HIPAA Compliance, Fines, and Requirements Explained

HIPAA is a US law enacted to prevent healthcare data breaches and protect patient information, and HIPAA compliance means meeting the requirements it sets out.
Throughout this article, we will give a comprehensive overview of HIPAA compliance, who it applies to, and how secure services like Internxt cloud storage can help the medical industry protect sensitive information with its secure product suite.
Table of contents
- What is HIPAA compliance?
- What industries does HIPAA apply to?
- What are the requirements for HIPAA compliance?
- Security requirements to meet HIPAA compliance
- Recent HIPAA updates
- How to gain HIPAA compliance
- Penalties for noncompliance
- Frequently asked questions
What is HIPAA compliance?
HIPAA, or the Health Insurance Portability and Accountability Act, is a US legal act of laws and regulations to protect sensitive patient information.
HIPAA was passed in 1996 by the U.S. Congress and signed into law by Bill Clinton, and had two main goals:
- To help people keep their health insurance when they change or lose their jobs.
- To combat fraud, waste, and abuse in health insurance and healthcare delivery.
Since then, HIPAA has gone through many changes, specifically with the HIPAA Privacy Rule in 2003, which addressed concerns about the security and privacy of Electronic Health Records as healthcare became more digitized.
Now, HIPAA is designed to:
- Protect patients’ health information.
- Ensure healthcare bodies follow the necessary standards when handling digital health data.
- Let patients access their medical records, request corrections, and control how their information is used and shared with others.
Despite the introduction of HIPAA, healthcare data breaches remain a common problem for the industry, costing it millions each year. According to IBM, the average cost of a data breach in healthcare has been:
| Year | Average Cost per Breach | Year-over-Year Change | Source |
|---|---|---|---|
| 2020 | $7.13 million | — | IBM 2020 Report |
| 2021 | $9.23 million | +29% | IBM 2021 Report |
| 2022 | $10.10 million | +9.4% | IBM 2022 Report |
| 2023 | $10.93 million | +8.2% | IBM 2023 Report |
These figures show why doctors and other health workers must follow HIPAA and use secure, privacy-focused services to protect sensitive information in the healthcare industry.
What industries does HIPAA apply to?
HIPAA applies to organizations that handle protected health information (PHI); to be compliant, they must have the necessary physical, network, and process security controls in place.
It covers entities that provide treatment, payment, or healthcare operations, and extends to any business associates or subcontractors that access patient information while supporting treatment, payment, or operations.
Business associates trusted to handle protected health information (PHI) on a company's behalf include:
- Cloud storage providers
- Billing companies
- IT contractors
- Legal or accounting firms that access PHI
These companies must also sign a Business Associate Agreement (BAA) committing them to comply with HIPAA rules.
What are the requirements for HIPAA compliance?
HIPAA compliance laws, particularly those concerning privacy, are governed by the HIPAA Privacy Rule and are codified at 45 CFR Part 164, Subpart E. This section sets the standards for protecting patients’ medical records and personal health information.
Next, we will look at the key requirements, with quotes from official regulations.
Use and disclosure of protected health information (PHI)
Covered entities may use or disclose PHI without individual authorization only for treatment, payment, and healthcare operations, since these are necessary to run healthcare services:
“A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.”

However, for uses and disclosures not related to the above, patient authorization is required as shown below:
“Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section.”
Minimum necessary standard
The minimum necessary standard requires that:
“A covered entity must develop and implement policies and procedures that reasonably limit uses and disclosures of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.”
Individual rights
Individuals have specific rights regarding their PHI, as HIPAA states:
“An individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set.”
“An individual has the right to have a covered entity amend protected health information or a record about the individual.”
“An individual has a right to receive an accounting of disclosures of protected health information.”
These provisions give individuals transparency over and control of their data, and keep organizations accountable for how they handle it.
Notice of privacy practices
Covered entities must provide individuals with a notice outlining their privacy practices:
“A covered entity must provide a notice that describes the ways in which the covered entity may use and disclose protected health information.”
Additionally, they must train their workforce on these policies and procedures:
“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information.”
Security requirements to meet HIPAA compliance
The following sections cover the technical security requirements organizations must meet for HIPAA compliance.

Access control
Covered entities must restrict ePHI access to authorized users only:
“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.”
Organizations meet this requirement through user identification, multi-factor authentication, and zero-trust policies, so that only people with the proper credentials can access sensitive patient information.
Audit controls
Systems must be able to track activity related to ePHI:
“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
With these records, staff can monitor for suspicious or unauthorized access and support data breach investigations.
Maintain data integrity
Covered entities must protect ePHI from unauthorized alteration or destruction:
“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”
By maintaining data integrity, medical professionals can ensure that patient records remain accurate and trustworthy.
Transmission security
Covered entities must also secure ePHI during transmission to prevent data leaks, ransomware, phishing, or other cyberattacks:
“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
“Implement a mechanism to encrypt and decrypt electronic protected health information.”
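The access control, audit control, and data integrity requirements above can be illustrated in code. The following is an added example, not code from the original article or from Internxt: a small Python access gateway that returns only the record fields a role is permitted to see (access control and the minimum necessary standard), records every access attempt, including denied fields, in an append-only audit log (audit controls), and hash-chains the log entries so that any later alteration or deletion of an entry is detectable (data integrity). The role names, permission names and patient record are constructed placeholders; the hash-chained log is one technique chosen for this example, not a specific mechanism the regulation prescribes. Transmission security is not shown, since it is handled at the transport layer rather than in application code.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed role-to-permission map illustrating the "minimum necessary" standard.
# The roles and permission names are assumptions for this example, not HIPAA terms.
ROLE_PERMISSIONS = {
    "physician": {"read_clinical", "write_clinical"},
    "billing_clerk": {"read_billing"},
}

# Constructed sample designated record set: field -> (required permission, value).
# Values are invented placeholders, not real patient data.
PATIENT_RECORDS = {
    "P-0001": {
        "diagnosis": ("read_clinical", "placeholder-diagnosis"),
        "medications": ("read_clinical", "placeholder-medication-list"),
        "insurance_id": ("read_billing", "INS-PLACEHOLDER"),
    }
}

GENESIS_HASH = "0" * 64


def _digest(prev_hash: str, entry: dict) -> str:
    """Hash an entry together with the previous entry's hash so the log forms a chain."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    """Append-only record of ePHI access attempts (audit controls), hash-chained
    so that editing or deleting an earlier entry is detectable (data integrity)."""

    def __init__(self):
        self.entries = []

    def record(self, actor, role, patient_id, requested, granted, denied):
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "patient_id": patient_id,
            "requested": sorted(requested),
            "granted": sorted(granted),
            "denied": sorted(denied),
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry["hash"] = _digest(prev, entry)  # hash covers all fields above plus prev hash
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first entry whose chain hash or sequence number
        does not match, or -1 if the whole log is intact."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or _digest(prev, body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


def access_phi(log, actor, role, patient_id, fields):
    """Return only the requested fields this role may see, and log the attempt
    (granted and denied fields alike) so reviewers can examine the activity."""
    perms = ROLE_PERMISSIONS.get(role, set())
    record = PATIENT_RECORDS.get(patient_id, {})
    granted, denied = {}, []
    for field in fields:
        if field not in record:
            denied.append(field)
            continue
        needed, value = record[field]
        if needed in perms:
            granted[field] = value
        else:
            denied.append(field)
    log.record(actor, role, patient_id, list(fields), list(granted), denied)
    return granted


if __name__ == "__main__":
    log = AuditLog()
    print(access_phi(log, "dr.alice", "physician", "P-0001", ["diagnosis", "insurance_id"]))
    print(access_phi(log, "eve", "visitor", "P-0001", ["diagnosis"]))
    print("log intact:", log.verify() == -1)
    log.entries[0]["actor"] = "mallory"  # simulate after-the-fact tampering
    print("first bad entry:", log.verify())
```

The gateway never hands back a field the caller's role is not entitled to, and every refusal is itself evidence in the log, which is what a breach investigation needs. Because each entry's hash includes the previous hash and the sequence number, rewriting an old entry or removing one from the middle breaks verification from that point on; in practice the chain head would be copied to a separate system so that replacing the whole log is also detectable.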
Recent HIPAA updates
Since its inception in 1996, HIPAA has adapted to meet the growing needs and integration of technology. Over the past few years, there have been changes and requests to update HIPAA laws to protect patient data.
- Between November 2022 and April 2024, updates were made to protect records related to substance abuse disorder (SUD). Separating these records simplifies HIPAA compliance by allowing a patient to consent to the use and disclosure of SUD records under HIPAA rules.
- In 2019, the Office for Civil Rights (OCR) updated how HIPAA penalties are enforced after reinterpreting the HITECH Act.
- In December 2022, the Centers for Medicare & Medicaid Services (CMS) proposed updates to improve the handling of healthcare attachment transactions. It proposed new transaction codes and digital signatures so attachments can be sent securely and electronically.
As technology develops, it’s important that your company stays up to date with compliance laws and takes measures to ensure it adheres to new regulations to maintain future HIPAA compliance and reduce the risk of data breaches.
How to gain HIPAA compliance
Keeping up to date with new compliance laws is essential, but the following measures are also needed to meet HIPAA compliance.

Keep security protocols updated
The nature of cybersecurity and the growing threats to medical data mean healthcare organizations must implement the best and most up-to-date security protocols. These include measures to continually monitor access to sensitive data to prevent data leaks.
Encryption is also a crucial aspect of security protocols, especially when sending emails and storing or sharing files in the cloud. The best and most advanced encryption currently available is zero-knowledge and post-quantum cryptography, which Internxt Drive uses in its cloud storage, ensuring medical and patient data is protected against the future threat of quantum computers.
Regularly train employees
Human error, unfortunately, plays a major part in data leaks because of how advanced phishing emails and other cyberattacks have become.
To avoid this, employees should be trained on what HIPAA requires of them to protect patient data and how to prevent cyberattacks, such as phishing, at least every three to six months.
Limit access to PHI
Limit access to sensitive information by implementing access controls for all data, departments, and personnel to prevent patient information from being shared with unnecessary parties.
The best way to do so is by using a zero-trust approach in the workplace, which requires verification every time data or files are accessed by a person, regardless of whether the request comes from inside or outside the organization.
Dispose of patient information properly
Healthcare organizations must establish and follow policies to properly dispose of electronic and physical records, ensuring that once they are disposed of, PHI cannot be reconstructed or retrieved by threat actors.
Penalties for noncompliance
Penalties for not complying with HIPAA are broken down into four tiers and can reach a maximum of over $2 million. The first three tiers were lowered in 2019, but the final tier, for willful neglect, remained the same.
- Tier 1 (no knowledge of violation): $137,785
- Tier 2 (reasonable cause): $1,379,768
- Tier 3 (willful neglect): $1,379,768
- Tier 4 (willful neglect): $2,068,540
Depending on the severity of the breach, companies can receive multiple fines. In 2016, Anthem, one of the largest health benefits companies, was fined $16 million for not taking the necessary measures to prevent hackers, failing to conduct a risk analysis, and not having procedures to review system activity.
Protect healthcare data with Internxt
Internxt offers secure, zero-knowledge cloud storage to store healthcare data securely with Internxt Drive for Business, and Internxt S3 for large-scale data.
Internxt S3 is a GDPR-compliant cloud storage solution for storing and accessing data securely. It also backs up data to ensure increased redundancy and protection against accidental data loss, ensuring patient and medical files are always accessible.
As it is a 100% hot cloud storage solution, patient data can be retrieved and accessed instantly, so there's no interruption to your department's workflow.

Internxt S3 is an alternative to AWS, Azure, and Google Cloud. Because there are no egress fees, it is up to 80% cheaper than its competitors.
Get started with Internxt object storage at a cost of just €7/TB/month, and pay only for the storage you use, so you can scale and upgrade your storage whenever you need, with no additional fees for data transfer.
Visit our website for more information and to get in touch with a member of our team to talk about how Internxt can help you with your secure storage needs.
Frequently asked questions
What are HIPAA compliance rules?
HIPAA compliance rules cover three areas: privacy rules, which give patients control over how their data is handled; security rules, which set the measures used to protect that data; and breach notification rules, which govern how the impact and scope of a breach are reported.
What are the most common HIPAA compliance violations?
- Lack of employee training on HIPAA compliance.
- Database breaches of ePHI.
- Sharing PHI between coworkers.
- Loss of a laptop or mobile device containing unencrypted ePHI.
- Improperly disposing of ePHI in ways that make it accessible to unauthorized users.
What does HIPAA not cover?
HIPAA applies to PHI and ePHI in the United States only; any other information, such as employee records, is not covered. However, if an entity provides medical care to individuals, it would be subject to HIPAA.