
HIPAA Security Rule Explained


The HIPAA Journal estimates that a large data breach ( > 50k records) can cost the organization around $6 million – and that’s before the Office of Civil Rights (OCR) drops their own hammer. Over the last few years, we’ve seen more reports of breaches, an increase of HIPAA investigations, and higher fines across the board – all stemming from violations of the HIPAA security rule.


What is The HIPAA Security Rule?

The HIPAA Security Rule sets the minimum standards required for Covered Entities (CE) to manage electronic PHI (ePHI). To be considered HIPAA compliant, CEs need to address 3 key security zones: administrative, physical, and technical.

How Does the HIPAA Security Rule Protect Your Data?


Administrative Safeguards 

HIPAA rules require CEs to adhere to certain processes to ensure and verify their compliance with the HIPAA Security Rule:

  • Security Management Process: CEs must establish policies and procedures to prevent, detect, contain and correct security violations. Part of this process is to follow the procedures in the Risk Management Framework to assess overall risk in your current processes or when you implement new policies.
  • Assigned Security Responsibility: One designated security official must be responsible for the development and implementation of the HIPAA Security Rule.
  • Workforce Security: CEs must identify which employees require access to ePHI and make efforts to provide control over that access. To achieve this, implement a least privilege model and automatically enforce and manage permissions.
  • Information Access Management: Restrict access to ePHI via permissions after you have identified who should have access in the step above.
  • Security Awareness and Training: In order to enforce these rules and security policies, organizations need to train their users on what the rules are and how to abide by them.
  • Security Incident Procedures: This standard provides guidance on how to create a policy to address data breaches: it’s good practice regardless – report breaches and security violations, and set up alerts and security analytics so that you can prevent breaches in the first place.
  • Contingency Plan: This is the “what happens next” standard. Create and follow a data backup plan, disaster recovery plan, and have an emergency mode operation plan in place, just in case things go sideways and you get breached. There’s also guidance in this standard for testing and revising these plans, as well as managing critical applications that store, maintain or transmit ePHI.
  • Evaluation: Establish a process to review and maintain the policies and procedures to stay up to date and current with the HIPAA Security Rule.
  • Business Associate Contracts and other Arrangements: While it’s ok to use other businesses to implement your overall HIPAA Security strategy, as with any 3rd party contractor, you must get assurances from them that they understand HIPAA and they won’t leak your ePHI.

Physical Safeguards 

This section of the HIPAA Security Rule sets standards for physical security: the “lock your doors” and “batten down the hatches” kind of guidance – along with what to do in case of natural disasters, naturally.

  • Facility Access Controls: Limit and audit physical access to the computers that store and process ePHI. Pro tip – put a lock on the server room door.
  • Workstation Use: Manage and secure computers (desktop, laptop, and tablets) that are used to access ePHI. Every computer with access to a CEs ePHI must adhere to this policy, including systems that are offsite (and offline).
  • Workstation Security: Implement physical safeguards for all computers that access ePHI: restrict access to computers that access ePHI, install remote wipe safeguards on laptops that grow legs.
  • Device and Media Controls: Once computers are covered, you still need safeguards on all the rest: devices and media like USB drives, tape backups, or removable storage. Establish a policy to inventory, allow the use of, and reuse or dispose of these devices as needed.

Technical Safeguards

Technical safeguards are the technology and procedures that CEs use to protect ePHI. The HIPAA Security Rule does not define what technology to use, but demands that CEs adhere to the standard and adequately protect ePHI from data breaches.

  • Access Control: Authenticate users as necessary to access ePHI, establish and maintain a least privilege model, and have appropriate procedures in place to audit access control lists (ACL) on a regular schedule.
  • Audit Controls: Audit your ePHI to record and analyze activity in case of a data breach. CEs need to be able to show the OCR exactly how a data breach occurred with a complete audit trail and reporting.
  • Integrity: To be HIPAA compliant, CEs need to be able to prove that the ePHI they manage is protected from threats both inside and out, intentional or not. Whether the new intern deletes a record accidentally, or a nefarious hacker deletes it intentionally, you should be able to recover and restore that record.
  • Person or Entity Authentication: CEs must provide assurances that the person accessing ePHI is, in fact, who they say they are. These assurances can be a password, two-factor authentication, or retinal scan – whatever works as long as you have something implemented.
  • Transmission Security: When sending data to other business partners, you need to be able to prove that only authorized individuals accessed the ePHI. You can use encrypted email with a private key, HTTPS file transfer, or a VPN – as long as only the people authorized to use the ePHI can access it, HIPAA doesn’t care how you set it up.

Ensuring Compliance: HIPAA Security Rule

HIPAA doesn’t spell out what specific software to install or how to implement the requirements in the HIPAA Security Rule.
Varonis provides a 30-day free risk assessment to help get started: we’ll outline problem areas, potential violations, and a plan on how to fix them – we’ve got a proven track record of thousands of customers, many of whom deal with ePHI and HIPAA regulations on a daily basis.

Check out our US Data Protection Compliance and Guidance – or get in touch to discuss how we can help you reach HIPAA compliance and improve your current compliance strategies.


HIPAA Privacy Rule Explained


It’s an unfortunate (but inevitable) fact of life: Laptops get stolen, and the consequences can be devastating. If those laptops have electronic protected health information (ePHI) on them, they fall under HIPAA regulations and the theft must be reported.

Even if the thief doesn’t look at the data, the company can’t prove it: everyone should take precautions to protect themselves against not just fallout from lost data, but from the potential fines that can accrue: install remote wipe capabilities, encrypt your drives, and don’t store ePHI on your local drive.

Hopefully, the next time a laptop grows legs, you will be better prepared to mitigate the damage.

What is The HIPAA Privacy Rule?


The HIPAA privacy rule explains how to use, manage, and protect personal health information (PHI or ePHI). Congress wrote the HIPAA Privacy Rule to protect patient data, and those rules apply to covered entities: the people that transmit, store, manage, and access personal health information.

What Information Does the Privacy Rule Protect?

The HIPAA Privacy Rule defines PHI as individually “identifiable health information” stored or transmitted by a covered entity or their business associates, in any form or media (electronic, paper, or oral).

The law further defines “individually identifiable health information” as an individual’s past, present, and future health conditions, the details of the health care provided to an individual, and the payments or arrangement of payments made by an individual.
In the simplest terms: any and all data having to do with all doctor visits, ever, including (but not limited to):

  • Names
  • Birth, death or treatment dates, and any other dates relating to a patient’s illness or care
  • Contact information: telephone numbers, addresses, and more
  • Social Security numbers
  • Medical records numbers
  • Photographs
  • Finger and voice prints
  • Any other unique identifying number or account number

To Whom Does the HIPAA Privacy Rule Apply?

The HIPAA Privacy Rule protects individual PHI by governing the practices of the covered entities.

Covered entities are the people and organizations that hold and process PHI data for their customers – the ones required to report HIPAA violations and who are responsible to pay fines imposed by the Office of Civil Rights if and when a HIPAA violation occurs.

These organizations are considered Covered Entities under HIPAA:

Health Care Providers

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing homes
  • Pharmacies

Health Plan 

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government provided health care plans

Health Care Clearinghouse

  • These entities process healthcare data from another entity into a standard form.

What Happens if a HIPAA Data Breach Occurs?

According to the HIPAA breach notification rules, a covered entity is supposed to report data breaches to each individual affected within 60 days of discovery.

If the breach affects over 500 individuals, the covered entity must also report the breach to the Department of Health and Human Services within 60 days, which in turn opens an investigation with the Office of Civil Rights. On top of that, if the breach falls within that over-500 club, the covered entity is required by HIPAA rules to issue a press release to media outlets local to the affected individuals.

Not only is a PHI data breach potentially bad for the bottom line, but it’s also government mandated bad press.

HIPAA compliance isn’t just the law, it’s good business practice. Protecting an individual’s personal data and preventing data breaches affects both the bottom line (no fines) and company image (no bad press).

The Varonis Data Security Platform provides the foundation for a HIPAA compliant data security strategy – sign up for a free email course on HIPAA compliance, or get started with a demo to see the state of your HIPAA security.

HIPAA Compliance: Guide and Checklist


There are currently 14,930,463 individual records in the United States with an open HIPAA data breach investigation. That’s up to 14 million humans that have had their Protected Health Information (PHI) exposed by hacking, IT incident, theft, loss, or unauthorized access/disclosure.


That’s just the unresolved case list. If we add the numbers from the resolved breach notifications, we end up with 162,599,642 records – over half of the current US population.

And that’s why we need HIPAA in the first place.

What is HIPAA Compliance?

The US Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to set standards for how US citizens’ PHI records are stored, secured, and used. Nowadays – along with the Health Information Technology for Economic and Clinical Health Act (HITECH) – this legislation governs how anyone with access to your PHI needs to manage and protect that data.

HIPAA doesn’t explicitly define PHI other than information that can “reasonably” be linked to an individual – it could include anything from your birth date to social security number to medical ID or more.

What is the HIPAA Enforcement Rule?

The HIPAA Enforcement Rule explains how companies need to handle HIPAA violations – and the process isn’t just a slap on the wrist.

Individuals or companies report HIPAA violations to the Office for Civil Rights (OCR), and the OCR is responsible for investigating and reviewing those violations. If the OCR finds the violators negligent, the violators must fix what caused the breach in the first place and deal with the affected individuals’ data to the satisfaction of the OCR. If the OCR does not find their response satisfactory or if they find the data breach egregious, the OCR will fine the violators based on the number of records involved.

In 2018 alone there have already been two different settlements costing the violators $3.5 million and $100,000, the latter of which came after the business had already shut down due to HIPAA violations. You can read all about these settlements and more – it’s public record!

What is The HIPAA Privacy Rule?

The HIPAA Privacy Rule is the nuts and bolts of the legislation: it explains how and when healthcare professionals, lawyers, or anyone who accesses your PHI can or can not use that data.

For example: If I want to allow my PHI to be available to my girlfriend, the law requires a signed HIPAA PHI Release form in order for the Doctor’s office to share my information with her. Those are the kinds of scenarios covered in the Privacy Rule.

What is The HIPAA Security Rule?

The HIPAA Security Rule sets the standards on how Covered Entities (the humans who are governed by HIPAA) must protect PHI data. These standards include things like ‘lock the door to the server room’ and ‘only allow access to read PHI data to people who need to see it.’

That makes it paramount to protect personal information that qualifies as PHI – whether online, on paper, or verbally.

What is The HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule says you have 60 days to notify an individual of improper access to their PHI. It’s important to remember that even if ePHI is encrypted by a ransomware attack, it’s considered a breach – and therefore falls under the HIPAA breach notification rule.

If there are more than 500 PHI records impacted, you must notify the Department of Health and Human Services (which in turn gets the OCR involved) – and you’re required to issue a press release about the breach.

If you are in the unfortunate (but not uncommon) situation of reporting a HIPAA violation, here is the information you must initially provide OCR:

  • What PHI was exposed and how was that data made available? What personal identifiers were available during the breach?
  • Who was the unauthorized person who saw or had access to the data?
  • Did anyone actually view or acquire the ePHI?
  • What have you done to fix the issue or mitigate the damage?

There is good news: if you don’t break that 500 record limit in a single event, you can report all of your smaller violations to HHS in a single batch once per year per the Breach Notification Rules.

HIPAA Standard Transactions

A HIPAA Standard Transaction is an exchange of PHI data between two entities. For example, your doctor sends your prescription to the pharmacy, which in turn requests coverage verification from the insurance company.
HIPAA governs all of these PHI transactions, including:

  • Claims and encounter information
  • Payment and remittance advice
  • Claims status
  • Eligibility status
  • Enrollment and disenrollment
  • Referrals and authorizations
  • Coordination of benefits
  • Premium payment

How to Become HIPAA Compliant

Becoming HIPAA compliant isn’t all that different from any of your other basic 21st-century data security plans. In fact, setting up a solid data security plan will help maintain HIPAA compliance.

Here is a HIPAA Compliance Checklist to get you started:


  1. Map your data and discover where your HIPAA protected files live on your network (including cloud storage)
  2. Determine who has access to HIPAA data, who should have access to HIPAA data, and implement a least privilege model.
  3. Monitor all file access to your data.
  4. Set up alerts to notify you if someone accesses HIPAA data, or if someone creates new HIPAA data in a non-compliant repository. Use data security analytics to differentiate between normal behaviors and potential HIPAA violations.
  5. Protect the perimeter with firewalls, endpoint security, locks on server rooms, two-factor authentication, strong passwords, and session timeouts.
  6. Monitor activity on the perimeter and add threat models to your data security analytics.
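The Audit Controls and Access Control safeguards above, and steps 2–4 of this checklist, come down to reviewing file activity against a least-privilege ACL and spotting PHI landing where it should not. Here is an added example (not Varonis code or any product’s logic) that does both over a few constructed audit lines; the log format, account names, paths, ACL and the two identifier patterns are all assumptions for the demo:

```python
# Added example: review a file-access audit log for (1) ePHI access by
# accounts outside the least-privilege ACL and (2) new files that look like
# PHI but were created in a repository not approved for ePHI.
import re
from collections import namedtuple

Event = namedtuple("Event", "ts user action path")

# Constructed sample audit lines: "<timestamp> <user> <action> <path>"
SAMPLE_LOG = """\
2023-03-01T08:02:11 rn_alice read /ephi/patients/10023.txt
2023-03-01T08:05:40 intern_bob read /ephi/patients/10023.txt
2023-03-01T08:07:02 dr_carol create /shared/marketing/newsletter.txt
2023-03-01T08:09:55 rn_alice create /shared/marketing/referrals.csv
2023-03-01T08:11:13 intern_bob delete /ephi/patients/10088.txt
"""

# Assumed least-privilege ACL: only these accounts may touch /ephi/.
EPHI_ACL = {"rn_alice", "dr_carol"}
# Assumed repositories approved to hold ePHI.
APPROVED_REPOS = ("/ephi/",)
# Constructed contents of the files created in the sample log.
FILE_CONTENTS = {
    "/shared/marketing/newsletter.txt": "Flu shots available Friday!",
    "/shared/marketing/referrals.csv": "Jane Roe,123-45-6789,2023-02-14",
}
# Rough identifier patterns from the Privacy Rule's list (SSN, an assumed
# medical record number format); real discovery needs far richer classifiers.
PHI_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), re.compile(r"\bMRN\d{6}\b")]


def parse_log(text):
    return [Event(*line.split(" ", 3)) for line in text.splitlines()]


def looks_like_phi(content):
    return any(p.search(content) for p in PHI_PATTERNS)


def review(events, contents):
    """Return one alert string per audit event that violates a check."""
    alerts = []
    for ev in events:
        in_ephi_repo = ev.path.startswith(APPROVED_REPOS)
        if in_ephi_repo and ev.user not in EPHI_ACL:
            alerts.append(f"{ev.ts} {ev.user} {ev.action} {ev.path}: outside ePHI ACL")
        if ev.action == "create" and not in_ephi_repo and looks_like_phi(contents.get(ev.path, "")):
            alerts.append(f"{ev.ts} {ev.user} created PHI in non-compliant repo {ev.path}")
    return alerts


if __name__ == "__main__":
    for alert in review(parse_log(SAMPLE_LOG), FILE_CONTENTS):
        print("ALERT", alert)
```

On the sample log this raises three alerts: the intern’s read and delete under /ephi/, and the nurse’s referrals file with an SSN created under /shared/marketing/.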

HIPAA compliance isn’t just the law – it will protect your customers’ data and ensure that your business prospers in the age of digital medical records.

Varonis has been working with our customers on HIPAA compliance since before the HITECH Act in 2009. The Varonis Data Security Platform provides the foundation for a HIPAA compliant data security strategy.

Get started with a free email course on HIPAA compliance or sign up for a demo to talk directly with our data security experts.