What is HIPAA Compliance?

A Definition and Short Guide

What is HIPAA Compliance?

Understanding what HIPAA is isn’t new to anyone who works in medicine or is involved with health information. But turning HIPAA knowledge into compliance can be a difficult thing for most businesses due to its seeming complexity.


HIPAA compliance can refer to a wide range of systems and behaviors that medical facilities put in place to make sure they adhere to these regulations as a matter of practice.


This guide will help medical leaders and business professionals refresh their understanding of HIPAA, understand the importance of HIPAA compliance, as well as understand some of the specific tools, techniques, and strategies they can put in place to maintain a high level of compliance with the Department of Health and Human Services’ (HHS) regulations.

Understanding HIPAA

HIPAA, or the Health Insurance Portability and Accountability Act, is legislation signed into law that governs much of how patient data is transported and processed. HIPAA addresses a wide range of issues—but today, many medical professionals focus on two key areas:


  • The Security Rule. Before HIPAA, there was no general set of security standards in place for the healthcare industry, particularly as it related to private medical information. In the mid-1990s, the rise of electronic medical records meant that a standardized set of security rules needed to be put in place to ensure the protection of electronic health information. Many of the HIPAA rules pertaining to security focus on electronic security.
  • The Privacy Rule. Privacy is a major concern of HIPAA. Individuals have specific rights—such as the confidential nature of their information and the ability to request their medical history and expect that medical history in a timely manner. In turn, medical facilities need to have the infrastructure in place to make it possible to honor these requests.

Although HIPAA includes five separate titles, much of the focus of HIPAA compliance on a day-to-day basis centers on these two issues.


To understand what HIPAA compliance is, it’s important to understand both privacy and security requirements.

Which Information is Protected Under HIPAA?

PHI refers to “Protected Health Information,” which refers to any information that can be used to identify a patient. For electronic information, it’s known as ePHI. Both of this type of information is considered protected under HIPAA—it doesn’t matter if the information is on an electronic record or written down on paper.

And what does the information contain? 

Typically, it refers to identifying information such as names, addresses, social security numbers, medical records, and financial information. This is the information that any patient would want control over, especially when it comes to something as intimate as medical care.

Who Has to Focus on HIPAA Compliance?

It’s tempting to think that if your business doesn’t work in the field of medicine, that you don’t have to worry about HIPAA. But this is not the case.


You don’t have to be a medical provider for HIPAA regulations to extend to you. Billing companies, consultants, shredding companies, attorneys, accountants—all of them fall under the category of “Business Associates” who need to remain HIPAA compliant.


“Covered entities” under HIPAA rules refer to any organization that handles PHI in an electronic way. Healthcare providers and health insurance providers both fall under the category of “Covered entities.” However, they’re not the only organizations expected to live up to the standards of HIPAA compliance.

A Definition: What is HIPAA Compliance?

At its basic level, HIPAA compliance refers to the behaviors, habits, systems, and policies put in place by medical practitioners and executives to adhere to the regulations of HIPAA.


The Office for Civil Rights (OCR)—within the Department of Health and Human Services—handles enforcement of the Privacy and Security Rules for HIPAA. A failure to comply with this office can result in punishments such as monetary penalties and fines.

Compliance with HIPAA typically falls into one of the following categories:

  • Physical safeguards. Limiting the ability of people to physically access private health information is vital. Medical facilities need to be HIPAA compliant first when it comes to the security of their media, devices, and workstations.


  • Technical safeguards. Preventing unauthorized access of electronic Protected Health Information (ePHI) is vital. That means requiring unique IDs for users with access as well as other safeguards such as automatic logging off to prevent someone who is not authorized to view medical information to gain access to that information. Technical safeguards may also extend to tracking logs that keep tabs on all of the access gained to specific medical files through individual workstations.


  • Communication safeguards. Although it’s possible to introduce a tremendous amount of security through physical and technical safeguards, it’s important for medical professionals to remember that the communication of private health information can expose that information to weak points in the infrastructure. Safeguards should extend to the use of email, Internet browsing, and the way a private network interacts with its workstations.

This constitutes an overview, or a bird’s eye “checklist” of sorts, that answers that old question—what is HIPAA compliance?


