What is HIPAA Compliance?



The Health Insurance Portability and Accountability Act (HIPAA) is the law that governs the protection of sensitive patient data. To maintain HIPAA compliance, businesses dealing with protected health information (PHI) must implement and adhere to physical, network, and process security safeguards. HIPAA compliance is required of covered entities (those who provide treatment, payment, or operations in healthcare) and business associates (those who have access to patient information and assist with treatment, payment, or operations). Subcontractors and any associated business associates, for example, must likewise be in compliance.

HIPAA Privacy Rule

The Privacy Rule protects your patients’ PHI while letting you exchange information to coordinate your patient’s care. The Privacy Rule also gives patients the right to examine and get a copy of their medical records, including an electronic copy of their electronic medical records, and to request corrections. Under the Privacy Rule, patients can restrict their health plan’s access to information about treatments they paid for in cash, and most health plans can’t use or disclose genetic information for underwriting purposes. The Privacy Rule allows you to report child abuse or neglect to the authorities.

HIPAA Security Rule

The Security Rule requires you to develop reasonable and appropriate security policies. In addition, you must analyze the security risks in your environment and create appropriate solutions. What is reasonable and appropriate depends on your business as well as its size, complexity, and resources. You should regularly review and modify your security measures so that ePHI stays protected in a changing environment.

Three basic rules of thumb of HIPAA:

  • Confidentiality: ePHI can’t be made available or disclosed to unauthorized persons or processes
  • Integrity: ePHI can’t be altered or destroyed in an unauthorized manner
  • Availability: ePHI has to be accessible and usable on demand by an authorized person


Who Must Comply with HIPAA Rules?

Covered entities and business associates must follow HIPAA rules. If you don’t meet the definition of a covered entity or business associate, you don’t have to comply with the HIPAA rules.

Covered Entities

Covered entities that must follow HIPAA standards and requirements include:

  • Covered Health Care Provider: Any provider of medical or other health care services or supplies that transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard, such as:
      • Doctors
      • Clinics
      • Psychologists
      • Dentists
      • Chiropractors
      • Nursing Homes
      • Pharmacies
  • Health Plan: Any individual or group plan that provides or pays the cost of health care, such as:
      • Health insurance companies
      • Health maintenance organizations
      • Company health plans
      • Government programs that pay for health care
  • Health Care Clearinghouse: A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice versa, such as:
      • Billing services
      • Community health management information systems
      • Repricing companies
      • Value-added networks

Business Associates

A business associate is a person or organization, other than a workforce member of a covered entity, that performs functions on behalf of or provides services to a covered entity that involve PHI access. Business associates also include subcontractors responsible for creating, receiving, maintaining, or transmitting PHI on behalf of another business associate. Business associates provide services to covered entities that include:

  • Accreditation
  • Billing
  • Claims processing
  • Consulting
  • Data analysis
  • Financial services
  • Legal services
  • Management administration
  • Utilization review


In a nutshell, HIPAA seeks to respect the rights of individuals by guaranteeing that they retain control over their health-related data. With specific rules established to ensure privacy, individuals can receive medical care without the law adding unnecessary complications. For example, someone may consent to her doctor seeing her X-rays during one appointment, then change her mind and ask that they never be shared again during another session. HIPAA also grants broad exceptions for studying a person’s records in an academic setting but generally limits what is allowed outside those circumstances.





Aquil Ahmad

SysYork Technologies

Dynamic and detail-oriented professional with over 17 years of experience ranging from IT Security, IT Service Operations, End User Services, Remote Infrastructure Management, Data Center Operations, Customer Relationship Management, Service Desk Operations, and Cyber Risk and Compliance Management to Third Party Vendor Management.
