Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is a U.S. law designed to protect the privacy and security of individuals’ medical records and other protected health information (PHI). HIPAA establishes standards for the electronic exchange, privacy, and security of health information, aiming to ensure that sensitive patient data remains confidential and secure. The law is enforced by the U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR).

Who is HIPAA For?

HIPAA applies to a variety of entities in the healthcare sector, including:

  • Covered Entities
    Healthcare providers (such as doctors, clinics, and hospitals), health plans (including health insurance companies and government programs like Medicare and Medicaid), and healthcare clearinghouses.
  • Business Associates
    Companies or individuals who perform services for covered entities involving the use or disclosure of PHI, such as billing companies, data storage providers, and IT service providers.
  • Workforce Members
    Employees, volunteers, trainees, and other individuals whose conduct in the performance of work is under the direct control of a covered entity or business associate.

HIPAA Security vs. HIPAA Privacy

HIPAA encompasses both security and privacy rules, each addressing different aspects of protecting health information:

  • HIPAA Security Rule
    Focuses on protecting electronic protected health information (ePHI) by establishing standards for securing the creation, maintenance, and transmission of ePHI. It requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
  • HIPAA Privacy Rule
    Aims to protect all forms of PHI, whether electronic, paper, or oral. It sets standards for the use and disclosure of PHI and grants individuals rights over their health information, including rights to access and request corrections to their records.

HIPAA Security Controls

Administrative Safeguards

  • Security management processes to prevent, detect, contain, and correct security violations.
  • Assigned security responsibility for overseeing the development and implementation of the security policies.
  • Workforce security to ensure only authorized personnel have access to ePHI.
  • Information access management to implement policies and procedures for authorizing access to ePHI.
  • Security awareness and training programs for all workforce members.
  • Security incident procedures for responding to and reporting security incidents.
  • Contingency planning to ensure the availability of ePHI during emergencies.
  • Evaluation procedures to periodically assess the security measures.

Physical Safeguards

  • Facility access controls to limit physical access to electronic information systems and the facilities in which they are housed.
  • Workstation use policies to specify proper functions and physical attributes of workstations.
  • Workstation security measures to restrict access to authorized users.
  • Device and media controls to govern the receipt, removal, and disposal of hardware and electronic media containing ePHI.

Technical Safeguards

  • Access controls to allow only authorized persons to access ePHI.
  • Audit controls to record and examine activity in information systems containing ePHI.
  • Integrity controls to protect ePHI from improper alteration or destruction.
  • Person or entity authentication to verify that persons seeking access to ePHI are who they claim to be.
  • Transmission security measures to protect ePHI transmitted over electronic networks.

Organizational Requirements

  • Business Associate Contracts to ensure that business associates comply with HIPAA requirements.
  • Group Health Plan Requirements for group health plans to implement safeguards for ePHI.

Policies and Procedures

  • Documentation of policies and procedures implemented to comply with HIPAA standards.
  • Regular updates to policies and procedures to reflect changes in law, technology, and business practices.

Incident Response and Reporting

  • Procedures for identifying, responding to, and reporting security incidents.
  • Documentation and mitigation of incidents, including breach notifications when required.

HIPAA Privacy Controls

Privacy

  • Regulates how health information can be used and disclosed.
  • Requires patient consent for disclosures outside of treatment, payment, and healthcare operations.
  • Grants individuals rights to access, amend, and obtain an accounting of disclosures of their PHI.

Breach

  • Defines requirements for breach notifications in case of unauthorized disclosure of PHI.
  • Requires covered entities to notify affected individuals, HHS, and, in some cases, the media.
  • Specifies timelines and content for breach notifications.

Our Services

vCISO and Fractional Security Analysts

Enhance security leadership and strategy with experienced professionals through one-time projects or continued engagements.

Gap and Risk Assessments

Identify vulnerabilities and gaps in your security posture with our comprehensive assessments, designed not to disrupt your operations.

Framework Deployment Programs

Establish security frameworks through a comprehensive year-long assessment and training program, either individually or with a cohort of your peers.

Apptega GRC Platform

Make the most of Apptega’s powerful Governance, Risk, and Compliance (GRC) tool to effectively manage and maintain your security program utilizing its user-friendly interface.

Implementation Support

Certified assistance in planning and implementing best practices and solutions to mature your security posture.

Meet the Team

Art Provost

Art, with 30 years of experience in Information Security across diverse roles, joined Filament in 2011 and holds multiple certifications, including CISSP, GSEC, GPEN, GWAPT, and CISM.

Tyler Malcom

Tyler, who joined Filament in 2022, has a strong background in cyber defense and offensive operations from his time in the US Navy and holds CISSP and GSEC certifications.

Keri Kunkle

Keri, who joined Filament in 2023, is a seasoned cybersecurity professional with experience in the US Marine Corps and Department of Defense, holding multiple certifications and advanced degrees in cybersecurity.

Expert Help is On the Way

Schedule a Free Discovery Call

Explore your organization’s future with a quick conversation with Filament Information Security services.

Contact us today to learn more about how we can help you achieve your security goals.