Introduction to HIPAA compliance



A couple of weeks back, some of my colleagues approached me to get a basic understanding of HIPAA. As part of our regular knowledge sharing session at Gorisco, I recently gave a presentation on this. I realized that it would probably be a good idea, and helpful to others, if I wrote a short blog on this based on my 17 years of experience in Healthcare RCM.


So, here it is…


HIPAA – Health Insurance Portability and Accountability Act

If you are involved with the US healthcare industry, it is pertinent to clearly understand the basics of HIPAA.


What is HIPAA compliance?

The Health Insurance Portability and Accountability Act (1996) is an evolving law that governs how the PII contained in PHI is processed. Any organization that comes into contact with PHI needs to implement processes that protect the privacy, security and integrity of that PHI.


OK! What is PHI? Some of the acronyms frequently used under HIPAA are:

  • PHI : Protected Health Information

  • PII : Personally Identifiable Information

  • OCR : Office of Civil Rights

  • OIG : Office of Inspector General

  • HHS : Department of Health and Human Services

  • BAA : Business Associate Agreement

HIPAA was enacted to establish the “meaningful use” and disclosure of PHI. HHS regulates compliance, while OIG and OCR enforce it. PHI contains both PII and the associated health information.


Why is HIPAA important?

The bottom line is that HIPAA is a LAW and therefore has to be followed.


What does HIPAA aim to achieve?

  • Ensures privacy and confidentiality

  • Ensures that patients have access to their accurate healthcare data

  • Ensures data security

HIPAA gives organizations handling PHI a framework that governs who has access to PHI, why that access is required and to whom it is provided.


Any organization dealing with PHI should have sufficient physical, network, environmental, people and process security measures in place to be compliant. HIPAA exists to protect individuals and to ensure everyone has full access to a copy of their personal medical records; it is ultimately a civil rights issue. It mandates data protection for anyone who creates, stores, transmits or uses individually identifiable health information. Staff must be trained and assessed regularly, and failsafes must be put in place on systems.


Common HIPAA violations

  • Discussing PHI outside designated areas

  • Sending PHI to the incorrect party

  • Business Associate breaches

  • Hacking and/or virus attacks

  • Lost, stolen or compromised media devices

  • Social media updates

How to comply?

The processes that businesses follow should comply with the 5 rules:

  1. Privacy rule

  2. Security rule

  3. Transaction rule

  4. Unique identifiers rule

  5. Enforcement rule

These 5 rules can be enforced by implementing the following:

  • Information Risk assessments

  • Policies, procedures and employee training

  • Supply chain/ Business Associate management

  • Incident management

  • Remediation plans

  • Business continuity management

Trust me – with my experience, I can tell you that HIPAA implementation is NOT a one-time implementation exercise. The processes would need to be constantly reviewed.


HIPAA is stringent. Having said that, it is also flexible enough that it can be implemented according to the size and nature of the entity. (Yeah! Context of the organization.) It is important to note that a HIPAA implementation for a cloud environment will be different from a hospital implementation.


HIPAA’s recommendations can seem exhaustive; however, in today’s threat landscape that thoroughness is exactly what gives us the firepower to protect sensitive data.


The cost of non-compliance is pretty steep! Trust me, it is very cost effective to be HIPAA compliant, and it does total justice to the ROI.
