ZenGRC

Simply Powerful GRC

HIPAA

What is HIPAA?

· ·

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, represents a crucial cornerstone in the safeguarding of patient health information. This act not only offers robust security provisions and ensures the privacy of patients’ medical data but has also evolved to address the modern challenges of the digital age. With the advent of cyberattacks targeting health insurers and care providers, HIPAA has been instrumental in implementing preventive measures to protect against digital data breaches, ensuring the integrity and confidentiality of health information in an increasingly connected world.

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act, is a landmark piece of legislation in the United States that revolutionized the privacy and security of health information. Passed in 1996, this act establishes national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA applies to a wide range of entities, including health care providers, health plans, health care clearinghouses, and business associates of these entities that handle health information.

Central to HIPAA are two key components: the Privacy Rule and the Security Rule. The Privacy Rule sets the standards for the protection of individuals’ medical records and other personal health information, both in paper and electronic forms – essentially the disclosure of PHI (private health information). It gives patients rights over their health information, including rights to examine and obtain a copy of their health records and request corrections. The Security Rule, on the other hand, specifies a series of administrative, physical, and technical safeguards for entities to use to assure the confidentiality, integrity, and security of electronic protected health information (ePHI).

Furthermore, HIPAA has been amended over the years to keep pace with the changes in the healthcare industry, particularly the shift towards electronic health records and the increasing concerns about data breaches and cyber threats. The HITECH Act and the Omnibus Rule have expanded the responsibilities of business associates and increased the penalties for HIPAA non-compliance.

In essence, HIPAA plays a critical role in protecting individual health information, ensuring it’s handled with the utmost confidentiality and security. This protection fosters trust in the healthcare system and encourages individuals to seek the care they need with the assurance that their personal health information remains private and secure.

What does HIPAA protect?

HIPAA offers several key protections for individuals’ health information, primarily focusing on safeguarding the privacy and security of sensitive health data. Here’s what it covers:

  1. Privacy of Health Information: HIPAA establishes national standards to protect individuals’ medical records and other personal health information. It restricts how health information can be used and disclosed, ensuring that it’s not improperly shared without the patient’s consent or knowledge.
  2. Security of Electronic Health Records: With the rise of digital health records, HIPAA sets standards for protecting the security of electronic health information. This includes requirements for physical, administrative, and technical safeguards to ensure the confidentiality, integrity, and security of electronic medical information.
  3. Patient Rights Over Health Information: HIPAA grants patients several rights concerning their health information. This includes the right to inspect and obtain a copy of their health records, request corrections, and be informed about how their information is used and shared.
  4. Breach Notification: In the event of a breach of unsecured protected health information, HIPAA requires covered entities and their business associates to provide notification of the breach to affected individuals, the U.S. Department of Health & Human Services, and in some cases, the media.
  5. Limitations on Health Information Use for Marketing and Fundraising: HIPAA places restrictions on how health information can be used for marketing, fundraising activities, and certain other purposes without the individual’s explicit permission.
  6. Safeguards Against Genetic Discrimination: HIPAA, in conjunction with the Genetic Information Nondiscrimination Act (GINA), offers protections against discrimination in health coverage or employment based on genetic information.
  7. Protections for Special Categories of Information: HIPAA offers additional protections for specific types of sensitive information, like mental health records, ensuring higher confidentiality and discretion in handling such data.

In essence, HIPAA’s role is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide high-quality health care and protect the public’s health and well-being.

HIPAA Titles & Regulations

Title I: Health Insurance Reform Under HIPAA Title I of HIPAA safeguards health insurance coverage for individuals during job transitions or job loss. It notably prevents group health plans from denying coverage based on specific diseases or pre-existing conditions and eliminates the imposition of lifetime coverage caps. This ensures continuous health insurance protection for individuals in various employment situations.

Title II: Administrative Simplification Title II mandates the U.S. Department of Health and Human Services (HHS) to set nationwide standards for electronic healthcare transactions. This title is pivotal in promoting the efficiency of healthcare services through digital means. It emphasizes the need for secure electronic handling of health data and adherence to stringent privacy regulations, thereby enhancing the confidentiality and security of patient information in the digital landscape.

Title III: Tax-Related Health Provisions In Title III, the focus shifts to the interplay between healthcare and taxation. It outlines specific tax deductions for medical insurance and includes various tax-related policies and rules pertaining to medical care. This section integrates healthcare policy with tax legislation, offering financial implications for healthcare expenses and insurance.

