preparing for Breaches Before They Happen
    No organization is immune to a data breach. That’s why having a documented and tested incident response plan is critical. Your plan should define the steps to contain and remediate a breach, the roles of each team member in executing the plan, and how you will meet the notification obligations HITECH introduced: affected individuals, HHS, and in some cases the media must be notified without unreasonable delay and no later than 60 days after the breach is discovered. Testing these processes regularly ensures your organization can respond quickly and effectively when an incident occurs.
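The technical safeguards listed in the Security Rule section above and steps 5 and 7 of this list describe controls in the abstract. The following Python module is an added example written for this page (it is not BARR’s, HHS’s, or any product’s code) showing how several of those controls fit together: every access is tied to a unique user ID, each role sees only the fields it needs (minimum necessary), a clinician without a treatment relationship is denied unless they invoke a logged break-glass emergency procedure, every decision lands in an HMAC-chained audit trail that reveals tampering, and a detection routine reviews that trail for break-glass use and repeated denials. The role-to-field mapping, the users, the patient record, and the audit key are constructed sample data; encryption of ePHI at rest and in transit is out of scope for the example.

```python
"""Added example (not BARR's or HHS's code): unique user IDs, minimum-necessary
role-based access, a break-glass emergency access procedure, a tamper-evident
audit trail, and detection logic run over that trail. All data is constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: illustrative minimum-necessary field sets per role, not a standard mapping.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medications", "notes"},
    "billing": {"name", "dob", "insurance_id", "procedure_codes"},
    "front_desk": {"name", "dob"},
}

# Assumption: constructed demo key; in production this comes from a KMS/HSM and is rotated.
AUDIT_KEY = b"constructed-demo-key-rotate-in-production"

# Constructed directory: every user has a unique ID, so no shared accounts appear in the log.
USERS = {
    "u1001": {"role": "clinician", "care_team_for": {"p-42"}},
    "u2002": {"role": "billing", "care_team_for": set()},
    "u3003": {"role": "clinician", "care_team_for": set()},  # not on p-42's care team
}
RECORDS = {
    "p-42": {"name": "Sample Patient", "dob": "1970-01-01", "diagnosis": "J45.909",
             "medications": ["albuterol"], "notes": "constructed", "insurance_id": "INS-1",
             "procedure_codes": ["99213"]},
}


@dataclass
class AuditLog:
    """Append-only log. Each entry's MAC covers the previous entry's MAC, so editing
    or deleting any entry breaks the chain (audit controls plus integrity)."""
    entries: list = field(default_factory=list)

    def _mac(self, prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, **event):
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        event["ts"] = datetime.now(timezone.utc).isoformat()
        self.entries.append({"event": event, "mac": self._mac(prev, event)})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if not hmac.compare_digest(e["mac"], self._mac(prev, e["event"])):
                return False
            prev = e["mac"]
        return True


def access_phi(log, user_id, patient_id, break_glass_reason=None):
    """Return the minimum-necessary view of a record, or None if denied.
    Clinicians need a treatment relationship unless they invoke emergency access,
    which is allowed but recorded with the stated reason for later review."""
    user = USERS.get(user_id)
    if user is None or patient_id not in RECORDS:
        log.append(action="read", user=user_id, patient=patient_id,
                   outcome="denied", reason="unknown user or record")
        return None
    role, emergency = user["role"], False
    if role == "clinician" and patient_id not in user["care_team_for"]:
        if not break_glass_reason:
            log.append(action="read", user=user_id, patient=patient_id,
                       outcome="denied", reason="no treatment relationship")
            return None
        emergency = True
    view = {k: v for k, v in RECORDS[patient_id].items() if k in ROLE_FIELDS[role]}
    log.append(action="read", user=user_id, patient=patient_id, outcome="allowed",
               fields=sorted(view), emergency=emergency, reason=break_glass_reason)
    return view


def detect_anomalies(log, denial_threshold=3):
    """Detection a SOC would run over the trail: every break-glass access gets a
    review ticket, and repeated denials from one user suggest snooping or a
    compromised account."""
    alerts, denials = [], {}
    for e in log.entries:
        ev = e["event"]
        if ev.get("emergency"):
            alerts.append(f"review break-glass access by {ev['user']} to {ev['patient']}: {ev['reason']}")
        if ev["outcome"] == "denied":
            denials[ev["user"]] = denials.get(ev["user"], 0) + 1
    for user, n in denials.items():
        if n >= denial_threshold:
            alerts.append(f"{n} denied PHI reads by {user}: possible snooping or compromised account")
    return alerts


def demo():
    log = AuditLog()
    access_phi(log, "u2002", "p-42")  # billing sees only billing fields
    for _ in range(3):
        access_phi(log, "u3003", "p-42")  # clinician without relationship: denied
    access_phi(log, "u3003", "p-42", break_glass_reason="ER admission, attending unavailable")
    return log, detect_anomalies(log)


if __name__ == "__main__":
    audit, found = demo()
    print("\n".join(found))
    print("audit chain intact:", audit.verify())
```

The chained MAC is the piece most often missing in homegrown audit logs: without it, an attacker (or an insider) who can write to the log table can also erase the evidence of their own access, which defeats the audit-controls safeguard the log exists to satisfy.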

Let’s explore your security and compliance goals and find a solution that’s right for your organization. Contact us today to get started.

Let's Talk