
How Do Data Security and HIPAA Work?


HIPAA refers to the Health Insurance Portability and Accountability Act, which became federal law in the United States in 1996. It laid the foundation for national standards that protect sensitive patient information. Today, health care providers cannot disclose such information without the patient’s knowledge or consent. The essence of this law is to provide much-needed data security and privacy.

This article delves into the practical details of data security and HIPAA. It evaluates the purpose of such laws, their primary components, and other details such as compliance. Is HIPAA compliance a necessity? This article answers that question and many more. Since we’re in the age of mobile devices, we’ll also examine how HIPAA relates to mobile data security and privacy.

What is the purpose of HIPAA?

In legal circles, HIPAA also goes by the name Public Law 104-191. Its drafters created it primarily for two purposes, though it serves others as well.

Mainly, it ensures that workers have access to continuous health insurance coverage, so they need not worry about losing or changing their current jobs.

Secondly, HIPAA seeks to reduce the cost of healthcare. On average, Americans spend close to $4.1 trillion each year on medical care. Individually, this translates to around $12,530 per person, according to the latest statistics from the Centers for Medicare and Medicaid Services (CMS). Through HIPAA, the fees and bills Americans face when seeking medical care could fall through the standardization of electronic data transmission.

Most importantly, HIPAA makes patient health information secure and confidential. In the past, patients had no control over their information and could not stop medical practitioners from broadcasting their data freely. That has now changed thanks to the power and protection HIPAA has accorded to patients.

HIPAA’s other purposes include combating the abuse of patients’ personal health records and abuse in health insurance. False pretenses can be detrimental in the healthcare sector, especially when they prevent patients from accessing quality services.

HIPAA reduces fraud and waste in the delivery of healthcare services. It also reduces these twin problems in healthcare insurance while enabling patients to access long-term healthcare services and insurance. HIPAA also addresses security risks such as cyberattacks and improves access to health insurance.

What are the main components of HIPAA?

HIPAA has five sections, components, or titles. These are as follows:

  1. HIPAA Health Insurance Reform

HIPAA’s first component is health insurance reform. Specifically, it deals with the protection that workers with health insurance coverage need in case of job loss. Such individuals also need protection when they change jobs. Through this component, such workers can look forward to accessing group health plans. Ordinarily, group health plans would not cover individuals with preexisting conditions or specific diseases.

  2. HIPAA Administrative Simplification

This second component is directed at the United States Department of Health and Human Services, otherwise known as HHS. It requires HHS to create national standards for electronic healthcare transactions. Additionally, health care organizations have to adhere to HIPAA rules by implementing secure electronic access to health data. They must also comply with HHS-set privacy regulations and ensure the security of patient data.

HIPAA aims to reduce health care costs by standardizing the electronic handling of financial and administrative transactions.

  3. HIPAA Tax-Related Health Provisions

HIPAA has specific provisions for medical insurance deductions. It has a set of defined guidelines for access to and provision of health care services. Additionally, the federal act has made many adjustments to health insurance law. Consequently, a limited number of self-employed individuals and small businesses contribute towards tax-advantaged medical savings accounts (MSAs).

  4. Application and Enforcement of Group Health Plan Requirements

This component covers areas such as the portability of group health plans. It also covers the access and renewability requirements for group health insurance plans. Any business or entity that fails to meet specific requirements for a group health plan has to pay penalties. The government, through HIPAA, has set out the penalties that such failures warrant.

  5. Revenue Offsets

The revenue offsets component covers the amendment to the 1986 code. It has three specific subtitles. The first subtitle handles company-owned life insurance, while the second deals with individuals who lose their US citizenship. It also touches on the tax compliance of residents and US citizens living abroad.

What is HIPAA Compliance?

In simple terms, HIPAA compliance is all about companies following specific processes for protecting and securing Protected Health Information (PHI). HIPAA seeks to protect PHI, which is our health care data. Anyone the law refers to as a covered entity must comply with the HIPAA requirements. A covered entity includes any health care provider who has access to health data. They include but are not limited to the following:

  1. Doctors

  2. Nurses

  3. Insurance companies

  4. Nursing homes

  5. Chiropractors

  6. Mental health providers

  7. Pharmacies

Compliance can be problematic among healthcare organizations that lack the requisite processes, network, and physical infrastructure. They must have these measures in place and follow them to the letter. Federal law has defined the boundaries that must be followed. In this regard, it’s worth mentioning that HHS regulates HIPAA compliance while the Office for Civil Rights (OCR) enforces it.

Do you need to satisfy any requirements for HIPAA compliance? Yes, and these include:

  1. Self-audits

  2. Remediation plans

  3. Policies, procedures, and training of employees

  4. Proper documentation

  5. Incident management

  6. Business associate management

The Need for HIPAA Compliance

Organizations have to be HIPAA compliant for a variety of reasons. Specifically, the benefits they stand to derive from being compliant far outweigh any reservations they might harbor about this federal law. Compliance is good for business. It’s also good for one’s peace of mind and offers solid protection against several kinds of losses. The full range of benefits one should expect from compliance includes:

  1. Protection of Protected Health Information (PHI)

  2. Increasing awareness of the well-being of patients

  3. Development of a culture that focuses on and prioritizes patient safety

  4. Making patients and their families happier

  5. Reduced liability for healthcare organizations and their executives

  6. Virtual health care providers enjoy increased protection

HIPAA also plays a critical role in the affairs of healthcare organizations. For starters, it keeps the administrative functions of these healthcare organizations running smoothly. Other than that, it has made the entire healthcare industry more efficient. Above all, the regulations ensure that nothing compromises PHI. Instead, only authorized persons can securely access and share such information, thus protecting the patients.

Patients are the biggest beneficiaries of these HIPAA benefits, though. For example, the law now requires covered entities to put several safeguards in place to protect patients’ personal and health data. While it is true that health organizations protect their patients, HIPAA places a legal burden on their shoulders to do just that. Without this legal burden, they would not feel compelled to protect their patients’ sensitive information.

It’s worth mentioning that HIPAA isn’t voluntary. Federal law requires all affected persons and organizations to comply with this regulation. Otherwise, they face the real threat of huge penalties and fines. The government has often come down hard on organizations and individuals that ignore or partially neglect HIPAA requirements.

The HIPAA Privacy and HIPAA Security Rules

The HIPAA Privacy Rule has a simple objective: protecting patient data and PHI. In the US, HHS issued this privacy rule with the sole aim of limiting how the relevant organizations and individuals use and disclose sensitive PHI. Essentially, there isn’t much difference between the HIPAA Privacy Rule and the HIPAA Security Rule. After all, they both aim to protect patients and reduce liability for service providers.

The only slight difference is that the HIPAA Security Rule has established a national set of standards for protecting specific health information. It makes the protections defined under the HIPAA Privacy Rule operational. It does this by addressing all the safeguards that covered entities have to put in place to protect and secure each patient’s PHI. The Security Rule applies to PHI held in electronic form.

During the pre-HIPAA days, such technical safeguards and protections were nonexistent. The few general requirements and security standards were not universally acknowledged. Consequently, patients could not enjoy the kind of protection they do these days. These rules have become more crucial since the healthcare sector transitioned from paper to electronic information systems.

Mobile Data Security and HIPAA Compliance

Mobile devices now present a new challenge to organizations that must comply with HIPAA and its privacy and security rules. They carry a considerable risk of a data breach, especially when they fall into the wrong hands. For this reason, organizations need to be more proactive in guaranteeing and enforcing mobile data security to comply with HIPAA regulations.

Health care providers – and the different players in that sector – have all embraced the mobile technology revolution. Smartphones, tablets, and many portable devices are standard features in most hospitals. In such circumstances, it becomes more important for covered entities to do more to avoid HIPAA violations, whose penalties can drive them out of business.

HIPAA and Mobile Devices and the Healthcare Industry

It is common knowledge that players in the healthcare sector rely on mobile computing devices more than ever before. Such devices include personal digital assistants (PDAs), tablets, laptops, and smartphones, to mention a few. The healthcare sector invests in different mobile technologies that include hospital information systems (HISs), electronic medical records (EMRs), electronic health records (EHRs), and clinical decision support systems (CDSSs), among others.

The good news is that, while there are valid reasons for worrying about violations via mobile devices and technology, their security keeps improving. HIPAA has regulations that touch on the use of any kind of electronic device. Portable devices feature on its list of regulations on protecting patients’ information. Mobile devices have state-of-the-art security, but the potential for violations is real.

Remember, mobile devices aren’t as secure as healthcare professionals would like the world to believe. If anything, computers are safer than these devices. Antivirus software, firewalls, and encryption all work together to make computers safe at the workplace. The same tools are not available for mobile devices. Other threats that make mobile devices a risky affair include:

  1. Lack of authentication

  2. Mobile malware

  3. Unsecured Wi-Fi networks

  4. Outdated operating systems

  5. Accidental disclosure of data by sharing the devices with loved ones

Mobile Devices are a Potential Minefield of HIPAA Violations

The best way to deal with the risk mobile devices present is to examine where they create the potential for HIPAA violations. Accidental unauthorized exposure of PHI is a regular occurrence in the healthcare sector, primarily because of the increased use of and reliance on mobile devices. Adequate controls are necessary to ensure that nobody compromises or exposes the electronic PHI on these devices.

Health care providers must:

  1. Enable and use longer, more secure passcodes

  2. Desist from using mobile devices on public Wi-Fi

  3. Ascertain that every app and operating system on the mobile device is up to date

  4. Implement mobile encryption

  5. Train and retrain all personnel

  6. Ensure personnel adhere to all essential mobile security practices

  7. Do more to prevent theft and loss of the devices

  8. Thoroughly assess and address mobile data security risks

Remember, HIPAA requires covered entities to allow only authorized persons to access PHI.

HIPAA Compliance with Google Workspace and Cloud Identity

Google Workspace and Cloud Identity offer users a platform to exercise HIPAA compliance. Google has gone out of its way to ensure that Workspace, one of its most popular products, doesn’t compromise customers’ data. Workspace is full of different features that make it popular with users worldwide. Some of its features include:

  1. Gmail

  2. Calendar

  3. Google Meet

  4. Cloud File Storage

To put your mind at ease, Workspace and Cloud Identity are HIPAA compliant. However, anyone who wishes to use them must first sign the Business Associate Agreement with Google. This agreement is required for any individual, organization, or healthcare provider who wishes to use Workspace or Cloud Identity with Protected Health Information (PHI).

Physical security requirements

HIPAA is not just confined to the electronic world. It also requires putting physical safeguards in place. Such safeguards include physical measures, procedures, and policies enacted to protect electronic information systems that store PHI. Physically, covered entities must secure their buildings and equipment to prevent data loss to unauthorized persons.

Technical Security Requirements

HIPAA has placed plenty of responsibility on covered entities. It requires them to adhere to technical security requirements too. For example, audit and access controls are the basic requirements. Under access control, the entities have to implement technical procedures and policies for all PHI. The hardware and software that keep information systems running must undergo regular auditing too.
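The two technical safeguards named above, access control and audit, are easiest to understand in code. The following is an added example written for this article, not HIPAA guidance or any vendor’s product: a small in-memory PHI store where every read or write passes through a single gate that checks a role model and writes an append-only audit entry whether the attempt was allowed or denied. The roles, field lists, user names and patient record are constructed for illustration.

```python
"""Added example: role-based access gate plus append-only audit trail for PHI records."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role model (illustrative names): the actions each role may perform
# and the fields that action exposes. Each role sees only the fields it needs.
ROLE_ACTIONS = {
    "physician": {"read": ("patient_id", "clinical_notes", "billing_code"),
                  "write": ("clinical_notes",)},
    "nurse": {"read": ("patient_id", "clinical_notes")},
    "billing": {"read": ("patient_id", "billing_code")},
}


@dataclass
class PhiRecord:
    patient_id: str
    clinical_notes: str
    billing_code: str


@dataclass
class AuditLog:
    """Append-only trail: every access attempt, allowed or denied, is recorded."""
    entries: list = field(default_factory=list)

    def record(self, user, role, action, patient_id, allowed, reason=""):
        entry = {
            "seq": len(self.entries) + 1,          # gaps in seq would reveal tampering
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "patient_id": patient_id, "allowed": allowed, "reason": reason,
        }
        self.entries.append(entry)
        return entry

    def denied(self):
        return [e for e in self.entries if not e["allowed"]]

    def for_patient(self, patient_id):
        """Everything that touched one patient's record, for a disclosure accounting."""
        return [e for e in self.entries if e["patient_id"] == patient_id]


class PhiStore:
    """PHI records reachable only through access(), which enforces the role model."""

    def __init__(self, audit: AuditLog):
        self._records = {}
        self._audit = audit

    def add(self, record: PhiRecord):
        self._records[record.patient_id] = record

    def access(self, user, role, action, patient_id, new_notes=None):
        allowed_fields = ROLE_ACTIONS.get(role, {}).get(action)
        if allowed_fields is None:
            # Denials are logged too: they are the signal a reviewer looks for.
            self._audit.record(user, role, action, patient_id, False, "role not permitted")
            raise PermissionError(f"{role} may not {action} PHI")
        record = self._records.get(patient_id)
        if record is None:
            self._audit.record(user, role, action, patient_id, False, "no such record")
            raise KeyError(patient_id)
        if action == "write":
            if new_notes is None:
                raise ValueError("write requires new_notes")
            record.clinical_notes = new_notes
        self._audit.record(user, role, action, patient_id, True)
        # Return only the fields this role is entitled to see.
        return {f: getattr(record, f) for f in allowed_fields}


def run_demo():
    """Exercise the gate with constructed users and one constructed patient record."""
    audit = AuditLog()
    store = PhiStore(audit)
    store.add(PhiRecord("p-001", "asthma follow-up", "J45.909"))  # constructed sample
    results = {}
    results["physician"] = store.access("dr_lee", "physician", "read", "p-001")
    results["billing"] = store.access("acct_kim", "billing", "read", "p-001")
    try:
        store.access("rn_cho", "nurse", "write", "p-001", new_notes="edited")
        results["nurse_write"] = "allowed"
    except PermissionError:
        results["nurse_write"] = "denied"
    return results, audit


if __name__ == "__main__":
    outcome, trail = run_demo()
    print(outcome)
    for entry in trail.entries:
        print(entry)
```

The design choice worth noting is that the audit log exposes no delete or edit operation and numbers its entries, so a reviewer auditing the system can both reconstruct who touched a patient’s record and notice if entries went missing; in production the trail would be written to storage the application cannot modify.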

Determine if the Privacy Rule Affects You

Are you what the law refers to as a covered entity? In that case, the HIPAA Privacy Rule affects you directly. The law has no direct bearing on anyone who is a non-covered entity. Nevertheless, as long as you need services from any covered entity or healthcare provider, HIPAA and its attendant regulations apply to you. For this reason, you need to learn as much as you can about it.

Am I subject to GDPR?

The General Data Protection Regulation (GDPR) is a regulation the European Union (EU) created to guarantee and advocate for consumer data protection. GDPR sets the standards that individuals and organizations must observe when collecting, storing, or using data. This law defines the digital rights of any EU citizen. Therefore, everyone is subject to GDPR laws and standards even when in the US, where HIPAA rules apply.

What are the key differences between GDPR and HIPAA?

GDPR refers to a set of European Union (EU) laws that have been in force since May 25, 2018. It primarily handles personally identifiable information (PII). On the other hand, HIPAA is a piece of legislation in the United States that deals with Protected Health Information (PHI). Whereas GDPR protects the digital rights of EU citizens, HIPAA focuses on organizations (business associates and covered entities).

Key differences between GDPR and HIPAA are in the following areas:

  1. HIPAA allows a bit of disclosure of PHI without the patient’s consent, but only for treatment and healthcare operations. GDPR requires consent from the EU citizen at all times.

  2. Under GDPR, the EU citizen has the Right to be Forgotten. HIPAA does not accord data subjects such rights.

  3. In case of data breaches affecting over 500 individuals, HIPAA requires covered entities to notify HHS’ Office for Civil Rights (OCR). GDPR offers a window of 72 hours for reporting any data breach.

Data breaches

Data breaches are always a huge concern when talking about electronic information systems. Systems governed by HIPAA and GDPR are both prone to data breaches simply because no system is 100 percent foolproof. Nevertheless, the concerned parties are doing their best to keep data breaches to a minimum. That way, they avoid parting with huge sums of money in penalties and fines. In some cases, they could lose their licenses or face court cases.

How can I become GDPR compliant?

Being GDPR compliant is all about making the privacy and security of your patients’ information your priority. For this reason, follow these steps to comply with GDPR regulations:

a) Appoint a data protection officer

b) Conduct data assessments regularly

c) Implement measures for identifying and reporting data breaches fast

d) Establish privacy by design

Meeting Stringent HIPAA Regulations

Undoubtedly, HIPAA regulations are not a walk in the park. They are stringent and place many responsibilities on the shoulders of covered entities and business associates. Any organization that abides by these regulations is HIPAA compliant. One of the most important things to remember is to comply with the HIPAA Privacy Rule. Next, respect the following:

a) HIPAA Security Rule

b) HIPAA Breach Notification Rule

c) HIPAA Enforcement Rule

Most importantly, put physical and technical measures in place to safeguard patient data from any kind of breach or unauthorized disclosure. You may also want to invest in Data Loss Prevention (DLP) systems and tools. Such tools analyze potential risks facing electronic PHI, educate care providers on all security policies in real time, and assess security policies periodically.

Consequences of Noncompliance

Failure to comply with HIPAA regulations can attract heavy penalties. Noncompliance, especially any that’s not crime-related, can attract fines of $100-$50,000 for each violation in any calendar year. There have been instances of HIPAA settlements running into more than $1 million. The largest settlement to date is the $5.5 million Advocate Health Center paid in 2016.
