Everything You Need to Know About HIPAA [A Guide]


The healthcare industry deals with some of the most sensitive data in the world. Healthcare data often contains incredibly revealing details about patients, from medical diagnoses to treatment plans to photographs. That’s where the Health Insurance Portability and Accountability Act of 1996 (HIPAA) comes in. HIPAA protects patients’ sensitive health information from disclosure in the absence of their knowledge or consent.

While HIPAA puts many patients’ minds at ease, it can be a major headache for healthcare organizations and other HIPAA-covered entities that must rigorously comply with the law or risk investigations, hearings, and even fines.

If your organization is subject to HIPAA, you may have lots of questions. Fortunately, we have answers. In this post, we’ll take a closer look at what HIPAA is and why it exists. We’ll then break down the five HIPAA rules and explain how technology can help organizations comply with HIPAA more efficiently.

Let’s get started.


What is HIPAA?
What is the main purpose of HIPAA?
Who must comply with HIPAA?
What are the HIPAA rules?
What is a HIPAA risk assessment?
Which communication and collaboration tools are HIPAA compliant?
How do you comply with HIPAA Encryption Standards?
How can modern technology help you comply with HIPAA?
You can achieve HIPAA compliance with ease

What is HIPAA?

HIPAA is a federal law that sets a nationwide standard for protecting patients’ and health plan members’ sensitive health information from disclosure in the absence of their knowledge or consent.

HIPAA is best known for requiring healthcare organizations to protect patient privacy and shield patients’ data from healthcare fraud. But HIPAA contains other types of healthcare-related mandates as well, such as ensuring health insurance coverage for employees who are between jobs.

What is the main purpose of HIPAA?

The main purpose of HIPAA is to protect patient privacy by ensuring that healthcare organizations keep health information secure and notify patients of data breaches that may affect them. But that’s not all HIPAA does. The law was also intended to make the healthcare industry more efficient by standardizing care and to make health insurance more portable so that people can keep healthcare coverage when they change jobs.

Let’s take a look at the types of organizations that must comply with HIPAA.

Who must comply with HIPAA?

Organizations that qualify as “covered entities” must comply with HIPAA. Covered entities fall into three main categories:

  • Health plans, for example:
    • health insurance companies,
    • health maintenance organizations (HMOs),
    • Medicare,
    • Medicaid, and
    • other government healthcare programs.

  • Healthcare providers, namely providers that use electronic billing and other electronic means of conducting business, such as:
    • doctors,
    • health clinics,
    • hospitals,
    • mental health practitioners,
    • assisted living facilities,
    • pharmacies,
    • dentists, and
    • chiropractors.

  • Business associates that work with covered entities, including:
    • billing companies,
    • healthcare claims processing companies,
    • health plan administrators,
    • lawyers,
    • accountants,
    • information technology (IT) teams,
    • records storage companies,
    • records destruction companies, and
    • healthcare clearinghouses (organizations that process health information from standard formats to non-standard formats and vice versa).

With this list of covered entities in mind, let’s explore the main HIPAA rules.

What are the HIPAA rules?

The HIPAA rules are administrative regulations that the U.S. Department of Health and Human Services (HHS) implemented to simplify its administration of the law. The five rules are the Privacy Rule, the Security Rule, the Transactions and Code Sets Rule, the Unique Identifiers Rule, and the Enforcement Rule.

We will discuss each rule in turn below.

1. The Privacy Rule

The Privacy Rule sets forth HIPAA’s main requirements for using and disclosing protected health information (PHI). PHI is health information combined with individually identifying information that is created, used, or stored by a covered entity.

Generally speaking, the Privacy Rule gives individuals rights regarding their PHI and requires covered entities to obtain the patient’s prior written authorization before disclosing their PHI. But covered entities may also disclose PHI:

  • to law enforcement in response to a court order, warrant, subpoena, or administrative request; or
  • to arrange for treatment, payment, or other healthcare operations.

The HIPAA Minimum Necessary Rule Standard

The HIPAA minimum necessary standard applies to using and disclosing PHI permitted under the HIPAA Privacy Rule. The “Minimum Necessary Rule” requires covered entities to make a reasonable effort to share the least amount of information necessary to accomplish a given purpose. This rule applies to any use or disclosure of PHI under the Privacy Rule, including access by a healthcare professional or disclosure to another covered entity.

The Privacy Rule also requires covered entities to keep a “disclosure accounting” that documents disclosures of PHI made for any purpose outside of arranging for treatment, payment, or other healthcare operations unless specifically authorized by the individual. Individuals are entitled to receive a disclosure accounting upon request. In a similar vein, the Breach Notification Rule requires covered entities to notify individuals of any data breach involving unsecured PHI.

Finally, the Privacy Rule requires covered entities to correct inaccurate PHI based on an individual’s request and make a reasonable effort to keep communications with individuals confidential.

What is HIPAA Disclosure Accounting?

HIPAA Disclosure Accounting is the process of keeping records of PHI disclosures for purposes other than Treatment, Healthcare Operations, or Payment.

When required, the information provided to the data subject in a HIPAA disclosure accounting must be more detailed for disclosures involving fewer than 50 subject records.
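The two Privacy Rule mechanics described above, the minimum necessary standard and disclosure accounting, can be modelled in a small ledger. This is an added illustration, not IPRO’s code or any HIPAA-mandated format; the field-to-purpose policy and the sample patient record are constructed assumptions.

```python
"""Illustrative PHI disclosure ledger (added example, not the page's code).

Models two Privacy Rule concepts: the minimum necessary standard (release
only the fields a purpose requires) and disclosure accounting (record every
disclosure outside treatment, payment or healthcare operations unless the
individual authorized it, and report those on request).
"""
from dataclasses import dataclass, field

# Purposes the Privacy Rule treats as routine; excluded from the accounting.
TPO = {"treatment", "payment", "operations"}

# Hypothetical minimum-necessary policy: which PHI fields each purpose may see.
# A real covered entity would derive this from its own documented policies.
MIN_NECESSARY = {
    "treatment": {"name", "dob", "diagnosis", "medications"},
    "payment": {"name", "dob", "procedure_codes"},
    "operations": {"diagnosis", "procedure_codes"},
    "law_enforcement": {"name", "dob"},
    "public_health": {"dob", "diagnosis"},
}

@dataclass
class Disclosure:
    patient_id: str
    when: str            # ISO date of the disclosure
    recipient: str
    purpose: str
    fields: frozenset    # which PHI fields were actually released
    authorized: bool = False  # individual gave prior written authorization

@dataclass
class DisclosureLedger:
    entries: list = field(default_factory=list)

    def disclose(self, record, recipient, purpose, when, authorized=False):
        """Release only the minimum necessary fields and log the event."""
        allowed = MIN_NECESSARY[purpose]  # unknown purpose raises KeyError
        released = {k: v for k, v in record.items() if k in allowed}
        self.entries.append(Disclosure(record["patient_id"], when, recipient,
                                       purpose, frozenset(released), authorized))
        return released

    def accounting(self, patient_id):
        """Disclosures the individual is entitled to see on request:
        everything except TPO disclosures and those they authorized."""
        return [e for e in self.entries
                if e.patient_id == patient_id
                and e.purpose not in TPO and not e.authorized]
```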

2. The Security Rule

The Security Rule protects electronic PHI that falls under the Privacy Rule. The Rule requires covered entities to implement administrative, physical, and technical safeguards to protect electronic PHI.

One of the administrative safeguards set forth in the Security Rule is the requirement that covered entities implement policies and procedures to protect PHI from security violations. This mandate includes the risk analysis requirement, which calls upon covered entities to assess the potential risks to and vulnerabilities of PHI. We will discuss risk assessments in more detail below.

One of the primary technical safeguards that the Security Rule contemplates is encryption. A covered entity must implement encryption measures unless it performs a risk assessment and makes a documented determination that encryption is not reasonable and appropriate and that another safeguard could be just as or more protective. If your organization determines that encryption is necessary, you must encrypt all electronic devices and communications containing PHI, including emails and text messages. Email encryption generally must comply with National Institute of Standards and Technology (NIST) guidelines, whereas personal devices such as cell phones require secure messaging solutions for adequate protection.

3. The Transactions and Code Sets Rule

The Transactions and Code Sets Rule requires health plans to adopt standardized healthcare transaction practices to streamline the transaction process.

4. The Unique Identifiers Rule

The Unique Identifiers Rule requires covered entities to use a 10-digit National Provider Identifier (NPI) when identifying healthcare providers during transactions.

5. The Enforcement Rule

The Enforcement Rule lays out civil fines for noncompliance with HIPAA along with procedures for investigations and hearings. This rule also requires covered entities to take remedial action if HHS determines they have failed to comply with HIPAA provisions.

How do you know if your organization is complying with these rules? Let’s circle back to our discussion of HIPAA risk assessments and take a closer look.

What is a HIPAA risk assessment?

As noted above, a HIPAA risk assessment is an evaluation of a covered entity’s compliance procedures and the potential risks to electronic PHI. A risk assessment typically includes a review of systems, security policies and procedures, and vulnerabilities to viruses and hackers.

Under the Security Rule, a covered entity must update and document security measures on an “as needed” basis. This means that although your organization should analyze risk on an ongoing basis, there is no specified frequency for formal risk assessments. Different types of covered entities need risk assessments at different intervals, ranging from one to three or more years.

To prepare for a HIPAA risk assessment, your organization should implement proper information governance, shore up and enforce its records retention policies, cull data wherever possible, and automate its data access policies. That way, you can enter into the analysis process with your best foot forward and focus on other areas that may need improvement.

Which communication and collaboration tools are HIPAA compliant?

While many communication and collaboration tools can help your healthcare organization run smoothly, not all of them comply with HIPAA. Thankfully, some of the most popular platforms today are HIPAA compliant, provided your organization signs a business associate agreement with the software company first. Below we cover HIPAA compliant software available on the market.

Is Zoom HIPAA compliant?

The web conferencing platform is HIPAA compliant because it meets the required Security Rule measures, such as:

  • Zoom contains authentication measures. On its website, Zoom indicates that it supports two types of authentication: OAuth 2.0, for authenticating in a user context; and JSON Web Tokens (JWT) for authenticating server-to-server apps.
  • Zoom contains access control measures. Access controls govern who or what can view or use resources in a computing environment.
  • Zoom has end-to-end encryption to secure all communications. The end-to-end encryption is necessary to ensure that only the sender and recipient of an electronic message can read the content of that message.

Is Microsoft Office 365 HIPAA compliant?

With a signed BAA (Business Associate Agreement) and when properly used, Microsoft 365 is HIPAA compliant. It is the responsibility of the covered entity to ensure a BAA is signed before Office 365 is used to store and maintain PHI. The Microsoft HIPAA Business Associate Agreement is available within the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA.

Is Microsoft Teams HIPAA compliant?

Microsoft Teams is built on the Microsoft 365 enterprise-grade cloud, which delivers advanced security and compliance capabilities. Office 365 and Teams can be easily configured to support HIPAA security and privacy requirements.

Is Gmail HIPAA compliant?

To make Gmail HIPAA compliant, a covered entity would also need to enter into a business associate agreement with Google covering Gmail. Since Gmail is not HIPAA compliant by default, you need to take certain steps to ensure it is compliant. Hence, once the BAA is in place, the HIPAA compliance box can also be checked. Additionally, you can enable email encryption. An important detail to mention is that the free consumer Gmail service is not HIPAA compliant, as it is only intended for personal use.

In addition to these standard tools, innovative technology can help your organization manage PHI and achieve compliance more efficiently than ever.

How do you comply with HIPAA Encryption Standards?

To ensure that you are compliant with the HIPAA Encryption Standards, you must follow these steps:

  • Enable encryption on all devices that store or have access to PHI;
  • Enable encryption for the transmission of PHI over media such as email and USB flash drives;
  • Develop and maintain proper response and reporting procedures for employees who transmit unencrypted PHI; and
  • Stay informed on the latest federal and state legislation regarding breach notification requirements, including those covering encrypted patient data.

How can modern technology help you comply with HIPAA?

Technology can help your healthcare organization streamline and improve its HIPAA compliance practices. For example, IPRO has a range of Healthcare Solutions specifically designed for healthcare data management. These tools can help your organization:

  • Zero in on vulnerabilities so you can prevent data breaches;
  • Archive documents that must be retained;
  • Protect sensitive information from unauthorized access and data breaches;
  • Cull data from duplicate, unnecessary, and outdated documents and records; and
  • Connect to data in real time and search, review, and analyze that data in place using artificial intelligence (AI) technology.

In addition, our Live EDA software can give your organization valuable insights into its data. Live EDA allows you to navigate live data from a single interface—without collecting it—so you can locate PHI and other sensitive information contained within your organization’s datasets quickly and efficiently.

That way, you can gain control over your organization’s PHI and evaluate sensitive information securely, without risking inadvertent disclosure. By leveraging innovative technology like Live EDA, you can avoid HIPAA violations and potential fines, save your organization’s time and money, and protect its reputation.

You can achieve HIPAA compliance with ease

Operating in the shadow of HIPAA can quickly become overwhelming, especially given the vast amount of data that healthcare organizations now deal with.

That said, by developing an understanding of the HIPAA rules and using innovative technology to simplify your compliance with those rules, your healthcare organization can manage its PHI more effectively and maintain compliance without sacrificing efficiency.

To learn more about IPRO and Live EDA, get in touch with us.