Healthcare in the Age of Data
How to Comply with the HIPAA Security Rule

The HIPAA security rule requires healthcare practices and professionals to secure PHI (protected health information) from data breaches, deletions, and other problems. The law's requirements are demanding and they can be hard to wrap your head around. We'll do our best to make it easy.

To start with, there are three areas of HIPAA New browser window icon. compliance:

  • Administrative — measures to ensure patient data is correct and accessible to authorized parties.
  • Physical — measures to prevent physical theft and loss of devices containing electronic PHI.
  • Technical — technology-related measures to protect your networks and devices from data breaches and unauthorized access.

These three components represent nearly every supporting aspect of your business: your policies, record keeping, technology, and building safety. In this sense, HIPAA requires that all your employees be on the same page and working together to protect patient data.

Let's look at each of these areas and what you'll need to achieve HIPAA compliancy.

Administrative Requirements in HIPAA Laws

Administrative Requirements in HIPAA Laws

In order for your healthcare business's administrative procedures to be HIPAA compliant, you'll have to…

  • Formalize your privacy procedures in a written document.
  • Designate a privacy officer to oversee data security and HIPAA compliance.
  • Identify which employees have access to ePHI.
  • Develop a training program for employees to learn your privacy policy and how it applies to their job.
  • Require all outside contractors / business associates who need access to private data to follow HIPAA security standards and sign a business associates agreement that outlines these security requirements (for more information, see "Making Sure Your Contractors Meet HIPAA and HITECH Security Requirements").
  • Backup data and have an emergency plan that takes into consideration fires, flood, and other disasters that could cause data loss.
  • Perform a risk assessment / internal audit (usually yearly) to determine your organization's security risk.
  • Create a data breach response plan that includes how to contact customers, minimize data loss, and fix IT.
Physical Security for HIPAA Requirements

Physical Security for HIPAA Requirements

The most common cause of a HIPAA data breach is actually a lost or stolen laptop, computer, hard drive, or other device. According to Redspin [PDF] New browser window icon., this accounts for nearly 35 percent of breaches. So it's no surprise that HIPAA also requires strong physical security at your office.

To meet HIPAA's physical security requirements, you'll need to…

  • Limit physical access to computers — keeping them behind counters, locked to desks, or secured in other ways.
  • Restrict access to secure areas, monitor building safety, and require visitors to sign in.
  • Keep workstations out of public view and shield screens from passersby.
  • Exercise caution and follow best practices when removing or throwing away hardware and software (e.g., wipe hard drives before disposing of them).
  • Train employees and contractors on physical safety best practices.
Technical and IT Requirements for HIPAA Privacy Laws

Technical and IT Requirements for HIPAA Privacy Laws

Perhaps the most difficult aspects of HIPAA are the ones related to technology. Why are they so complicated? For starters, medical personnel aren't experts in computer science. When you're unfamiliar with IT, it can be tough to understand software and security requirements.

Even experts in IT have problems because technology is always changing and there are always new threats to network security.

Here's what you'll need to do to make sure your technology is HIPAA compliant:

  • Encrypt files you send via email or upload onto a cloud. Some web services like Gmail already offer encryption. For a practical look at Google's HIPAA compliant services, read this analysis on TechTarget New browser window icon..
  • Protect your network from outside attacks (hackers, malware, etc.) using security software and encryption.
  • Protect your data from accidental deletions and changes.
  • Authenticate data transfers to another party by requiring a password, two or three-way handshake, token, or callback.
  • Prevent mistakes in data entry by using double-keying, check sum, and other redundancy techniques.
  • Keep up-to-date documentation of technology and network configurations and HIPAA practices.
Why Does HIPAA Security Have 3 Components?

Why Does HIPAA Security Have 3 Components?

After looking at the administrative, technical, and physical requirements of HIPAA security, you might be a little overwhelmed. It's a lot of information to take in. That's okay. In fact, it's the right response.

HIPAA compliance is too big of a responsibility for one person to handle. In reality, HIPAA security is an organization-wide issue. Every employee at your practice will have to know and understand their role in securing PHI.

It also means that you'll probably turn to outside HIPAA consultants, IT contractors, and outsourced web services to help your organization meet these standards. While this common healthcare business practice simplifies your life, remember that outsourcing your HIPAA technology doesn't get rid of your legal responsibilities. You're always required to stay on top of changes in HIPAA recommendations, upgrade old technology, and adopt better practices to improve PHI security.

Customer Rating 4.9 out of 5
Read Customer Reviews

Grab-n-Go Information

Free eBook
HIPAA, Social Media, and Technology: A Guide for Mental Health Professionals
Browse eBook
Sample certificates
See a sample Certificate of Liability Insurance, the proof of coverage you need for most contracts.
View Sample
Sample Quotes & Cost Estimates
See what insurance really costs: actual quotes by policy & specialty.
Get Estimates
Ask A Question
Submit your questions about small business insurance and get answers from our experts.
Read Answers