What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes national standards for protecting the privacy and security of individually identifiable health information, known as Protected Health Information (PHI). HIPAA compliance is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

HIPAA consists of several rules that together define the requirements for handling PHI:

• Privacy Rule (45 CFR Part 164, Subpart E): Establishes standards for the use and disclosure of PHI. Defines patient rights regarding their health information, including the right to access, amend, and receive an accounting of disclosures.
• Security Rule (45 CFR Part 164, Subpart C): Requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). Contains 54 implementation specifications organized into 18 standards.
• Breach Notification Rule (45 CFR Part 164, Subpart D): Requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media, following a breach of unsecured PHI.
• Omnibus Rule (2013): Extended HIPAA requirements directly to business associates and their subcontractors, strengthened breach notification requirements, and increased penalties for non-compliance.

Who Must Comply with HIPAA?

HIPAA applies to two categories of organizations:

• Covered Entities: Health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. This includes hospitals, physician practices, dental offices, pharmacies, health insurance companies, and any provider that files electronic claims.
• Business Associates: Organizations that perform functions or activities involving PHI on behalf of covered entities. This includes IT service providers, cloud hosting companies, billing services, EHR vendors, medical transcription services, document shredding companies, and consultants who access PHI.

The Raleigh-Durham area is home to major healthcare systems including UNC Health, WakeMed, and Duke Health, along with thousands of physician practices, dental offices, behavioral health providers, and healthcare technology companies. All of these organizations -- and their IT service providers -- must comply with HIPAA.

HIPAA Security Rule Requirements

The Security Rule is the primary technical component of HIPAA and the area where most organizations need the greatest assistance. It requires three categories of safeguards:

Administrative Safeguards (Section 164.308)

• Security management process including risk analysis and risk management
• Assigned security responsibility (designating a Security Officer)
• Workforce security including authorization and supervision procedures
• Information access management
• Security awareness and training for all workforce members
• Security incident procedures for reporting and responding to incidents
• Contingency planning including data backup, disaster recovery, and emergency operations
• Evaluation through periodic technical and non-technical assessments
• Business associate contracts and other arrangements

Physical Safeguards (Section 164.310)

• Facility access controls including contingency operations and access control procedures
• Workstation use and security policies
• Device and media controls for disposal, re-use, and movement of ePHI-containing equipment

Technical Safeguards (Section 164.312)

• Access control including unique user identification, emergency access procedures, automatic logoff, and encryption
• Audit controls to record and examine system activity
• Integrity controls to protect ePHI from improper alteration or destruction
• Person or entity authentication
• Transmission security including encryption of ePHI in transit

Penalties for HIPAA Non-Compliance

• Tier 1 -- Lack of Knowledge: $100 to $50,000 per violation, up to $25,000 per year for identical violations
• Tier 2 -- Reasonable Cause: $1,000 to $50,000 per violation, up to $100,000 per year
• Tier 3 -- Willful Neglect (Corrected): $10,000 to $50,000 per violation, up to $250,000 per year
• Tier 4 -- Willful Neglect (Not Corrected): $50,000 per violation, up to $1.5 million per year

Beyond financial penalties, HIPAA breaches result in mandatory notification to affected patients, public disclosure on the HHS "Wall of Shame" for breaches affecting 500 or more individuals, potential criminal prosecution, class action lawsuits, and severe reputational damage.

How PTG Helps with HIPAA Compliance

HIPAA Risk Analysis: The Foundation of Compliance

The HIPAA Security Rule requires all covered entities and business associates to conduct an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information" (45 CFR 164.308(a)(1)(ii)(A)).

A proper HIPAA risk analysis is not a checklist exercise. It requires:

• Identifying all systems that create, receive, maintain, or transmit ePHI
• Identifying threats (natural, human, and environmental) to those systems
• Identifying vulnerabilities that could be exploited by those threats
• Assessing the likelihood and impact of each threat-vulnerability combination
• Determining the current level of risk and documenting risk management decisions
• Documenting the entire analysis and maintaining it as a living document

The HHS Office for Civil Rights has consistently cited inadequate risk analysis as the most common HIPAA violation in enforcement actions. PTG conducts thorough risk analyses that satisfy OCR requirements and serve as the foundation for your entire HIPAA compliance program.