Cyber Defense Magazine – July 2019


Stay One Step Ahead of HIPAA Compliance


by Azam Qureshi Founder & CTO, IntraDyn, Inc.


HIPAA compliance is a challenge — ask anyone in the health care industry and they’ll likely tell you the same. Health-related organizations at every level, from small private practices to hospitals, struggle to stay within the scope of HIPAA compliance, in large part due to the fact that HIPAA is so broad.

For a bit of context, let’s take a look at how HIPAA is defined. Passed in 1996, the Health Insurance Portability and Accountability Act (more commonly known as HIPAA) “establishes, for the first time, a set of national standards for the protection of certain health information [...] The Privacy Rule standards address the use and disclosure of individuals’ health information — called ‘protected health information’ by organizations subject to the Privacy Rule — called ‘covered entities,’ as well as standards for individuals’ privacy rights to understand and control how their health information is used.” The U.S. Department of Health & Human Services (HHS) defines Protected Health Information (PHI) as “any individually identifiable health information held or transmitted by a covered entity or its business associates.”


In summary, HIPAA exists to protect patients’ private data against fraud and theft and dictates how that data can be distributed. If it seems relatively straightforward, that’s because it is — until you factor in how HIPAA is enforced. HIPAA applies to PHI that’s transmitted electronically and “covers a large range of data transfer protocols, from handling face-to-face interactions to transferring and backing up data.” Because the channels through which we communicate have expanded to include digital platforms, such as social media, text messaging and email, it’s easy to see why it’s so challenging for organizations to maintain HIPAA compliance. In fact, many health care organizations that think they’re HIPAA compliant (or at least claim to be) actually are not.


That’s troubling for a few reasons: First and foremost, it leaves health care records (and patients’ private information) vulnerable to data breaches. Between 2009 and 2019 there have been 2,546 significant health care data breaches (those involving more than 500 records), resulting in the theft or exposure of 189,945,874 health care records. Also, health care organizations deemed non-compliant face harsh penalties. Fines for HIPAA violations can range anywhere from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year — and that’s on top of potential civil and criminal penalties.