Title IV: Enforcement of Group Health Plan Requirements Title IV expands on health insurance reforms, particularly emphasizing the rights and protections for individuals with pre-existing conditions and those seeking continuity in their healthcare coverage. It builds upon the groundwork laid in Title I, delving deeper into the specifics of insurance policies and coverage mandates.

Title V: Revenue Offsets The final title, Title V, addresses broader financial and tax implications. It concerns the regulations for company-owned life insurance and outlines tax consequences for individuals relinquishing U.S. citizenship. While indirectly connected to healthcare, this title highlights the far-reaching impact of HIPAA in financial and legal realms beyond traditional health insurance and care.

HIPAA Compliance: Title II

HIPAA compliance is most commonly associated with the mandates of Title II, which is divided into five pivotal rules, each addressing a different aspect of health information security and privacy:

  1. The Unique Identifiers Rule (National Provider Identifier): This rule mandates that all healthcare entities, including employers, individuals, healthcare providers, and health plans, must use a unique 10-digit National Provider Identifier (NPI). This standardized identification system enhances the efficiency and accuracy of healthcare data processing.
  2. The HIPAA Privacy Rule: As the cornerstone of patient data protection, the HIPAA Privacy Rule sets national standards for safeguarding personal health information. It limits the use and disclosure of Protected Health Information (PHI), balancing patient privacy with the necessity of sharing information for billing and healthcare operations. This rule applies to covered entities like health plans, healthcare clearinghouses, and healthcare providers, and extends to business associates through contractual safeguards. The Privacy Rule also mandates comprehensive administrative, technical, and physical safeguards to maintain the privacy of PHI.
  3. Transactions and Code Sets Rule: This rule advocates for the uniform use of Electronic Data Interchange (EDI) in healthcare transactions, particularly for insurance claims processing. It standardizes the electronic exchange of healthcare data, promoting efficiency and accuracy in billing and record-keeping.
  4. The HIPAA Security Rule: Focused on electronic health records, the Security Rule prescribes national standards for securing electronic Protected Health Information (ePHI). It requires the implementation of robust physical and electronic measures to ensure the secure creation, transmission, and storage of ePHI, addressing a range of potential security risks.
  5. The Enforcement Rule: This rule outlines the procedures for investigating HIPAA non-compliance and establishes the framework for imposing civil monetary penalties for HIPAA violations. It underscores the importance of adherence to HIPAA standards and the consequences of non-compliance.

HIPAA Omnibus Rule

In 2009, guidelines were established by HHS concerning the responsibilities of business associates of covered entities. These rules are contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act. This act was modified and expanded in 2013 as the HIPAA omnibus rule. Penalties range from $10,000 per violation to $50,000 per violation based on a tiered structure. The annual maximum penalty is $1.5 million.

Office of Civil Rights Enforcement

The Office of Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules in several ways:

  •   by investigating complaints filed with it,
  •   conducting compliance reviews to determine if covered entities and business associates are in compliance, and
  •   performing education and outreach to foster compliance with the Rules’ requirements.

OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.

What is the penalty for HIPAA violations?

HIPAA violations are taken very seriously due to the sensitive nature of the data involved. The penalties for these violations vary based on the nature and extent of the breach, and the harm caused by it. They can range from minor fines to criminal charges, depending on the severity and intent behind the violation.

Monetary Penalties: The U.S. Department of Health and Human Services (HHS) has established a tiered penalty structure for HIPAA violations. The penalties are classified based on the knowledge the entity had of the violation:

  • Tier 1: For violations where the offender didn’t realize they violated the Act and would have handled the matter differently if they had, the penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million.
  • Tier 2: If the violation had a reasonable cause and was not due to willful neglect, the fines range from $1,000 to $50,000 per violation, with the same annual maximum.
  • Tier 3: For cases of willful neglect where an attempt to correct the violation was made, the penalty ranges from $10,000 to $50,000 per violation, subject to the annual cap.
  • Tier 4: If the violation was due to willful neglect and was not corrected, the fines start at $50,000 per violation, with the annual maximum still in place.

