HIPAA for Healthcare

About HIPAA

HIPAA is a US federal law that establishes national standards for protecting sensitive patient health information. It applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates who handle protected health information (PHI).

Governing Body: US Department of Health and Human Services (HHS)

Who Must Comply

• • Healthcare providers
• • Health plans
• • Healthcare clearinghouses
• • Business associates handling PHI

Key Requirements

• • Implement administrative, physical, and technical safeguards
• • Conduct regular risk assessments
• • Maintain audit controls and access logs
• • Encrypt PHI in transit and at rest
• • Train workforce on privacy and security
• • Report breaches within 60 days
• • Execute Business Associate Agreements (BAAs)
• • Implement minimum necessary access controls

Healthcare-Specific Requirements

• • Implement electronic health record (EHR) access controls
• • Secure patient portals with MFA
• • Encrypt all devices containing PHI
• • Maintain 6-year retention of HIPAA documentation
• • Conduct annual security risk assessments
• • Train staff on PHI handling within 30 days of hire

Common Violations in Healthcare

• • Unauthorized access to patient records by employees
• • Lost or stolen unencrypted laptops with PHI
• • Improper disposal of paper records containing PHI
• • Lack of business associate agreements with vendors
• • Insufficient access controls on EHR systems
• • Failure to conduct risk assessments

Penalties

Fines range from $100 to $50,000 per violation, up to $1.5 million per year per violation category. Criminal penalties include up to 10 years imprisonment for wrongful disclosure.