Find out why Strike Graph is the right choice for your organization. What can you expect?
Is your business required to be HIPAA compliant? HIPAA violation fines could cost your business millions, so it’s essential to know. Plus, HIPAA compliance can actually help you increase your revenue.
If you want to know more about what HIPAA is, what the rules are, and who is required to be HIPAA compliant, this is the guide for you.
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a collection of regulations in the United States governing the privacy and security of individuals’ protected health information (PHI).
One of the included regulations is the HIPAA Privacy Rule, one of three key HIPAA rules that govern how covered entities must ensure the confidentiality, integrity, and availability of PHI. PHI is simply any information that can identify someone’s health status or healthcare services, including names, addresses, test results, medical diagnoses, summary health information, and treatment plans.
The HIPAA Privacy Rule requires covered entities to have policies and procedures in place to ensure that PHI is used and disclosed only for permitted purposes and that individuals have the right to access and receive a copy of their PHI.
For example, HIPAA compliance requires ongoing training for employees who handle PHI, regular risk assessments to identify vulnerabilities and potential breaches, and the implementation of policies and procedures to address security incidents and breaches.
While that covers the basics of how HIPAA works, you might be curious whether or not it applies to your business, so let’s touch on that next before going over violations and how to seek HIPAA compliance.
HIPAA applies specifically to two types of parties:
A covered entity is basically any healthcare provider, health insurance company, or billing service that transmits electronic health information in connection with a HIPAA transaction. Think hospitals, doctors' offices, and insurance companies. They all have to follow HIPAA's rules, which means they're on the hook for any violations of the privacy, security, or breach notification rules.
Business associates, on the other hand, are the helpers of covered entities. They're companies or people that work with covered entities, doing tasks like processing insurance claims or transcribing medical records, and need access to PHI to get their jobs done. Business associates also have to follow HIPAA regulations, but their responsibilities are a bit different. They only have to follow the security and breach notification rules, but they still have to respect patient privacy when handling PHI.
For reference, here’s a useful list of things that cannot be shared under HIPAA:
You should also know that these rules aren’t without exceptions, like in the case of life-threatening emergencies.
If you’re concerned about violations and how much they might cost, read on.
HIPAA violations occur when a covered entity or business associate fails to comply with one or more aspects of the HIPAA rules. Any mishandling, misuse, or improper care of PHI could potentially lead to a violation. Let’s take a look at a few examples in the case of covered entities:
And, in the case of business associates, violations might look like this:
With the right measures in place, these kinds of events can be avoided. Unfortunately, knowing what to do and implementing procedures are two different things. Sometimes covered entities or business associates fail to bridge the gap.
To reflect different levels of severity, there are four tiers of violations:
You might notice that the maximum penalty for each type of HIPAA violation is $50,000 per incident. We should note that the penalties for HIPAA violations can be assessed for each individual incident, meaning that a single breach of PHI can result in multiple violations and penalties. And, keep in mind that violations can also result in significant damage to your company's reputation, loss of business, and even criminal charges in extreme cases.
So, now that you know more about HIPAA and the importance of getting compliant, let’s go over how you can build a strategy that will ensure that you get and stay HIPAA compliant.
Quick sidenote: if you’re in the process of researching HIPAA compliance, you may have come across information on HITRUST, a privately owned company that offers a framework to demonstrate HIPAA compliance. There seems to be a misconception that the only route to guaranteed HIPAA compliance is through HITRUST, but this isn’t true.
HIPAA requirements are complicated but with the right system in place, you can unburden yourself and your business (or startup), while also cutting down on the cost and stress of pursuing compliance.
Strike Graph is an all-in-one compliance and certification platform that allows you to design, operate, and measure — think certify — your security program in line with whichever frameworks are most beneficial to your business.
If you’re pursuing HIPAA compliance, you’ll find the most common HIPAA controls ready to use out of the box as soon as you log in to the platform. Then, our risk assessment walks you through common pitfalls to ensure you’re 100% covered. Set up automatic evidence collection and you’ll soon be ready for our in-house assessment team to certify you as HIPAA compliant.
What makes it even better is that once you’re HIPAA compliant, Strike Graph allows you to apply those controls across any other framework, including ISO 27001, SOC 2, PCI DSS, CPRA, and GDPR. It’s that combination of ease and flexibility that makes Strike Graph the best choice to build trust and spare you from violations, fines, and headaches.
© 2024 Strike Graph, Inc. All Rights Reserved • Privacy Policy • Terms of Service