Criminal Charges: In more severe cases, particularly where there was intentional disclosure or obtaining of health information for personal gain, malicious harm, or deceit, criminal charges can be filed. These charges can lead to substantial fines and even imprisonment. For instance, knowingly obtaining or disclosing protected health information can result in fines up to $50,000 and one year in prison. Offenses committed under false pretenses carry higher penalties, and if committed with the intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm, the fines can go up to $250,000 with imprisonment of up to ten years.

Corrective Actions and Resolution Agreements: In some cases, instead of or in addition to monetary penalties, the HHS may require entities to undertake corrective actions to remedy the violation. This may include steps like improving data security, providing additional training to staff, or making changes to policies and procedures. Resolution agreements may also be signed, which include a detailed action plan and regular reporting to HHS to ensure compliance.

Civil Lawsuits: While HIPAA itself doesn’t provide a private cause of action, individuals affected by a breach may file civil lawsuits based on state privacy laws. Damages awarded in such cases can include compensation for harm suffered due to the breach.

The penalties for HIPAA violations drive home the importance of complying with the regulations to protect patients’ health information. Organizations and individuals handling health information are thus strongly advised to understand and adhere to HIPAA requirements to avoid these significant penalties.

Meet Your HIPAA Compliance Goals with ZenGRC

ZenGRC offers a streamlined and efficient solution for meeting your HIPAA compliance goals. This software simplifies the compliance process by providing a centralized platform for managing all your HIPAA-related requirements. With its user-friendly interface and comprehensive tracking tools, ZenGRC ensures that you stay on top of necessary audits, risk assessments, and policy management. It automates the tracking of compliance tasks and deadlines, reducing the risk of human error and ensuring timely completion. By choosing ZenGRC, healthcare providers and associated entities can confidently navigate the complexities of HIPAA compliance, focusing more on patient care and less on administrative burdens.

What Are the HIPAA Standard Transactions?

· ·

The Department of Health and Human Services (HHS) defines a transaction as an electronic exchange of information between two parties, to carry out financial or administrative activities related to healthcare.  For example, a health care provider will send a claim to a health plan to request payment for medical services.

Under the Health Insurance Portability and Accountability Act (HIPAA), the department adopted specific “standard transactions” for the electronic exchange of data in the healthcare industry, to facilitate those transactions among various healthcare parties. 

The following formats replace any proprietary EDI format used within the health insurance industry:

Payment and remittance advice

This refers to the process where a health plan makes a payment to a financial institution for a healthcare provider. The plans are permitted to send an explanation of benefits or remittance advice directly to a healthcare provider (data only) or to send payment and an explanation of benefits or remittance advice to a healthcare provider via a financial institution (payment and data).

Claims status

This standardized format should be used by healthcare providers and recipients of healthcare products or services (or their authorized agents) to request a healthcare claim status update.

Eligibility

This refers to a standard format for both inquiry and response regarding eligibility, coverage, or benefits, as those things relate to a health plan. They apply to employers, plan sponsors, subscribers, or dependents under the subscriber’s policy.

Coordination of benefits

The coordination of benefits transaction refers to transmission from any entity to a health plan for the purpose of determining payment responsibilities of a health plan for healthcare claims.  

Claims and encounter information

This format should be used when a healthcare provider files an electronic request for a healthcare claim payment for the delivery of services and when providing data regarding the type of healthcare services performed during the encounter or equivalent encounter information.

Enrollment and disenrollment

This format applies to both enrollment and disenrollment from a health plan. It is used to establish communication between the sponsor of a health benefit and the health plan.

Referrals and authorizations

This standard applies to electronic transactions, including referral certification and authorization. A referral certification can be:

  • from a healthcare provider to a health plan, to obtain authorization for care;
  • from a healthcare provider to a health plan, to obtain authorization for referring an individual to another healthcare provider; or
  • from a health plan to a healthcare provider about authorization and referral requests.

Premium payment

This standard applies to health plan premium payments for health insurance plans. This format applies to employers, employees, unions, and associations that are required to make or track premium payments to health insurers.

The Latest on HIPAA Standard Transactions

The Standards for Electronic Transactions and Code Sets were published in 2000. They were subsequently modified in 2010 to include newer standards for several transactions, claims and encounter information, payment and remittance advice, and claims status. 

When combined, all these provisions are referred to as Administrative Simplification, because they were created to simplify the business of healthcare.

