Expert IT Leadership Blogs

Rick Pollack, President and CEO of the American Hospital Association, wrote in a recent article: “The health care field continues to be a top target for cybercriminals. According to data from the Department of Health and Human Services (HHS), there has been an 84% increase in the number of data breaches against health care organizations from 2018-2021."

In today's digitally driven world, securing Protected Health Information (PHI) is of the utmost importance for healthcare organizations. To stay one step ahead of cybercriminals, IT security must remain the highest priority. As the usage of cloud and electronic systems accelerates, so does the risk of data breaches. 

HIPAA compliance can help healthcare organizations minimize the risk of data breaches and avoid expensive penalties and legal recourse.  Despite popular belief, many healthcare organizations lack the expertise to become HIPAA compliant. To overcome this challenge, healthcare organizations can seek help from an IT firm specializing in HIPAA compliance.

HIPAA Compliance Overview:

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations handling sensitive patient data to adhere to administrative, physical, and technical safeguards for compliance.

HIPAA Compliance is a requirement for:

• Covered Entities: Healthcare providers, including physicians, hospitals and clinics, long-term care centers, health insurance companies, HMOs, etc., are considered Covered Entities.
• Business Associates: Vast array of professionals, including CPAs, attorneys, consultants, etc., that access PHI in providing services to Covered Entities.

When Covered Entities fail to do their obligatory due diligence in verifying that Business Associates are adhering to HIPAA compliance, and a breach of PHI occurs as a result, the Covered Entities could be held legally liable.

Under HIPAA Omnibus Rule, Business Associates and their subcontractors and agents (including any third-party service providers) are directly liable for any violations of HIPAA violations.

HIPAA Compliance consists of (3) key components as follows:

1. Privacy Rule is designed to ensure that sensitive patient data remains private.


2. Security Rule is designed to protect sensitive patient data by requiring organizations to perform regular risk management assessments and implement the following safeguards.
• Administrative: Security Management, Security Personnel, Data Access Management, Workforce Training and Management and Evaluation.
• Physical: Facility access and Control, Workstation and Device Security, Device and Media Controls.
• Technical: Access Controls, Audit Controls, Integrity Controls, Transmission Security.
3. Breach Notification Rule requires organizations to notify patients in the event of any unauthorized access to their Protected Health Information (PHI).

To meet HIPAA compliance requirements, healthcare organizations must comply with Privacy, Security, and Breach Notification Rules.

Examples of Typical HIPAA Violations:

Neglect due to not having a qualified IT firm perform organization-wide periodical (at least once a year) risk assessment is often the primary cause of HIPAA violations. The Enforcement Rule allows the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to impose severe HIPAA penalties (up to $1.5M per violation per year) on non-compliant Covered Entities and Business Associates.  Here are just a few scenarios (not a comprehensive list) of HIPAA violations:

• Cybersecurity incidents where PHI is accessed/stolen.
• Unencrypted laptops or mobile devices containing PHI.
• Accessing PHI using unauthorized or unsecured devices/computers.
• Transmitting PHI using unencrypted methods (emails, texts, instant messaging, etc.)
• Storing PHI on unsecured devices (unencrypted computers, rooms, etc.)
• Lack of business continuity and disaster recovery plans to protect PHI.
• Lack of proper and recurring training for staff having access to PHI.
• Staff dishonestly accessing PHI, thus abusing the access privileges.
• Not having a proper policy on disposing of documents containing PHI.
• Not having a proper data breach notification policy (i.e., a system where all affected are notified of the breach within an acceptable time frame.)

Road to HIPAA Compliance:

To determine the best strategy for achieving HIPAA compliance, IT security firms typically ask healthcare organizations discovery questions, such as those outlined below.

• What are protective measures currently in place to guarantee the security of PHI when it is accessed, transmitted, and stored?
• What restrictions are in place to protect PHI from any unauthorized access?
• What tools are used for logging and monitoring access to PHI?
• What steps are taken to revoke access privileges of personnel who no longer require access to PHI?
• What authentication, password, account lockout and timeout policies are in place to protect access to PHI?
• What measures are in place to guarantee the security and privacy of PHI when transferring, removing, disposing of, and reusing media containing PHI?
• Which type of encryption is employed to ensure PHI's integrity and protect it from unauthorized access?
• How often are security procedures reassessed, fine-tuned, and upgraded to ensure that PHI is optimally protected?
• When was the organization's last mandated and recurrent compliance training session completed?
• What are the security measures currently in place to ensure the safety of confidential data and accounts of authorized personnel?
• What security protocols have been established to protect user terminals from unauthorized access when left idle for even a brief period?
• What audit or tracking tools are used to document hardware and software activities?
• What safeguards are in place to protect the integrity of access audit logs?
• What measures have been implemented to ensure that all PHI is intact and safe from alterations or destruction?
• What safeguards have been implemented to protect all PHI against potential errors or outages, enabling quick data recovery with no data loss?
• What safeguards are implemented to ensure that PHI remains secure and current with the latest federal and state HIPAA regulations?
• What system is being used to provide auditors with reports illustrating compliance with HIPAA requirements?
• What procedures are in place to effectively and efficiently respond to identified incidents?