Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


What is HIPAA and why should I care?

Compliance & Regulation

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996, which requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

HIPAA*Ahem* ok, I’m asleep, you?

Get the Free Essential Guide to US Data Protection Compliance and Regulations

Breaking it down, HIPPA’s overarching goal is to protect the confidentiality and security of healthcare information.  This takes place in the main two rules of HIPAA: the Privacy Rule and the Security Rule.

The Anatomy of HIPAA

The Privacy Rule

Protect patients’ right to keep health information private and what you must do to protect them. The Privacy Rule applies to oral, written, electronic health information.  For example: you must request a patient’s written authorization to share their health information with third parties.

The Security Rule

Give organizations rules to follow for safeguarding health information and to remain compliant. The Security Rule outlines the technical and administrative safeguards you should take to protect the data. The Security Rule applies only to electronic information.  For example: you should lock the door on the server room and require authentication to get on your network.

The Breach Notification Rule

If there’s ever a data leak, or a security breach (without a leak), you have 60 days to notify affected individuals of the fact. If more than 500 records were breached,  you’re required to notify the Department of Health and Human Services (HHS), which will then post the incident for all to see on its site.

So, long story short — PR nightmare.

(Footnote: the Breach Notification rule comes from HITECH, which was an update of HIPAA.)

The Enforcement Rule

Ok, so we were breached, but we don’t think there were any leaks, we’re ok, right? Nope. If you’re found in non-compliance, get ready for some hefty fines. (I’ll give you some juicy non-compliance cases in an upcoming post).

The Administrative Simplification Rule

Medical providers and health plans should standardize their health care transactions.

Ok, that’s a lot to have sink in, but essentially it boils down to:

  1. Do you have access to health information?
  2. Keep it safe and don’t show it to anyone or you get dinged.

But maybe you’re not in the health care industry. Or maybe you are, but you deal non-HIPAA user data. Does this all still apply to you?

Unfortunately, yes.

In the past, Health care providers, health plans, health care clearninghouses, and their business associates–that is, data outsourcers– had to comply with HIPAA.  But in January 2013, HITECH’s finalized rules effectively say any company with access to personal health information is treated just like a hospital or HMO.

That means that HIPAA now applies to: lawyers, consultants, subcontractors, cloud service providers, analytics services, software vendors, resellers, etc.  In short, pretty much everyone.  But wait, you say! I have a contract that releases me from liability!  Tough luck, that crafty clause you inserted won’t work anymore because you’re now directly under HIPAA.

Action steps to take

There are plenty of steps on the path to HIPAA compliance, but here are 2 to start with:

1. Be super-smart about authentication

  • One unique ID per user; no shared logins
  • Use 2 factor authentication/biometrics
  • Require strong passwords
  • Expire passwords periodically
  • Enforce automatic logoff

2. Setup alerts

How cool would it be to setup an alert that says: send me an email whenever an e-PHI shows up in a folder or SharePoint site that doesn’t have a data owner assigned?  Or a folder or SharePoint site that is public?

Risks are inevitable, mistakes happen. You should be aware of risk before they result in a breach.

What are some common things to alert about?

  • Privilege escalations
  • New e-PHI is created in an unprotected repository
  • Users activity abnormally spikes or deviates

Hope you enjoyed this lesson on what HIPAA is an how it applies to you.  This is part one in a series of blog posts we’re writing on HIPAA.  There’s plenty more to do on the road to compliance, so stay tuned.

Want more educational stuff?

Check out our video library.  We also have a great guide on US Compliance and Regulation.

Rob Sobers

Rob Sobers

Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.