These transaction formats standardize the electronic exchange of patient-identifiable health information via electronic data interchange (EDI) transactions for submitting, processing and paying claims.  

These HIPAA standards apply to health plans, healthcare clearinghouses, and healthcare providers that transmit healthcare information in electronic form, to complete healthcare transactions. 

These national standards apply to electronic transmissions using all media, even when it is physically moved from one location to the next via magnetic tape, disk, or CD.  

These standards also apply to transmissions over the internet, private networks, leased lines, dial-up lines, and other types of private networks. The standard does not, however, pertain to telephone voice response or fax-back systems.

Covered entities that complete any of these HIPAA transactions electronically are required to use an adopted standard from ASC X12N or NCPDP for certain pharmacy transactions. Failure to do so can result in penalties for HIPAA violations.

Schedule a Demo for Our HIPAA Compliance Software

ZenGRC is a governance, risk management, and compliance solution that can work to support your HIPAA compliance program. 

With it, companies gain real-time visibility into the application of their HIPAA operating rules, and the insight to implement better HIPAA privacy standards that can prevent a breach of protected health information (PHI).

ZenGRC allows organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make risk management a burden such as documentation collection and storage and compliance task management. 

Not only can ZenGRC and the experts at Reciprocity serve as HIPAA implementation guides; we can also empower you to make risk management best practices throughout the organization far simpler. 

To see how ZenGRC can improve your HIPAA regulations-based practice management and implementation of privacy rules, schedule a demo today.

Complying with HIPAA Breach Notification Rules

· ·

Learn all about the HIPAA breach notification rules and how you can best protect your business by being ready to comply with anticipated 2021 HIPAA breach notification rules.

The HIPAA (Health Insurance Portability and Accountability Act) breach notification rules spell out how hospital systems, physicians, and other healthcare providers must notify their patients, as well as the U.S. Department of Health & Human Services (HHS), if those healthcare providers experience a data breach that affects patient information protected by HIPAA. 

A breach could include unsecured protected health information (PHI) or sensitive personal data such as names, addresses, or Social Security numbers that have fallen into the hands of unauthorized individuals, typically after a hacking or other data breach incident. 

HIPAA compliance obligations have remained essentially the same since the last update to HIPAA rules in 2013. That is about to change. Several significant updates to HIPAA are expected in 2021, making it extra important to stay on top of compliance requirements new and old.

Brief history of HIPAA breach notification rules  

One change in 2013 was passage of the HITECH (Health Information Technology for Economic and Clinical Health) Act, which applies to all health insurance and healthcare providers, as well as their third-party contractors. HITECH mandated the notification requirements we know today. 

Shortly after onset of the COVID pandemic, the U.S. Congress passed the Corona Aid, Relief, and Economic Securities (CARES) Act. One main objective of the CARES Act was to ensure access to healthcare during the pandemic, including access to treatment for substance abuse disorders (SUD). 

Expected in 2021 are changes to federal regulations regarding how healthcare providers and health insurance companies treat records of patients with SUD and mental health issues, as well as regulatory protection specific to the sharing and safe-keeping of these two types of health records. 

HHS is considering changes that would allow for the sharing of SUD records with primary care physicians, both to provide better care for the patient and also to stop a physician from prescribing opioids to a patient already in treatment for such an addiction. These changes will also bring new HIPAA breach notification rules, as more patients will be covered by them. 

What triggers the HIPAA breach notification rule? 

Under the HIPAA Privacy Rule, a breach is an impermissible use or disclosure of unsecured PHI (for example, unencrypted PHI) that compromises the security or privacy of the protected health information. The nature and size of the breach trigger the corresponding HIPAA breach notification rule. 

Interestingly, HIPAA only requires notifications of breaches for PHI that is not secured. So the first step toward avoiding a fine is to make sure covered entities and their business associates use appropriate encryption and destruction techniques to assure that PHI is unusable, unreadable, or indecipherable should that data fall into the clutches of an unauthorized person. 

Who is covered by breach notification rules?

Covered entities include health plans, healthcare providers, healthcare clearinghouses, health insurance companies, and individual providers; as well as their business associates. Outpatient facilities and pharmacies are also considered covered entities. 

A business associate is defined as any company or individual — other than a workforce member of a covered entity — that does work for a covered entity, no matter what type of work the contractor provides. 

What qualifies as a breach?

