HIPAA Compliance and Certification in the USA

By Tom Skeen

From time to time you are likely to hear references to HIPAA compliance and certification in the context of the health care system. So, like me, you are probably wondering what it means and how it affects you and your medical providers.

Last month I wrote an article titled "Are healthcare companies keeping your most personal information secure?". Following on from that article, I thought it would be a good idea to go into more detail about some of the "ins and outs" of HIPAA compliance.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It was enacted by the United States Congress and signed by President Clinton in 1996. It is broken down into five "titles" or sections. For the purposes of this article, I am only going to focus on parts of Title II, known as the Administrative Simplification (AS) provisions, which require the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers [1] [2].

HIPAA Compliance and Privacy Rules

Let's start with the privacy rule as it relates to HIPAA compliant file transfer. It establishes national standards to protect our medical records and other personal health information, and it applies to insurance companies, health care clearinghouses (i.e. third-party billing companies), and those health care providers that conduct certain health care transactions electronically. So what does this mean? Those that touch or interact with our Protected Health Information (PHI) must maintain its privacy. This provision also sets limits on the uses and disclosures of PHI that are permitted without our prior authorization [3]. Yes, your medical providers, in some restricted circumstances, can provide your health information to others. These medical personnel had better be properly trained and be very clear as to when and to whom this information can be shared, or the consequences can be severe, including civil and criminal penalties.

The HIPAA security rule establishes national standards to protect our electronic personal health information that is created, received, used, or maintained by a covered entity. This includes information about a medical diagnosis, medication prescribed by your doctor, and tests administered to determine a patient's medical plan. The Security Rule also requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. For those of us in the security field, this is by far the most interesting of the provisions.

Outlined below are a few violations of PHI under HIPAA:

  1. Improperly storing data – Data should be secured in digital data vaults or some other secure location. This includes data on local machines such as a laptop and on an enterprise file system.
  2. Failure to properly dispose of data – Data should be shredded or destroyed by some other means that renders it unrecoverable.
  3. Sending data over an insecure channel – Data should be sent using a safe data exchange method such as secure managed file transfer or secure email.
  4. Providing data to the incorrect patient – When sending files on an ad hoc basis, it is important to use an application that properly supports this type of file delivery.
  5. Publicly making data available – Data must be secured and not visible to unauthorized recipients.

Consequences for Violating HIPAA

Now that we've discussed the privacy and security rules of HIPAA, what does all of this mean if a person or a health care institution violates one of these rules? For starters, the individual or institution could be charged with civil and criminal penalties. In reviewing the penalties, they are quite severe. The civil penalties can range from $100 to $50,000 per violation, and the criminal penalties can be even harsher. According to the American Medical Association, covered entities and individuals who "knowingly" obtain or disclose individually identifiable health information can face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed with the intent to deceive others allow the penalties to be increased to a $100,000 fine and up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years [4].

The policies are clear under HIPAA and the fines for civil and criminal liability are significant, yet there are still so many health care breaches occurring. It's my belief that the "system" is so large and there is so much data being generated on a daily basis that some of the systems, applications and health care workers are simply struggling to keep our data safe. In 2015, 134 million health care records were breached [5], and if change doesn't occur soon, 2016 will be another record year of lost health care information.

Discover more about Safe-T's secure data exchange solutions and best practices by downloading the whitepaper. The in-depth analysis gives important warnings and solutions to a widespread and completely preventable problem.

[1] Centers for Medicare and Medicaid Services
[3] HHS – US Department of Health and Human Services
[4] American Medical Association