Published 2024-01-10 by TechNet Team
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting individually identifiable health information (protected health information, PHI) held by covered entities (providers, health plans, clearinghouses) and their business associates. Civil penalties for non-compliance are tiered by culpability: the statutory base amounts run from $100 to $50,000 per violation, with an annual cap of $1.5 million per type of violation. HHS adjusts these figures for inflation each year, so the amounts actually assessed today are higher than the base figures.
The Three HIPAA Rules
- Privacy Rule: Establishes standards for how covered entities and business associates may use and disclose PHI, in any form (paper, oral, electronic), and gives individuals rights over their records
- Security Rule: Requires administrative, physical and technical safeguards for PHI that is created, stored or transmitted electronically (ePHI)
- Breach Notification Rule: Requires notification of affected individuals and HHS (and of the media for breaches affecting more than 500 residents of a state) following a breach of unsecured PHI. PHI that was encrypted or destroyed according to HHS guidance is not "unsecured", so the loss of a properly encrypted device is generally not a reportable breach
Security Rule Safeguards
Administrative Safeguards
- Risk analysis and risk management
- Workforce training and security awareness
- Security policies and procedures
- Contingency planning
- Business Associate Agreements
Physical Safeguards
- Facility access controls
- Workstation security
- Device and media controls
Technical Safeguards
- Access controls and user authentication: unique user identification, emergency access procedures, automatic logoff, and verification that a person or system seeking access is who it claims to be
- Audit controls: mechanisms that record and allow review of activity in systems containing ePHI
- Integrity controls: mechanisms to detect improper alteration or destruction of ePHI
- Transmission security (encryption in transit). Note that encryption is an "addressable" specification, not an optional one: if it is reasonable and appropriate it must be implemented; if not, the reason must be documented and an equivalent alternative measure put in place
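The audit and integrity safeguards above are easiest to see together. The following is an added example, not code from the original page: an append-only ePHI access log in which each record carries an HMAC over the previous record's MAC plus its own fields, so that editing, reordering or deleting a record in the middle of the log is detectable on review. The signing key, the field names and the sample events are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical signing key for this example only. In a real deployment the key
# lives outside the log store (KMS/HSM) so that whoever can edit the log cannot
# also re-sign it.
AUDIT_KEY = b"example-audit-key-not-for-production"

# Fields every ePHI access record must carry (assumed field names).
REQUIRED_FIELDS = ("seq", "user_id", "action", "record_id", "timestamp")

GENESIS = "genesis"  # MAC value chained into the first record


def _mac(prev_mac: str, entry: dict) -> str:
    """HMAC over the previous record's MAC plus a canonical encoding of this one."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append_event(log: list, user_id: str, action: str, record_id: str,
                 timestamp: str = "") -> dict:
    """Append one access event, chaining it to the previous record."""
    entry = {
        "seq": len(log),
        "user_id": user_id,
        "action": action,          # e.g. VIEW, UPDATE, EXPORT
        "record_id": record_id,    # patient record identifier, not the PHI itself
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
    }
    prev = log[-1]["mac"] if log else GENESIS
    record = dict(entry, mac=_mac(prev, entry))
    log.append(record)
    return record


def verify_chain(log: list) -> tuple:
    """Return (True, None) if the chain is intact, else (False, index of first bad record).

    Detects edited fields, missing required fields, and records deleted or
    reordered in the middle of the log: the seq check or the MAC chain breaks there.
    """
    prev = GENESIS
    for i, record in enumerate(log):
        entry = {k: v for k, v in record.items() if k != "mac"}
        if any(f not in entry for f in REQUIRED_FIELDS) or entry["seq"] != i:
            return False, i
        if not hmac.compare_digest(_mac(prev, entry), record.get("mac", "")):
            return False, i
        prev = record["mac"]
    return True, None


def demo() -> dict:
    """Constructed sample log: three accesses, then two tampering attempts."""
    log = []
    append_event(log, "dr.smith", "VIEW", "MRN-0001", "2024-01-10T09:00:00Z")
    append_event(log, "nurse.jones", "UPDATE", "MRN-0001", "2024-01-10T09:05:00Z")
    append_event(log, "dr.smith", "EXPORT", "MRN-0002", "2024-01-10T09:10:00Z")

    edited = [dict(r) for r in log]
    edited[1]["user_id"] = "someone.else"   # rewrite who made the change

    deleted = [dict(r) for r in log]
    del deleted[1]                           # remove the UPDATE entirely

    return {
        "intact": verify_chain(log),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats for anyone adapting this: a chain like this cannot detect truncation of the tail (dropping the most recent records), so the latest MAC or record count should be anchored in a separate system, for example forwarded to a SIEM or written to write-once storage; and the log should reference patient records by identifier only, so that the audit trail itself does not become another store of ePHI.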
Required Documentation
- Security risk analysis (required, and must be reviewed and updated as the environment changes, for example after a new system, vendor or major incident; the rule sets no fixed interval, though an annual review is common practice)
- Written security policies and procedures
- Training records
- Business Associate Agreements
- Incident response procedures
- Audit logs and records of their review (the Security Rule's six-year retention requirement applies to required documentation such as policies, procedures, assessments and records of actions taken; it does not set an explicit retention period for audit logs, so most organizations apply the same six years by policy and document that choice)
Common Compliance Gaps
- No documented risk assessment
- Lack of full-disk encryption on portable devices (laptops, phones, USB drives), which turns a lost device into a reportable breach
- No BAAs with cloud vendors that store or process ePHI on the organization's behalf
- Inadequate access controls: shared or generic accounts, no role-based restriction of who can view which records, no automatic logoff
- Missing or incomplete audit logs, or logs that are collected but never reviewed
- Untrained workforce