Any impermissible use or disclosure of PHI is considered a breach unless the covered entity or business associate can show that there’s a low probability the PHI has been compromised. That conclusion must be based on a risk assessment of certain factors, including: 

  • The nature and detail of the PHI, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed, or the unauthorized access was an attempted data breach of unsecured PHI that didn’t succeed. 
  • The extent to which the risk to the PHI has been mitigated, and plans and cybersecurity software have been put in place to help with the discovery of breaches in the future. 

What are the breach notification duties?

After discovery of large breaches, a business must comply with HIPAA breach notification rules and meet notification requirements within 60 days

Once a covered entity knows or should have known that a breach of PHI occurred (referred to as the “date of discovery”), the keeper of the data is required to notify the affected individuals, HHS, and prominent media outlets. 

The covered entity has to do this “without unreasonable delay” or before 60 calendar days after it discovered the breach. That applies even if the organization wasn’t entirely certain the PHI had been compromised at the time it discovered the breach.  

If the breach involves the unsecured PHI of more than 500 people, a covered entity must notify a major print or broadcast media outlet in the state or jurisdiction where the breach occurred, and still notify HHS. 

Enforcement, fines and penalties 

The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. The OCR may issue civil monetary penalties for violations of the rules. In cases of egregious neglect of data security, the U.S. Department of Justice may file criminal charges. The OCR also posts the names of entities with breaches involving more than 500 people on its “wall of shame.”

According to HHS, the federal agency has received more than 259,972 HIPAA complaints, and has initiated 1,073 compliance reviews, since the privacy rule took effect in 2003. HHS reports having solved 99 percent of the cases brought forth. 

According to HHS’s website, HHS.GOV, the most common violations leading to a HIPAA investigation in descending order are: 

  • Impermissible use and sharing of unsecured PHI 
  • Lack of cybersecurity and encryption applied to protect the information
  • Lack of or denying patients access to PHI
  • Lack of security systems put in place to protect electronically protected health information
  • Disclosure of too much PHI (see above about substance abuse treatment)

Roughly $135.3 million has been collected in fines since 2003. 

What about smaller breaches?

For breaches involving fewer than 500 people, a covered entity can keep a log of the relevant information and notify HHS within 60 days after the end of the calendar year via the HHS website.

The covered entity and its business associates must also make any required reports available to HHS and the affected individuals. Notification to individuals must be sent via first class mail, or email if the individuals have agreed to accept notices electronically. 

If a covered entity doesn’t have contact information for 10 or more individuals, it must either post a notice on the homepage of its website or make it available on major print or broadcast media located in the geographical area where affected individuals likely live.

How to determine if your business must be HIPAA compliant

The HIPAA Journal has published an updated compliance checklist for 2021 by compiling compliance demands of the HIPAA Privacy and Security Rules, HIPAA Breach Notification rules, the HITECH Act and HIPAA Enforcement Rules. 

The list will help you determine whether your business must comply with HIPAA compliance guidelines. The steps included are: 

  • Determine which audits are applicable to your business and how frequently they should be done. 
  • Conduct said audits and document any deficiencies. 
  • Make plans for mediation in case of the discovery of a breach.
  • Assign a HIPAA compliance officer and needed staff. 
  • Implement a HIPAA training program and document your staff’s participation. 
  • Review business associates and third party contractors

Cybersecurity and compliance management tools

As you steer your business through the pandemic and our highly interdependent world, many tools can help keep your business safe and in compliance, with your information secure.

ZenGRC’s compliance management, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also easily identifies areas of high risk before that risk has manifested as a real threat. 

Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.

Using Cybersecurity to Protect Sensitive Healthcare Data

· ·

Sensitive corporate data is always a prime target for data breaches. The healthcare industry is no exception, and the compliance obligations a healthcare firm must fulfill to protect that data are formidable. 


The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to implement robust security controls to safeguard health information from unauthorized access. This mandate is not optional.


Any organization that falls under HIPAA compliance guidelines is legally (and ethically) required to protect the personal privacy of patients from the loss, modification, or misuse of data. Ignoring those duties can bring legal, reputational, and financial penalties. 


Healthcare organizations are also obligated to provide clear notices to individuals about what data the organizations are collecting, why they’re collecting it, how they plan to use it, and what other entities will have access to the data. 