But it’s important that medical facilities also understand the specific strategies and reasons why these safeguards should be in place.

Why Do Medical Facilities Need to Put Such Importance on HIPAA Compliance?

The rise of electronic systems used in the management and communication in patient data has necessitated a set of standards for how facilities handle confidential patient information.


What’s important to remember is that this applies to any professional setting in which medical information is stored, used, transmitted, or accessed. Because any such facility might fall under the purview of HIPAA law, it’s important not only to maintain the right level of awareness of HIPAA’s Privacy and Security rules, but to have the systems in place that make compliance possible in the first place.


Breaching or failing to remain compliant can lead to fines up to $100-$50,000 per incident up to $1.5 million for every security and privacy rule violation by the Office for Civil Rights (OCR).

Requirements for HIPAA Compliance Put in Place by the Department of Health and Human Services

HIPAA establishes a set of regulation standards that require hospitals, clinics, and other medical facilities to safeguard the way they access and transfer medical information. Many of these regulations come in the form of required safeguards such as:


  • Limited access. There need to be physical and technical safeguards in place for medical organizations, ensuring that only those authorized to search and use medical records are the duly authorized medical professionals who are using that information to treat their patients with the proper permission. One of the chief ways to protect patient privacy is by restricting access for anyone not authorized to view this information.


  • Restrictions for transferring electronic data. Electronic protected health information, or ePHI, is the focus here. Both privacy and security have to be respected when it comes to ePHI. That includes limited access as listed above—but also refers to having safeguards in place for the proper disposal and removal of this information when necessary.


  • Workstation policies. Given the need for medical professionals to access workstations—and how easy it is for multiple users to use one electronic workstation—professionals need to have a policy in place that regulate the use and access to these workstations and the electronic media that can be displayed on them.


  • Logging. Audit reports and tacking logs capable of recording both hardware and software activity are critical to maintaining security and understanding who might have access to a specific point of entry. These are also essential logs for maintaining adequate electronic security and evaluating weak points in the data infrastructure.


  • Tools for encryption. Sending messages beyond a server with a firewall may require encryption tools in place, although this is not always absolutely required in the list of technical safeguards. However, having the latest security tools in place should be a top priority for anyone in a medical leadership position.


  • Off-use management of PCs and other devices. A function that logs off personnel automatically after a period of inactivity is central to maintaining privacy and security beyond the point of use for workstations, PCs, and devices. It’s integral that any medical system responsible for data management and authorized personnel access can log off a session automatically to prevent unknowingly creating weak points in the structure.


These specific solutions should help individual organizations and facilities better understand the level of work that can go into HIPAA compliance. But the HIPAA compliance shouldn’t be a chore, either—it should be possible to boost HIPAA compliance by using the right strategies and tools.

How to Boost HIPAA Compliance

What is HIPAA compliance as it relates specifically to your organization? And what are the strategies organizations can use to ensure that they’re HIPAA compliant?


  • Run a risk assessment of your organization. Assessing the risk of data breaches, security breaches, and other problematic ways in which the confidential information you hold could be accessed by an authorized party is an essential first step in diagnosing the risk of HIPAA non-compliance.


  • Get a HIPAA certification. Companies offer HIPAA certification to help you ensure that you have all of the tools, strategies, and platforms in place to make HIPAA compliance nearly automatic. This helps reduce much of the guess-work that comes with handling compliance completely internally, helping boost your confidence that you have everything you need to remain HIPAA compliant for the long-term future.


  • Run an audit on your HIPAA compliance. Effective HIPAA certification often begins with an audit of the way your medical center or business handles its private medical data. It’s important to submit to an audit like this to help expose potential weak points in the process and get a full evaluation of where you stand. It’s far better to discover any shortcomings as you work to ensure your HIPAA compliance rather than wait for bad results later.

HIPAA Compliance

What is HIPAA compliance? At its core, it simply refers to the processes you undertake to stay within the confines of HIPAA.


The more you understand it, the more you’ll realize that it’s not a scary prospect to work on becoming HIPAA compliant.


Make sure that you work on your organization’s HIPAA compliance to prevent penalties and make every patient confident that you’re someone that they can trust.


For professional help on becoming HIPAA compliant visit our main website at HAOA.org

Find us on Facebook and Linkedin