What's HIPAA Compliance? Understanding Business Requirements

4 min read Michael Carroll on Jan 7, 2020

What is HIPAA Compliance?

The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, was passed in 1996 to protect patients' private, identifiable medical information. Signed by President Bill Clinton, the Act includes five sections or titles.

Title I protects individuals with pre-existing medical conditions from coverage denial by group health plans and provides the COBRA program for medical insurance coverage for those who no longer have a policy because of a job change or loss. Title II regulates the security of electronic health data and creates a standard procedure for this type of transaction. Title III includes general tax-related guidelines for health care. Title IV provides insurance coverage reform and Title V regulates insurance owned by businesses and provides coverage to those who have lost citizenship. Companies that handle private health data have a responsibility to ensure that this data remains protected.

What Information is Protected Under HIPAA?

The text of HIPAA refers to “individually identifiable health information”. This term encompasses any details about a person's physical or mental health status and treatments he or she has received for these conditions, as well as how the person has paid for care. This protected health information (or PHI) is summarized into


HIPAA limits how protected health information can be used and disclosed with and without patient authorization. If you store patient data in the cloud, you must implement

to ensure proper data protection. When patient data is available to individuals outside of a patient’s healthcare team, it constitutes a
. Under HIPAA, every individual has the right to obtain and request changes to his or her health records. Businesses must respond to record requests within 30 days and notify patients about how their data will be legally shared and used.

HIPAA Compliance Requirements for Businesses

Any business that handles protected health information must comply with the terms of HIPAA. These laws apply to businesses categorized as covered entities, including health care providers, health insurance plans, healthcare billing services and employers, and government agencies that enroll individuals in health plans. If you communicate with your patients digitally, you must ensure

. These standards also carry over any
that involves patient data.

Business associates must also adhere to HIPAA regulations. This category includes subcontractors and vendors who have PHI access, including but not limited to data storage and processing companies, medical equipment companies, consultants, transcription services, auditors, and accountants. Businesses that send or receive personal health data must ensure that their electronic systems comply with the regulations outlined by HIPAA. Use our

to see if your business adheres to basic HIPAA requirements.

Although a robust information security system that protects HIPAA-covered data can be quite costly, the fines for failing to meet these federal regulations are also expensive. Businesses are subject to:

  • $100 fine per instance of inadvertently violating HIPAA, up to an annual cap of $25,000
  • $1,000 per violation with reasonable cause, up to an annual cap of $100,000
  • $10,000 per violation in the presence of willful neglect up to an annual cap of $250,000 provided that the issue is corrected
  • $50,000 per violation for willful neglect with no correction, up to an annual cap of $1.5 million

If PHI is breached, the business responsible must notify the Department of Health and Human Services. It must disclose information about the nature of the breach, if PHI was viewed or obtained, and if the breach has been corrected.

How To Keep Your Messaging HIPAA-Compliant

If your company currently handles PHI, electronic communications must be limited to software with messaging encryption that meets minimum HIPAA guidelines. The law outlines certain

businesses must have in place to avoid compliance-related fines:

  • An access control system in which only users with unique usernames and passwords can access electronic PHI. This system must also feature a process for quickly deploying necessary PHI in case of a medical emergency.
  • Audit controls and activity logs. These features note when a user accesses or attempts to access the system and records what he or she does with available PHI data during the log-in session.
  • An authentication mechanism. This tool can determine whether anyone has tampered with electronic PHI.
  • Automatic log-off functionality. This feature sets a predefined time after which an inactive user has logged off the system.
  • Encryption and decryption tools. These tools consist of an internal firewall system that encrypts messages sent outside of the system. It makes them unreadable in transit and decodes secure messages when they enter the firewall system.

In addition to electronic safeguards, businesses should also use physical and administrative safeguards to shield PHI. Physical safeguards include systems to detect and thwart tampering and theft, controlled access to physical PHI storage locations, policies, and procedures for workstations and mobile devices that allow PHI access and dedicated hardware inventory for these machines.

Administrative safeguards create a company culture that prioritizes HIPAA compliance. These steps may include establishing a risk management policy, conducting regular risk assessments, training employees on best practices to protect electronic health data, developing and testing a contingency plan to correct PHI security errors, restricting third-party access to electronic systems, and promptly reporting all suspected PHI breaches.

Key Takeaways

If you're building for healthcare, you need to ensure you're building a
  • Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) has several provisions designed to ensure security for patients' identifiable health data, including but not limited to medical conditions, treatments, and identifiers such as name, Social Security number and birth date.
  • HIPAA covers oral, written, and electronic transmission and receipt of protected health information (PHI), including but not limited to in-person and phone conversations, emails, electronic health records, and paper medical charts and communications.
  • All businesses that come in contact with patient PHI must safeguard this information or risk significant fines for noncompliance.
  • All electronic PHI should be encrypted using industry-standard technology and in compliance with minimum HIPAA guidelines.
  • In addition to technological safeguards, businesses must also take physical and administrative steps to prevent the breach of patient PHI.