These requirements sometimes coincide with other data privacy laws like the General Data Protection Regulation (GDPR) which requires explicit consent from any patients or customers who live in the EU.

Are healthcare information systems really a target for security breaches?

Medical records may not be the first thing that comes to mind when you consider valuable data that a cybercriminal might want to steal, but such records most certainly are. The rate of healthcare data breaches increased by 55 percent from 2019 to 2020, with nearly 600 occurrences reported in 2020.


To remedy the situation, healthcare organizations are obligated to limit access to sensitive data, implement data security measures such as encryption and firewalls, and train employees on information security practices for data handling, vendor risk assessment, and overall information technology best practices. 


Incidentally, healthcare firms are also expected to spend $125 billion on cybersecurity from 2020 to 2025.

Cybersecurity Attacks in the Healthcare Industry

Cybercriminals use everything from malware, to ransomware, to weak passwords and other cyber threats to gain access to confidential personal data. Such information can include names, birth dates, credit card numbers, phone numbers, employment histories, and more. 


In addition to patient medical records, providers also typically have financial information stored on patients. And due to privacy regulations, cybercriminals may feel that simply threatening to expose a data breach, and holding patient data for ransom, will be enough to force healthcare businesses to give the attackers what they want: money, or some other ransom.

What are the consequences of poor healthcare security?

When organizations ignore or neglect their compliance duties, the consequences can be severe.


In 2019, data breaches cost healthcare organizations an estimated $4 billion in damages, with an average of $423 per compromised patient record. This amount doesn’t include the costs associated with HIPAA fines or any lost productivity suffered during or after the data breach. 


And not all loss caused by a data breach can be measured in dollars and cents. Information stolen during security incidents, such as Social Security numbers, addresses, and phone numbers, can be used to open new loan and credit accounts, commit identity theft, or blackmail patients or organizations. 


Additionally, a malware attack could cause medical devices to shut down or malfunction, which could result in the loss of human life. Examples include pacemakers, insulin pumps, and more.

How can the healthcare industry improve on cybersecurity?

To respond to this increasing threat, healthcare organizations need to take several steps. 

1.    Invest in cybersecurity training for team members

Yes, invest in robust security controls and to encrypt and protect sensitive customer information — but those controls are only as effective as your staff is at implementing and maintaining those controls over time. 


It’s equally (or perhaps even more) important that your staff be trained and understand their role in keeping your organization’s private information safe, and that they know how to adhere to security standards.

2.    Keep your information systems and tools updated 

Many organizations don’t understand the threat that unpatched software creates. Cybercriminals know how to seek out such vulnerabilities and then exploit them to gain access to your IT environment. So it’s important to create a routine cadence for updating every application running in your IT ecosystem.

3.    Replace legacy systems with newer, more secure technologies

Legacy systems weren’t built with today’s threat landscape in mind, so strive to replace those systems with more modern, secure technologies. 


It’s true that change can be difficult, particularly for a large organization like a hospital system. But when weighed against the potential penalties for using a poorly secured system, the effort of investing in better technology becomes much more compelling. 


Modern cybersecurity technologies provide several out-of-the-box benefits, like SSL encryption and authentication protocols that you can use to get a jump start on implementing your HIPAA compliance controls.

4. Implement access controls

Not all threats are external. Some cybercriminals disguise themselves as trusted employees. Other threats include trustworthy, yet uneducated employees. Both present a threat to your organization. 


By implementing access controls, you can designate access and authority to use, move, or change sensitive data to a select group of employees that require access to do their job. Furthermore, most identity management and access control tools will allow you to revoke access automatically for terminated employees, preventing a disgruntled ex-employee from exposing your organization. 

5.    Enforce password requirements

To assure that a hacker can’t access your systems through weak passwords, employees must be educated on best practices like:

  • Using complex passwords
  • Not including personal data in a password
  • Not using personal passwords for professional systems
  • Changing passwords regularly
  • Using 2FA (two-factor authentication), like biometric scanning or an application on an encrypted personal device, for an added layer of security

6.    Conduct regular risk assessments

Just as technological innovation expands and grows, so do cyber threats and compliance requirements. A risk assessment you did a year ago may very well be outdated today. 


So your risk management strategy should include routine risk assessments, to assure that you are still able to mitigate existing threats properly and are prepared for emerging threats.

