Understanding HIPAA Compliance


HIPAA, or the Health Insurance Portability and Accountability Act, is the law that lays down the standards for the protection of confidential patient information. Whenever a company works with protected health information, or PHI, it must take all the network, process and physical security measures that the law requires.

Parties that must comply include all Covered Entities (CEs), meaning anyone that provides healthcare treatment or handles the related payments and operations, and Business Associates (BAs), meaning anyone that accesses patient information while supporting healthcare treatment and the related payments and operations. This includes not only the main contractors but also their subcontractors, and the business associates of business associates.

The HIPAA Privacy Rule covers the storage, access and sharing of the medical and personal data of any person receiving medical treatment, while the HIPAA Security Rule specifically protects all electronically transmitted health data, also called Electronic Protected Health Information (ePHI).

If you host your data with a provider that is HIPAA compliant, that means they have specific technical, physical and administrative safeguards or defenses in place:


Physical safeguards include facility access and control restrictions. All entities that must be HIPAA compliant are required to have policies governing the use and access of electronic media and workstations, including moving, removal, disposal and reuse of ePHI.


Technical safeguards are access control measures through which only authorized individuals are given access to electronic protected health data. This includes the use of unique user IDs, automatic log off, emergency access procedure, and encryption/decryption. Logs must be implemented for the recording of all activity, both on software and hardware. This is particularly useful for determining the actual cause or source of any security breaches.

Technical policies must also include integrity controls, which confirm that ePHI is intact and unaltered. IT disaster recovery and offsite backup are major requirements for the prompt resolution of electronic media issues and the recovery of intact, accurate patient health information. Watch https://www.youtube.com/watch?v=mEu6NGPA0Cg to learn more about HIPAA.
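The technical safeguards described above (unique user IDs, automatic log-off, activity logging and integrity controls) are easier to reason about when seen together in code. The following is an added example, not code from the original post or from any HIPAA-compliant provider, and it is not a compliance implementation: it shows, in a few dozen lines of standard-library Python, how the four mechanisms fit together. Every user ID, role, record, key and timeout value is constructed for the example; the HMAC-based seal is one common way to implement an integrity control and is an assumption, not something the post prescribes.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# All values below are constructed for illustration; none come from HIPAA itself.
INTEGRITY_KEY = b"constructed-demo-key-replace-in-real-deployments"
SESSION_TIMEOUT_SECONDS = 300  # assumed idle limit for automatic log-off

# Unique user IDs mapped to roles (constructed sample directory).
USERS = {
    "u1001": {"name": "Dr. Example", "role": "clinician"},
    "u2002": {"name": "Billing Clerk", "role": "billing"},
}
# Role-based permissions: only clinicians may read or update clinical ePHI.
PERMISSIONS = {
    "clinician": {"read_record", "update_record"},
    "billing": {"read_billing"},
}


@dataclass
class Session:
    user_id: str
    last_activity: float  # seconds; passed in explicitly so the example is deterministic


def check_session(session, now):
    """Automatic log-off: reject a session idle longer than the timeout,
    otherwise refresh its activity timestamp."""
    if now - session.last_activity > SESSION_TIMEOUT_SECONDS:
        return False
    session.last_activity = now
    return True


def seal(record):
    """Integrity control: HMAC-SHA256 over a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()


class EphiStore:
    def __init__(self):
        self.records = {}    # record_id -> (record, mac)
        self.audit_log = []  # every access attempt, allowed or not

    def _audit(self, user_id, action, record_id, outcome):
        self.audit_log.append(
            {"user": user_id, "action": action, "record": record_id, "outcome": outcome}
        )

    def _authorize(self, session, action, now):
        if session.user_id not in USERS:
            return "unknown_user"
        if not check_session(session, now):
            return "session_expired"
        role = USERS[session.user_id]["role"]
        if action not in PERMISSIONS.get(role, set()):
            return "denied"
        return "ok"

    def write(self, session, record_id, record, now):
        outcome = self._authorize(session, "update_record", now)
        self._audit(session.user_id, "update_record", record_id, outcome)
        if outcome != "ok":
            return False
        self.records[record_id] = (dict(record), seal(record))
        return True

    def read(self, session, record_id, now):
        outcome = self._authorize(session, "read_record", now)
        if outcome == "ok" and record_id not in self.records:
            outcome = "not_found"
        self._audit(session.user_id, "read_record", record_id, outcome)
        if outcome != "ok":
            return None
        record, mac = self.records[record_id]
        if not hmac.compare_digest(mac, seal(record)):
            # Stored data no longer matches its seal: refuse to serve it and log the event.
            self._audit(session.user_id, "integrity_check", record_id, "tampered")
            return None
        return dict(record)


def simulate_out_of_band_change(store, record_id, field_name, value):
    """Models a change made directly to the storage layer (for instance by a faulty
    migration) that bypasses write() and therefore leaves the seal stale."""
    record, _mac = store.records[record_id]
    record[field_name] = value


if __name__ == "__main__":
    store = EphiStore()
    clinician = Session("u1001", last_activity=1000.0)
    store.write(clinician, "r1", {"patient": "P-0001", "note": "constructed"}, now=1010.0)
    print(store.read(clinician, "r1", now=1020.0))
    simulate_out_of_band_change(store, "r1", "note", "altered")
    print(store.read(clinician, "r1", now=1030.0))  # None: integrity check failed
    for entry in store.audit_log:
        print(entry)
```

Two design points are worth noticing. Every attempt is written to the audit log before the outcome is known to the caller, so a denied or expired request leaves the same kind of trail as a successful one; that is what makes the log useful for tracing the source of a breach. And the integrity seal is checked on every read rather than only on write, so an alteration that bypasses the application (the situation an integrity control exists to catch) is detected at the point where the data would otherwise be served.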

Administrative – Network/Transmission

Network or transmission security protects ePHI against unauthorized access. This covers all methods of data transmission, such as the Internet, email and private networks. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in support of HIPAA, increasing the penalties for health organizations that do not comply with the HIPAA Privacy and Security Rules. The supplemental act was crafted in response to the rapid development of health technology and the expanded use, transmission and storage of electronic health data.

