Health Insurance Portability and Accessibility Act (HIPAA) - What You Need to Know

Compliance
5 min read
James Mignacca
CEO
August 30, 2023

Health data like scans, test results, and treatment plans represent highly sensitive personally identifiable information (PII) that’s entrusted to hospitals, clinics, other care providers, and their respective service and business operations providers. Protected health information (PHI) is arguably the highest level of sensitive data, potentially leading to life-threatening circumstances if compromised or exploited.

What you need to know about HIPAA

Healthcare organizations have faced year-over-year increases in data breaches; the industry currently leads all industries in reported incidents in 2023. Just this year, HCA Healthcare disclosed a data breach compromising the data of more than 11 million patients that included patient names, contact information, birthdates, and patient engagement details like service dates, locations, and future appointment details. The breach now ranks as the biggest healthcare breach of all time.

The industry is highly targeted by ransomware gangs and suffers frequent instances of mishandled information; the 2023 Verizon Data Breach Investigations Report logged personal (67%), medical (54%), and credentials (36%) as the top data types compromised as a result of breach events.

Enter the Health Insurance Portability and Accessibility Act (HIPAA), one of the world’s most thorough regulatory compliance frameworks. It’s a federal US law, enacted in 1996 to introduce standards that protect sensitive patient health information from disclosure. Comparable regulations elsewhere include the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and the General Data Protection Regulation (GDPR) in Europe.

HIPAA enforcement is a serious matter

HIPAA has evolved over time to meet and mitigate the risks of digitization across healthcare organizations and the ever-evolving threat landscape. It has served as an example for other industry-based laws that have followed since its enactment, both in its guidance and in how it enforces against non-compliance and breach events.

Take for example iHealth Solutions, a healthcare coding and billing services vendor that this year paid a $75,000 fine related to a data exfiltration breach caused by unsecured patient information on network servers. Or Banner Health, a US-based non-profit health system that recently agreed to a $1.25 million civil monetary penalty with the Office of Civil Rights related to HIPAA violations following its 2016 data breach.

HIPAA compliance (and non-compliance) is a serious matter—if your organization handles US-citizen PII within the parameters of PHI and HIPAA requirements, your organization must comply with HIPAA data protection and data privacy measures.

HIPAA governs all sensitive patient data

HIPAA covers a series of data privacy and security standards designed to protect health information. It outlines procedures that healthcare providers, organizations, and associations must follow to ensure patient confidentiality and the security of protected health information (PHI).

At its core, HIPAA ensures that sensitive patient data is protected, no matter the medium in which it’s been shared (written, digital, or oral). Digitally, HIPAA data privacy and security measures guard patient information from potential breach events. HIPAA’s reach extends beyond traditional healthcare delivery organizations (hospitals and doctors’ offices) and requires any organization handling patient data to comply.

If healthcare organizations and their supply and partner organizations experience a breach event, compromised patient data can lead to life-impacting scenarios. That’s an extreme example, but a pointed one: HIPAA is a model that other industries can follow when handling sensitive personal data and mitigating the risk that comes through service extensions and supply chains.

PHI discovery supports HIPAA compliance

Having the ability to understand the data you have on your network (data discovery), and the types of data you’re accumulating (data classification) underpins HIPAA requirements and safeguards PHI. Simply put – if you don’t know what data you have, you can’t protect it.

Many companies believe that compliance is ticking a box on an audit form, yet in reality, achieving compliance means you need to be able to demonstrate how you tick the box. In other words, you must be able to define specific processes, tools, and measures you have in place to accomplish specific requirements.

Here's how data discovery and classification support HIPAA requirements:

| Data Discovery, Classification and Reporting Requirements | HIPAA Relevancy |
| :--- | :--- |
| **Limited Collection and Use** – limiting the collection, use, distribution, retention, disclosure, and creation of personal data beyond what is necessary. | Section: 164.506 |
| **Data Minimization** – minimizing the collection, use, distribution, retention, disclosure, and creation of personal data. | Sections: 164.502, 164.514 |
| **Data Lifecycle Management** – creating the processes and policies around the entirety of the data lifecycle, from creation and collection to storage and destruction. | Sections: 164.502, 164.504 |
| **Data Subject Rights** – providing individuals with appropriate access to their personal data. | Sections: 164.502, 164.522, 164.524 |
| **Inquiry Management** – maintaining the ability to receive and respond to privacy-related requests, complaints, concerns, or questions. | Section: 164.522 |
| **Updating Personal Data** – providing individuals with appropriate opportunity to correct or amend their personal data. | Section: 164.526 |

What you need to know about HIPAA compliance

Download the Guide to Data Discovery for Regulatory Compliance for data discovery, classification, and management insights you can apply within your organization to simplify and support HIPAA compliance.