7.    Implement multiple security layers

Redundancy in cybersecurity is key. There are no guarantees that even the best firewall software will go un-hacked forever. That’s why it’s best to incorporate multiple layers of security to ensure that if one fails, another will stand in its place.

8.    Incorporate data recovery and backups into your strategy

It only takes one cybersecurity incident, like a DDoS attack, to cripple your system entirely and cause the loss of all your data. That’s why it’s important to run routine backups of your data, systems, and servers, and store them in a secure, remote location, to enable recovery in the event of an incident. 

Looking to the Future of Cybersecurity & Healthcare

The cybersecurity risk landscape is constantly evolving. Some of the emerging threats the healthcare industry faces include:

  • bringing telehealth into compliance with expanding HIPAA regulations
  • adjusting to changing clinical trials
  • encouraging digital relationships while ensuring patient privacy stays protected

To add to the challenge of implementing modern cybersecurity best practices, healthcare companies must also stay abreast of changing regulations. 


And with COVID-19 forcing telemedicine to grow faster than regulators’ ability to adopt new regulations for it, businesses are expected to do their own due diligence to assure they don’t face legal penalties later on down the road. 

ZenGRC Has HIPAA-Compliant Security Solutions

HIPAA requirements run more than 115 pages. Ensuring that you’re compliant with each applicable rule and scaling your cybersecurity protocols to multiple locations can be extremely time-consuming and overwhelming.


With ZenGRC, you can assure your organization does its due diligence to protect sensitive information through risk analysis and mitigation, so your organization can meet its compliance requirements across a variety of frameworks whether they be for HIPAA, PCI, NIST, HITECH, or otherwise.


ZenGRC’s functionality can help you to implement self-audits for security risks if you’re new to HIPAA compliance or just need an extra hand getting started. And its easy-to-use dashboard provides an integrated view of your HIPAA-regulated data and compliance requirements, showing where your gaps are and how to fill them.


ZenGRC stays up to date in real-time with changing compliance regulations so you don’t have to. With Zen, you always know where you stand and can fix gaps in your compliance as soon as they occur. 


Worry-free HIPAA compliance is the Zen way! Learn how ZenGRC can help you achieve compliant software by booking a demo today.

Tips for Meeting HIPAA Compliance Documentation

· ·

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires healthcare organizations, as well as any other “covered entities” that handle electronic protected health information (ePHI), to implement data security protocols that protect health records from unauthorized access or release.

As defined by HIPAA, covered entities include health plans, healthcare clearinghouses, and healthcare providers.

HIPAA compliance can be a daunting task for businesses. Not only are there more than 100 pages of rules to follow, but HIPAA regulations change constantly to address new aspects of ePHI, patient rights, and cybersecurity. 

Daunting or not, however, healthcare organizations and their business associates must perform their due diligence to remain HIPAA-compliant. That means constantly monitoring data activity and improving security measures that protect unauthorized access to medical records. 

After all, non-compliance can result in hefty fines and penalties, lost business, and lost trust among patients whose privacy is breached. 

To ease the burden, we’ve created this guide to help you better understand documentation requirements for your HIPAA compliance efforts and what you need to obtain HIPAA compliance

Why Document for HIPAA Compliance

As part of your HIPAA compliance program, it’s necessary to prepare documentation that outlines your implementation specifications. An assessor will use this material to validate your security measures and assure that they meet HIPAA requirements in the event of an audit. 

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the regulator tasked with enforcing HIPAA. OCR is also the office that performs a compliance review in the event that a claim involving HIPAA is laid against your organization.

If your organization doesn’t have documentation your HIPAA compliance program is essentially worthless, as the program can’t be validated and you will most certainly lose in the complaint. 

When done properly, documentation creates the foundation for your security standards around processes, workforce members, and the information systems employed by your organization.

What Are the 5 Rules of HIPAA?

HIPAA compliance has five main rules to put its privacy and security objectives into effect.

1. The HIPAA Privacy Rule

The HIPAA Privacy Rule lists the requirements for protecting ePHI. Therefore, all types of ePHI listed in the rule must be protected with administrative, technical, and physical safeguards.

The privacy rule lists access controls under which certain medical professionals can procure ePHI without authorization.  

The rule also defines the rights of patients. Patients can view or request their personal medical records, and request corrections of any inaccurate information.

2. The HIPAA Security Rule

The security rule details the requirements for security measures used to protect patient data and methods for identification, remediation, and prevention of data security breaches.

