HIPAA Security Requirements: How to Avoid Pitfalls


Security is a top priority for every organization, and especially for the healthcare industry. According to the Ponemon Institute, 91 percent of practices have suffered at least one data breach in the past two years. Protecting medical information is more important than ever, and staying up to date with HIPAA security requirements must be a top priority.

What is HIPAA and who does it apply to?

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data, whether it is handled through electronic billing or any other process. It requires that any organization dealing with protected health information (PHI), including healthcare providers, emergency medical clinics, dental offices, nursing homes and their business associates, meet HIPAA compliance rules and ensure that all required physical, network and process security measures are in place and followed. With so many rules and regulations, however, it is difficult for practices to stay up to date and maintain compliance. Here are four major pitfalls that practices are susceptible to:

Not Using Proper Security Controls

While no two medical practices are exactly the same, all must take steps to understand and minimize their security risks. Start by creating a detailed inventory of every component that plays a role in storing or transmitting patient health information. Then build a diagram or a detailed description of how your hardware, software and network components collect, access, store and transmit PHI; this is the basis of the risk analysis HIPAA requires, and you cannot protect data flows you have not mapped. Physical security matters as much as technical controls, because information must not be readily available for anyone who walks by to see: this includes automatic screen locks, strong passwords, surveillance cameras, and physical locks and keys on rooms and cabinets that hold PHI.

Lack of Email Encryption

It is becoming more common for patients to communicate directly with their physicians through email. The problem with email is that, unless it is properly secured, anyone who can intercept or access a message can read its contents. Practices must be mindful of data security and stay aware of email threats, from account compromise to phishing, all while remaining compliant with HIPAA security requirements. Email encryption is a big help here. It uses a cipher to render the message content unreadable to anyone who does not hold the corresponding decryption key. So if a cybercriminal gets hold of an email you sent, they cannot use the data unless they also obtain your key. Keep in mind that encryption between mail servers (TLS in transit) only protects the message on the wire; protecting it at rest in mailboxes requires end-to-end encryption of the message itself, so check which kind your email solution actually provides.

Out-of-Date Business Associate Agreement

Keeping an up-to-date Business Associate Agreement (BAA) often falls through the cracks because many doctors do not really know what it entails. Business Associates (BAs) are any individuals or organizations that create, receive, maintain or transmit PHI while performing functions on behalf of a practice. This includes IT service providers, shredding companies, document storage companies, attorneys, accountants, collection agencies and more. The agreement makes clear that BAs are bound by the same Security Rule and Privacy Rule regulations as the practice and must implement appropriate technical, physical and administrative safeguards to protect PHI.

No Evidence of HIPAA Compliance Policy

Are you prepared to answer specifics on a moment's notice about how facility doors are locked, how your firewall is configured, how faxes are managed, and whether your servers are on-site, in a data center or in the cloud? Within healthcare, HIPAA violations can cost millions, with penalties that can run more than $50,000 per violation. That is why it is imperative to have written documentation of your HIPAA policy that spells out the measures you have taken to remain compliant; a control that exists but is not documented is very hard to demonstrate to an auditor.

Sometimes You Can’t Do It All

Practices already have a laundry list of priorities, and HIPAA compliance cannot be left on the back burner. But identifying gaps in your ability to meet HIPAA security requirements, closing those gaps, staying current and adapting to ongoing requirement changes can be overwhelming.

Many practices are teaming up with a trusted IT partner who has expert knowledge of HIPAA: what is required to safeguard how you collect, store and transmit information, the risks and consequences of violations, how to get you into compliance and how to keep you there.

John Fakhoury
CEO and Founder of Framework
