Health data like scans, test results, and treatment plans represent highly sensitive personally identifiable information (PII) that’s entrusted to hospitals, clinics, other care providers, and their respective service and business operations providers. Protected health information (PHI) is arguably the highest level of sensitive data, potentially leading to life-threatening circumstances if compromised or exploited.
Data breaches affect healthcare more than any other industry
Healthcare organizations have faced year-over-year increases in data breaches, and in 2023 the industry leads all others in reported incidents. Just this year, HCA Healthcare disclosed a data breach compromising the data of more than 11 million patients, including patient names, contact information, birthdates, and patient engagement details such as service dates, locations, and future appointment details. The breach now ranks as the biggest healthcare breach of all time.
The industry is heavily targeted by ransomware gangs and suffers frequent instances of mishandled information; the 2023 Verizon Data Breach Investigations Report logged personal data (67%), medical data (54%), and credentials (36%) as the top data types compromised in breach events.
Enter the Health Insurance Portability and Accountability Act (HIPAA), one of the world’s most thorough regulatory compliance frameworks. It’s a federal US law, enacted in 1996, that introduced standards to protect sensitive patient health information from disclosure. Comparable regulations elsewhere include the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and the General Data Protection Regulation (GDPR) in Europe.
HIPAA enforcement is a serious matter
HIPAA has evolved over time to address the risks of digitization across healthcare organizations and the ever-evolving threat landscape. It has served as a model for other industry-specific laws enacted since, both in its guidance and in how it enforces non-compliance and breach events.
Take, for example, iHealth Solutions, a healthcare coding and billing services vendor that this year paid a $75,000 fine related to a data exfiltration breach caused by unsecured patient information on network servers. Or Banner Health, a US-based non-profit health system that recently agreed to a $1.25 million civil monetary penalty with the Office for Civil Rights related to HIPAA violations following its 2016 data breach.
HIPAA compliance (and non-compliance) is a serious matter: if your organization handles PII of US persons that falls within the definition of PHI and the scope of HIPAA, it must comply with HIPAA’s data protection and data privacy requirements.