The security rule also specifies that covered entities must undergo periodic risk assessments and audits to assure that their technical safeguards are reliable.

3. The HIPAA Enforcement Rule

The HIPAA Enforcement Rule defines the penalties for a data breach. Penalty amounts can vary depending on the number of medical records exposed and how many data breaches have occurred within an organization.

Fines can range from $100 to $50,000 for the first violation, but can go as high as $1.5 million for subsequent breaches.

4. The HIPAA Breach Notification Rule

This rule dictates that if a data breach affects fewer than 500 individuals, the organization is required to notify those individuals within 60 days. The affected business must also notify the Office For Civil Rights (OCR) within 60 days of the new year after the breach.

If more than 500 individuals are involved in a data breach, then the organization is required to notify the public through news media channels. 

5. The Omnibus Rule

This rule, added in 2013, extends the obligations of “business associates”—that is, third parties that work with companies subject to HIPAA—to comply with the HIPAA rules while dealing with ePHI. This inclusion is especially important for software developers.

How Do I Prove HIPAA Compliance?

There isn’t an entity assigned to validate HIPAA compliance, except for the OCR in the event of a claim. As our prior section laid out, however, ignoring HIPAA compliance can cost you your ability to do business in the event of a claim.

Therefore, to ensure that you’re properly prepared in the event of an audit or a claim, you must have documentation in place that attests to the requirements specified in HIPAA regulations.

How to Meet HIPAA Documentation Requirements

What documentation do you need to meet HIPAA requirements? This can be a confusing topic for many organizations. 

To begin, every procedure, person, and policy surrounding ePHI should be documented. This includes any associated risks to its data security and your risk mitigation strategies. 

Furthermore, your documentation should demonstrate your current HIPAA compliance stance, how it has improved over time, and your plans to prepare for its evolution in the future.

Here are some questions you should have documentation to answer:

  • What is our cybersecurity stance?
  • Risk analysis: what potential risks are there to the security of the ePHI we handle?
  • What risk management strategies do we have in place to mitigate electronic and physical security risks?
  • Are our team members trained in strategies to safeguard ePHI?
  • What is our stance on BYOD (Bring Your Own Device) and how do we prevent electronic or physical access from unauthorized parties to our information systems?
  • How have our processes evolved since self-auditing for HIPAA compliance?

HIPAA Compliance Checklist

If you’re ready to begin documenting your compliance stance as it relates to HIPAA, here is a helpful checklist to get you started.

  1. Identify and document where your ePHI and HIPAA-related data lives and what security policies are in place to protect it from unauthorized access.
  2. Map your ePHI and HIPAA-related data to your business processes and workflows. Document how the ePHI is handled, transmitted, and stored, and any team member that plays a part in that process.
  3. For those who have access to ePHI and HIPAA-related data, assign privilege access to the appropriate parties and remove access for anyone who doesn’t need to have it.
  4. Create alerts for any ePHI and HIPAA-related data that is accessed so there are audit controls, as well as an alert for any new incoming data that needs to go through any workflow to make it compliant.
  5. Implement any physical and technical measures necessary, that you don’t already have, to protect your sensitive data. Examples include 2FA (two-factor authentication), file encryption, auto logoff protocols, physical locks, access keypads, and so forth.
  6. Implement continuous monitoring protocols, both virtual and physical, so that any security incidents are caught and can be remediated as quickly as possible. 
  7. Have contingency plans in place in the event of a breach that implements automatic lockdowns until the damage can be controlled and the risk eliminated.

How ZenGRC Can Help With HIPAA Compliance

With HIPAA requirements expanding constantly, it’s unmanageable for healthcare organizations or their subcontractors to rely on manual processes and spreadsheets to track compliance.

ZenGRC can help to ease the burden of conducting a HIPAA security risk assessment and preparing the necessary documentation to support your compliance stance. 

Our easy compliance templates make self-audits a breeze while our central dashboard can tell you where gaps exist in your compliance documentation, and how to fill them.

Furthermore, ZenGRC can audit your compliance documentation across frameworks so you can streamline your efforts whether they be for HIPAA, NIST, HITECH Act, or any other healthcare-related requirements.

Worry-free HIPAA compliance is the Zen way! Learn how ZenGRC can help you achieve compliant software by booking a demo today.