
What Is HIPAA Compliance?

HIPAA is so hot right now. Everybody’s talking about it. And it seems like everybody’s an expert on it too. But don’t believe everything you’ve heard. Most of it is flat out wrong.

For instance, vaccine passports aren’t a HIPAA violation. Nor are mask mandates. HIPAA doesn’t cover free speech, either (that’s the First Amendment, y’all). And sorry Mrs. Lowe (of Tiger King fame), HIPAA does not cover lion cubs.


Today, we’re setting the record straight, with everything you need to know about HIPAA compliance—not to be confused with HIPPAA, HIPPA or HIPA, which aren’t real things. If your business needs to get compliant, this primer is a great place to start.


Okay, so What Is HIPAA Compliance?

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, oversees the privacy and security of sensitive health care information, although it didn’t quite start out that way.

The first thing you’ve probably noticed is that HIPAA doesn’t contain the word “Privacy”. Instead, that conspicuous “P” stands for “Portability”. “Portability” refers to one of the standard’s original aims, to ensure employees retain health insurance coverage when they switch jobs. The “accountability” portion of HIPAA refers to another one of its original aims, to create standards for the digitization of records and medical claims data.

As I’m sure you can imagine, back in ‘96, when HIPAA first entered the scene, digital privacy wasn’t exactly top of mind. It wasn’t until 2000 that HIPAA added the privacy rule. In 2003, it added the security rule. Finally, and this is the last rule we’ll be covering in this article (promise), the breach notification rule came into effect in 2009.

The second thing you’ve probably noticed is that HIPAA is a federal U.S. regulation, so it’s only applicable to entities operating in the United States. That said, depending on the jurisdiction you’re in, you may have other privacy regulations to consider (like Canada’s PIPEDA, for instance). It’s also worth noting that while HIPAA is a federal standard, some states have more stringent privacy rules for health information.


The Privacy Rule: What Are HIPAA-Covered Entities?

We talk to plenty of businesses. Many of them are wrongly under the impression that they have to be HIPAA compliant. There are four entities covered by the HIPAA privacy rule: health insurers, health care providers, health care clearinghouses and their business associates.

Health Care Insurers

HIPAA covers individual and group health care plans. These include employment- and church-sponsored plans as well as government and multiemployer plans. HIPAA only covers an insurer’s health care line of business.

Health Care Providers

Think your family physician, a hospital or your local pharmacy. HIPAA also covers dentists and chiropractors. 

Health Care Clearinghouses

These are the middlemen between health care providers and insurers.

Business Associates

These are the people or organizations that work on behalf of one of the covered entities above.

One noteworthy point: HIPAA only applies to the entities above if they process PHI (protected health information).


The Privacy Rule: What Is Protected Health Information?

Protected health information is any identifiable health information that a HIPAA-covered organization collects, uses or stores. There’s plenty of confusion about what constitutes protected health information, so let’s clear that up. Below, we’ve outlined all the identifiers of PHI.

  • Names
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Web URLs
  • IP addresses
  • Identifying photos
  • Biometric identifiers
  • Geographical data (e.g. addresses)
  • Dates, except year
  • Social security numbers
  • Vehicle identifiers (e.g. license plates)
  • Device identifiers
  • Any unique codes or numbers (e.g. account numbers, health plan beneficiary numbers, medical record numbers and license or certificate numbers)

By now, it should be pretty clear whether or not HIPAA applies to your business. If you operate in the U.S., are a covered entity or work on behalf of one, and you process PHI, then you absolutely must be HIPAA compliant.


The Security Rule: Administrative, Physical and Technical Safeguards

To be HIPAA compliant, covered entities need to implement specific security safeguards across three categories to protect the confidentiality, integrity and availability of electronic PHI.

Administrative Safeguards

Administrative safeguards include policies and procedures that protect a covered entity against a breach. These safeguards ensure that physical and technical protections are working. They cover everything from training to documentation processes.

Physical Safeguards

Physical safeguards include policies for physical access, locations of workstations and servers, among many others. Basically, these safeguards physically protect PHI.

Technical Safeguards

These safeguards focus on technology and reducing unauthorized access to electronic PHI. Typically, a covered entity will conduct a risk assessment to determine which policies are relevant to it.


The Breach Notification Rule: Notification Requirements

Under HIPAA’s breach notification rule, covered entities are required to notify affected individuals, the media (in some cases) and the Secretary of Health and Human Services if they experience a breach of PHI.

Individual Notice

Covered entities are required to notify affected individuals within 60 days of a breach of PHI by first-class mail or by email, if the individual has agreed to receive email. If the organization has outdated contact information for 10 or more affected individuals, it must post the notice on its website for at least 90 days or provide it in major print or broadcast media.

Media Notice

Covered entities that experience a breach impacting more than 500 individuals must provide notice to a major media outlet serving that jurisdiction within 60 days. 

Notice to the Secretary

Covered entities must notify the Secretary of breaches involving PHI. If 500 or more individuals were impacted, the covered entity must notify the Secretary within 60 days. If fewer than 500 individuals were impacted, the organization can notify the Secretary on an annual basis.


Who Enforces HIPAA?

As of 2009, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has been responsible for enforcing HIPAA.

The OCR enforces HIPAA in three ways:

  • By investigating HIPAA violation complaints that have been filed with it
  • By conducting compliance reviews of covered entities to ensure they’re compliant
  • By educating and providing outreach to covered entities and promoting compliance with HIPAA requirements

The OCR also publishes a wall of shame for breaches currently under investigation. Suffice it to say, this is definitely not a list you want to be on.


What Are the Penalties for a HIPAA Violation?

The penalties for HIPAA violations can be expensive—in more ways than one. 

The OCR can impose a fine on a covered organization for noncompliance. The cost depends on a number of factors, such as when the violation occurred, whether the organization should have known about its failure to comply, and whether it was caused by wilful neglect.

[Table: fines for organizations that violate HIPAA]

Beyond getting fined, covered entities that are noncompliant must also adopt a corrective action plan that brings procedures and policies up to HIPAA’s standards. This can have a massive impact on an organization’s productivity, which is why it’s so important to do things right the first time around. 

Finally, a HIPAA breach can damage your brand. Unfortunately, this isn’t easy to quantify, but that doesn’t mean you shouldn’t be concerned. Trust is foundational to the relationships businesses build with their customers. This is especially true in the healthcare industry. So protecting patients’ PHI should be among your top business objectives. Failing to do so will cost you.


Tugboat Logic + HIPAA Compliance

By now, you should have a high-level understanding of HIPAA and whether or not it applies to your organization. You should understand the regulation’s privacy rule, which outlines covered entities and the data they need to protect, as well as the security rule, which details the safeguards you need to have in place. If you have any questions about anything, feel free to get in touch with one of our HIPAA pros. 

At Tugboat Logic, we automate HIPAA compliance, reducing the level of effort required to get and stay compliant.