Implement physical, administrative, and technical protections for sensitive patient data — or Protected Health Information (PHI).
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA, which took effect in 1996, requires companies that handle sensitive patient data, defined under the regulation as “protected health information” (PHI), to maintain specific security measures that protect that data.
HIPAA aims to modernize the flow of healthcare data, protect it from fraud and theft, and address limitations on insurance coverage.
HIPAA is enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR), as well as by state attorneys general, who issue penalties for violations.
Challenges to HIPAA Compliance
HIPAA requires organizations in healthcare and affiliated companies to have physical, network, and process security measures in place to safeguard PHI.
Among other requirements, this mandates that organizations: secure records, encrypt data, protect against breaches and malicious attacks, secure against loss or theft of devices, train employees on sound security practices, limit the sharing of PHI with third parties, dispose of records when appropriate, and more.
HIPAA regulations frequently change to adapt to new technologies and conditions.
HIPAA regulates health care providers, health plans and insurers, health care clearinghouses, and businesses associated with health organizations.
These “covered entities” include anyone in health care providing treatment or payment services, or support for those services — and anyone who has access to patient information, including affiliated or subcontracted entities.
A Broad Definition of PHI
HIPAA defines and monitors PHI collected and processed by covered entities.
PHI is any medical information — past, current, or future — that can identify an individual; or that is created, used, or disclosed in the process of providing health care services.
This includes physical/mental health-related records — physical, electronic (ePHI) or even verbal.
HIPAA Privacy Rule
The Privacy Rule under HIPAA gives individuals rights over their health information — including the right to examine and obtain copies of their health records and request corrections to inaccurate data.
It also requires that covered health care organizations take reasonable steps to ensure patient confidentiality, keep track of PHI disclosures, notify individuals of use of their PHI, and more.
HIPAA Security Rule
The HIPAA Security Rule covers three areas of safeguards (physical, administrative, and technical) and mandates that covered entities use best practices in each to protect data.
Organizations need to enact policies around transferring, retaining, remediating, disposing of, and sharing PHI and ePHI — as well as securing access.
Penalties for HIPAA Noncompliance
Penalties for HIPAA violations are organized into tiers according to culpability level — from negligence to willful neglect — and fines from $100 per violation to $50,000 per violation.
Entities in violation may face fines, criminal penalties, and requirements to prove an action plan to bring their policies and procedures up to compliance standards.
The Health Information Technology for Economic and Clinical Health (HITECH) Act raises penalties for health organizations that violate HIPAA — and adjusts fines annually.
How BigID Helps with HIPAA Compliance
Identify All Your Sensitive Data
See a clear, complete view of all your sensitive information and PHI across the enterprise — not just the data you know about — to protect it.
Identify high-risk protected health information and where it resides, flag data flows and access patterns, and continuously monitor access activity.
Classify HIPAA Data
Automatically classify, categorize, and protect HIPAA data with advanced ML and NLP for fewer false positives.
Maintain detailed records of information systems, stay on top of audits, and be able to report on HIPAA compliance.
BigID for HIPAA Compliance
Discover all sensitive and regulated data that falls under HIPAA, wherever it’s stored across the organization.
Take an ML-based approach to automatically classify and tag high-risk data that falls under HIPAA.
Reduce risk on your most sensitive data with risk scores that incorporate data parameters like data type, location, residency, and more.
Leverage data retention policies and business rules, define custom policies, and apply them consistently across all data types and data sources.