Protecting Your Medical Data Privacy: A Guide to HIPAA Compliance

As a healthcare organization, your company must be able to protect the medical data privacy of your clients, especially since this is regulated under HIPAA and every healthcare organization must comply with it.


The Importance of HIPAA Compliance

HIPAA covers patients' data privacy, the security measures that protect patient data, and the requirements that healthcare organizations must fulfill when a breach is carried out by malicious parties.

So, the main focus of this regulation is protecting patients' data privacy. HIPAA already breaks down many critical parts into comprehensive standards, such as the encryption standards that must be used to protect patients' data, physical security standards, and the standard procedures for storing, transmitting and documenting patients' data.

Who Needs to Follow the HIPAA Regulations?

A number of organizations need to comply with HIPAA and make sure that patients' sensitive health data is secured and not disclosed to unauthorized entities or individuals.

The HIPAA regulation also makes sure that patients' medical data is used only for its intended purpose and not for any other purpose. Here are the business types that need to comply with HIPAA:

  • Companies in the health insurance business
  • Healthcare clearinghouses
  • Healthcare providers such as hospitals, dentists, doctors, etc.
  • Business associates of covered entities, for example companies hired to store documents, companies hired to do billing, and many others
  • Public health authorities
  • Universities and schools
  • Pharmacies
  • Companies that provide long-term care facilities
  • Research institutions
  • Employers


Why Is It Necessary for a Company to Comply With HIPAA?

It is necessary for a company to comply with HIPAA to make sure that patients' healthcare information is confidential and secure. HIPAA is a federal law, so related organizations, for example healthcare companies, must maintain patient data security and privacy as required by the regulation.

Complying with HIPAA also helps protect various kinds of sensitive data, for example patients' insurance information, medical records, and other identifiable information related to the patients.

If your company does not comply with the regulation, you can face serious consequences. The US HHS Office for Civil Rights (OCR) will issue sanctions against your company, which may include penalties, fines, civil money penalties, corrective action plans, and more. Furthermore, in some cases your company can face criminal charges.

The penalties your company faces can be very high, ranging from hundreds of dollars to millions of dollars per violation. This means the penalties can build up into a huge amount that damages your company's finances and reputation.

The reason these penalties are so large is that when patients' sensitive data is stolen, their medical data privacy is violated. The stolen data can then be used for financial fraud or identity theft, which may lead to unauthorized use of benefits or financial loss. Furthermore, a patient's medical data can be used to target the patients themselves for harassment or blackmail.

Who Does HIPAA Compliance Apply to?

HIPAA compliance applies to every individual or organization that maintains, receives, transmits or creates ePHI (electronic protected health information). This includes healthcare providers such as hospitals, insurance companies, doctors, health plans and many other companies that work in the healthcare industry.

Furthermore, the regulation also applies to a company's business associates, such as IT providers, transcriptionists, billing companies, and other related associates. All in all, any entity that maintains, receives, transmits or creates ePHI must follow the HIPAA compliance regulations.

However, not every company working in close relation with the healthcare industry is required to comply with HIPAA: those that do not maintain, receive, transmit or create ePHI, such as the restaurants and retailers located in healthcare facilities, are not.

But some organizations that are not directly involved in the industry may also be subject to the HIPAA regulation. For example, a cloud storage provider that is used to store healthcare information must comply with HIPAA.

HIPAA Compliance Main Rules That All Companies Must Follow

Privacy Rule

This rule establishes national standards for patients' medical data privacy and rights. It also sets the framework that defines ePHI, the methods used to protect it, the ways it can and cannot be used, and the methods that can be used to store and transmit it. There are also additional medical data privacy rules for paperwork, as well as the waivers required from parties that handle ePHI.

According to this rule, ePHI, defined as the identifiable medical data of patients, must be protected by all covered entities and all business associates. Protected health information also includes:

  • Future, present and past documentation of the patient's mental and physical condition.
  • Records of the patient's care.
  • Records that reference future, present or past payment for healthcare.

The rule also regulates the specific scenarios in which a company is allowed to disclose a patient's medical data, which involve very specific research, legal, or care situations.

Security Rule

After the previous rule has defined ePHI and privacy, this next rule is used to protect medical data privacy. It establishes national standards for the methods and mechanisms required to protect ePHI.

These mechanisms extend across all operations of the medical company, including administration, technology, and physical safeguards for devices and computers or anything else that can have an impact on the safety of ePHI.

This rule is further divided into three safeguard groups:

  • Administrative safeguards
    This group regulates the policies and procedures that affect ePHI, including system design, technologies, maintenance and risk management related to the other security methods. It also covers various aspects of administration in the healthcare industry, such as employee training and human resources.
  • Physical safeguards
    This group regulates physical security and access to physical equipment, including data storage, switches, routers, and computers. The medical company is required to secure its premises and allow only authorized individuals to access the stored data. Furthermore, the medical company should also make sure that devices and media related to ePHI are disposed of securely.
  • Technical safeguards
    This group regulates the cybersecurity technology aspects, such as device security, network security, encryption, mobile devices and computers, and anything else related to the technology used to communicate and store ePHI.

The company is required to implement integrity controls, audit controls, verification controls and other measures that can be used to safeguard ePHI.

Breach Notification Rule

This rule regulates what needs to be done when a security breach happens. It is necessary since it is impossible to protect the data with 100% effectiveness at all times. Thus, the company needs to prepare plans that can be used to notify the victims of the breach and the public about what happened, as well as the company's next steps.

Omnibus Rule

This rule expands the reach of the HIPAA regulation to a wider range of organizations outside the medical industry. Through this rule, HIPAA compliance is now required not only of medical industry companies but also of their business contractors and associates.

This means medical industry companies are also responsible for any violation potentially committed by their business contractors and associates, so they need to update their risk assessments, compliance procedures and gap analyses accordingly.

How to Fulfill HIPAA Compliance Requirements

There are a few things your company can do to comply with HIPAA and follow all of its requirements, such as:

  • Creating a HIPAA privacy and security compliance plan to protect patients' medical data privacy.
  • Creating the procedures and policies that will be used to protect and handle PHI securely.
  • Implementing the technical, administrative and physical safeguards needed to protect PHI.
  • Training employees on the HIPAA protocols and the best practices they need to follow to carry out those protocols as standard.
  • Having employees sign HIPAA acknowledgments and confirm that they actually understand their obligations and responsibilities.
  • Making sure that all business contractors, associates and vendors have signed a BAA and that they also comply with HIPAA requirements.
  • Implementing procedures to regularly audit, review and update HIPAA compliance.
  • Documenting and recording all PHI privacy and security measures.
  • Creating an incident response plan to be used in the event of data loss or a breach.
  • Monitoring PHI security regularly to make sure that it stays compliant with HIPAA requirements.

Medical data privacy is very important to every individual, so it is the healthcare company's duty to protect and secure it by complying with HIPAA. That is why it is important for your company to follow the HIPAA compliance regulations closely to make sure that the data is secured.
