What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, requires the Secretary of the U.S. Department of Health and Human Services (HHS) to protect privacy and security of certain health information. Prior to 1996, no security standards or general requirements for protecting health information existed in the healthcare industry.

HIPAA identifies 18 categories of individual health information that can be used to identify a patient. To comply with this Act, HHS created the HIPAA Security Rule and the HIPAA Privacy Rule.

The HIPAA Security Rule

The HIPAA Security Rule, formally titled the Security Standards for the Protection of Electronic Protected Health Information, contains the standards that must be applied to safeguard electronic Protected Health Information (ePHI) both at rest and in transit. It applies to any person or system that has access to confidential patient data. There are three parts to the HIPAA Security Rule:

1. Technical safeguards.

These concern the technology used to protect ePHI and to control access to the data. ePHI must be encrypted to NIST standards once it travels beyond an organization’s internal firewalled servers. The technical safeguards include:

  • Implement a means of access control
  • Introduce a mechanism to authenticate ePHI
  • Implement tools for encryption and decryption
  • Introduce activity logs and audit controls
  • Facilitate automatic log-off of PCs and devices
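The following is an added illustration, not code from the original page or from H2L Solutions, showing how four of the technical safeguards above (role-based access control, a mechanism to authenticate ePHI, an append-only audit trail, and automatic log-off of idle sessions) fit together in one small ePHI access layer. The user roster, role-to-field policy, idle timeout and demo key are constructed, hypothetical values; integrity is demonstrated with HMAC-SHA256, and encryption of the stored record (which the Rule also expects, using a NIST-approved cipher such as AES-GCM from a vetted library) is deliberately left out to keep the example to the Python standard library.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo values. A real deployment would pull the key from a KMS/HSM
# and the roster and field policy from its identity provider / policy store.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
IDLE_TIMEOUT_S = 600  # assumed policy: automatic log-off after 10 idle minutes
ROLES = {"dr_lee": "clinician", "kim_billing": "billing"}  # hypothetical users
# Minimum-necessary access: which record fields each role may see (hypothetical).
ROLE_FIELDS = {
    "clinician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
}


def seal(record: dict) -> dict:
    """Wrap an ePHI record with an HMAC-SHA256 tag so readers can authenticate it."""
    payload = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(sealed: dict) -> bool:
    """Recompute the tag in constant time; False means the record was altered."""
    payload = json.dumps(sealed["data"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


@dataclass
class Session:
    user: str
    last_activity: float  # seconds; the caller supplies the clock


class EphiStore:
    """Toy ePHI store: access control, integrity check, audit trail, auto log-off."""

    def __init__(self) -> None:
        self.records: dict[str, dict] = {}
        self.sessions: dict[str, Session] = {}
        self.audit_log: list[dict] = []  # append-only; never edited or truncated

    def _audit(self, event: str, user: str, patient_id, now: float, **extra) -> None:
        self.audit_log.append(
            {"t": now, "event": event, "user": user, "patient": patient_id, **extra}
        )

    def store(self, patient_id: str, record: dict) -> None:
        self.records[patient_id] = seal(record)

    def login(self, user: str, now: float) -> None:
        self.sessions[user] = Session(user, now)
        self._audit("LOGIN", user, None, now)

    def read(self, user: str, patient_id: str, now: float) -> dict | None:
        """Return only the fields the user's role may see, or None when denied.

        Every outcome, allowed or denied, leaves an audit event behind.
        """
        session = self.sessions.get(user)
        if session is None:
            self._audit("DENY_NO_SESSION", user, patient_id, now)
            return None
        if now - session.last_activity > IDLE_TIMEOUT_S:
            del self.sessions[user]  # automatic log-off of an idle session
            self._audit("AUTO_LOGOFF", user, patient_id, now)
            return None
        session.last_activity = now
        allowed = ROLE_FIELDS.get(ROLES.get(user, ""), set())
        if not allowed:
            self._audit("DENY_NO_ROLE", user, patient_id, now)
            return None
        sealed = self.records.get(patient_id)
        if sealed is None:
            self._audit("DENY_NOT_FOUND", user, patient_id, now)
            return None
        if not verify(sealed):
            # The stored record no longer matches its tag: refuse to serve it.
            self._audit("INTEGRITY_FAILURE", user, patient_id, now)
            return None
        view = {k: v for k, v in sealed["data"].items() if k in allowed}
        self._audit("READ", user, patient_id, now, fields=sorted(view))
        return view
```

The order of the checks is the point worth copying: the session and idle-timeout checks run before any role lookup, the integrity check runs before any data is returned, and a denied request is logged just as a successful one is, so the audit trail can answer "who tried to see what, and when" rather than only "who succeeded".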

2. Physical safeguards

These focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers located on the premises of the HIPAA covered entity. A covered entity is a health care provider, health plan, or health care clearinghouse that creates, maintains, or transmits Protected Health Information.

  • Facility access controls must be implemented
  • Policies for the use/positioning of workstations
  • Policies and procedures for mobile devices
  • Inventory of hardware

3. Administrative safeguards

These are the policies and procedures which bring the Privacy Rule and the Security Rule together. These are the pivotal elements of a HIPAA compliance checklist and require that a security officer and a privacy officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.

  • Conducting risk assessments
  • Introducing a risk management policy
  • Training employees in security awareness
  • Developing a contingency plan
  • Testing the contingency plan
  • Restricting third-party access
  • Reporting security incidents

The HIPAA Privacy Rule

The Privacy Rule, known as Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. It governs how ePHI can be used and disclosed and applies to all healthcare organizations, providers of health plans, health care clearinghouses, and business associates of covered entities.

This rule requires that appropriate safeguards be implemented to protect the privacy of Protected Health Information (PHI). It also sets limits and conditions on the use and disclosure of that information without patient authorization. The rule also gives patients, or their nominated representatives, rights over their health information, including the right to obtain a copy of their health records and the ability to request corrections if necessary.

The Office for Civil Rights is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties. Failure to comply with HIPAA regulations typically results in substantial fines.

How to Comply

HIPAA Compliance Checklists

To help organizations comply with these rules, there is a HIPAA compliance checklist that can be followed. The requirements of HIPAA are broad so that they can be applied to all organizations that come into contact with protected health information.

Seek Guidance from Experts

To ensure you cover all elements on your HIPAA compliance checklist and leave no stone unturned, it is worthwhile to seek expert guidance from HIPAA compliance experts. Many firms offer HIPAA compliance software to guide you through your HIPAA compliance checklist, ensure ongoing compliance with HIPAA Rules, and provide you with HIPAA certification.

Any covered entity or business associate that interacts with healthcare information falls under the jurisdiction of HIPAA and must meet the requirements set forth by the HIPAA compliance checklist. The good news for doctors, dentists, and health care providers is that document management providers are able to ensure they remain compliant with HIPAA.

External IT Services

External IT services can provide managed services that integrate the necessary components of HIPAA compliance into the structure and systems of an office. This decreases the chance of a data leak or security breach occurring in some overlooked corner of document security. Nurses, doctors, health care professionals, and all others in the medical field have enough to worry about.

By placing document-security concerns in the hands of experienced professionals, healthcare offices are able to have a HIPAA compliant infrastructure that is able to meet the needs of the team and clients.

2018 Updates to HIPAA

In March of 2018, the HHS Office for Civil Rights discussed potential future changes to HIPAA regulations to include:

  1. Restitution payments to individuals whose PHI had been disclosed in a breach of HIPAA.
  2. Removal of the requirement to store forms acknowledging receipt of Privacy Notices.
  3. Clarification of what are considered “good faith” disclosures when a patient is incapacitated.

The Office for Civil Rights will seek feedback from covered entities by publishing changes on its website and inviting comments. General trends for HIPAA compliance include more business associates paying attention to HIPAA Privacy and Security Rules.


H2L Solutions implements, tests, administers, and sustains cybersecurity solutions. We have a staff of information security professionals skilled in the development and management of cybersecurity programs. Our professionals assist our clients with multiple layers of information assurance and cybersecurity requirements.