Ultimate Governance, Risk & Compliance (GRC) Guides
HIPAA compliance is the process of ensuring that all covered health care entities, including health plans, health care clearinghouses, and their business associates, meet the standards set forth in the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was enacted in 1996 to protect the privacy and security of health information and to ensure that this protection is maintained over time.

The HIPAA Security Rule is the primary regulation governing the security of health information. It requires organizations to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of health information. Administrative safeguards are the policies and procedures that govern how health information is managed, including how it is collected, used, and disclosed. Physical safeguards are physical measures, such as locks and restricted access, that control physical access to health information. Technical safeguards are technical measures, such as encryption and authentication, that control electronic access to health information.

The HIPAA Breach Notification Rule requires organizations to notify affected individuals and the Department of Health and Human Services (HHS) when there is a breach of unsecured protected health information (PHI). Unsecured PHI is health information that has not been secured through encryption or other protective technologies. Notification must be provided without unreasonable delay, and no later than 60 days after the breach is discovered.

The HIPAA Privacy Rule sets the standards for the use and disclosure of PHI. It requires organizations to obtain an individual's written authorization before using or disclosing PHI for any purpose other than treatment, payment, or health care operations. It also requires organizations to give individuals access to their PHI upon request.

Organizations must also comply with the HIPAA Omnibus Rule, which requires them to enter into business associate agreements with third-party vendors that have access to PHI. A business associate agreement must include provisions requiring the vendor to comply with the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the HIPAA Privacy Rule.

HIPAA compliance is an ongoing process. Organizations must continually assess their compliance with the Security Rule, the Breach Notification Rule, the Privacy Rule, and the Omnibus Rule; review and update their policies and procedures; and train their staff on best practices for handling PHI. Failure to comply with HIPAA can result in significant penalties: organizations can be fined up to $1.5 million per violation, and individuals can be fined up to $250,000 per violation. Organizations must ensure they comply with all HIPAA regulations to avoid these costly penalties.