

Education
Our Security Risk Analysis includes a thorough review of the Administrative, Physical, and Technical Safeguards you have in place to protect Electronic Protected Health Information (ePHI).
What is HIPAA Compliance?
HIPAA compliance is a federal legal requirement designed to protect patient health information. It applies to healthcare providers, health plans, and business associates that create, access, store, or transmit protected health information (PHI).
Compliance is not a single task. It is an ongoing program consisting of administrative, physical, and technical safeguards supported by documentation and training.

HIPAA applies to two types of organizations:
Covered Entities
These include:
- Medical practices
- Dental practices
- Hospitals
- Clinics
- Psychologists
- Chiropractors
- Pharmacies
- Health plans
Business Associates (and Subcontractors of Business Associates)
These include any vendors that access PHI, such as:
- Electronic health record (EHR) software
- Medical billing companies
- IT providers
- Cloud storage vendors
- Practice management (PM) software providers
- Consultants
- Collection agencies
If your organization accesses PHI in any form, HIPAA applies.
HIPAA (Health Insurance Portability and Accountability Act) was signed into law in 1996 to improve the portability of health insurance when people were changing jobs. The accountability portion of the law was designed to combat waste, fraud, and abuse in health insurance and the delivery of health care.
What Information Does HIPAA Protect?
HIPAA protects Protected Health Information (PHI), which includes any information that identifies a patient and relates to their treatment, payment, or health information.
Examples include:
- Patient names
- Dates of birth
- Medical records
- Insurance information
- Email addresses linked to care
- Phone numbers
- Social Security numbers
- Medical record numbers
- Account numbers
- Certificate or license numbers
- Internet Protocol (IP) address numbers
- Web Uniform Resource Locators (URLs)
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Social media accounts
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data.
Electronic PHI (ePHI) requires additional safeguards.
The Privacy Rule
This Rule was designed to improve the efficiency and effectiveness of the health care system and included “Administrative Simplification” provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
The Privacy Rule explained how PHI may be disclosed and required that authorizations be obtained from patients before their personal information is disclosed.
Keep in mind, the Rule does not replace State or other laws that grant individuals even greater privacy protections.
The Security Rule
This Rule was created to address the protection of electronic patient data. It requires covered entities and business associates to implement Administrative, Physical, and Technical safeguards to protect the availability, integrity, and confidentiality of electronic protected health information (ePHI).
The Enforcement Rule
The Enforcement Rule was enacted due to the failure of many covered entities to fully comply with the HIPAA Privacy and Security Rules. The Enforcement Rule gave the Department of Health and Human Services (HHS) the power to investigate complaints against covered entities for failing to comply with the Privacy Rule, and to fine covered entities for breaches of ePHI caused by not following the safeguards outlined in the Security Rule.
The Office for Civil Rights was also given the power to bring criminal charges against offenders who fail to introduce corrective measures within 30 days.
The HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA), was signed into law to promote the adoption and meaningful use of health information technology. The HITECH Act addressed the privacy and security concerns associated with the electronic transmission of health information and strengthened the civil and criminal enforcement of the HIPAA rules. The HITECH Act was also known as the “Interim Final Rule”.
The Omnibus Rule
This Rule marked the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. The Omnibus Rule was known as the “Final Rule”. This rule has been a game changer, since the Office for Civil Rights (OCR) could now hold Business Associates and Subcontractors of Business Associates liable for data breaches. It also gave patients more rights over their information. It streamlined the ability for patients to authorize the use of their health information for research purposes and made it easier for parents and others to give permission to share proof of a child’s immunization with a school. This rule is based on statutory changes under the HITECH Act, including the Genetic Information Nondiscrimination Act (GINA), which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The 21st Century Cures Act
This Rule was the next big change for HIPAA. The Cures Act's major goal is to empower Americans to have access to their health data, delivered to the computers, cell phones, and mobile applications of their choice.
Nationwide, patient-centered health IT can deliver a variety of benefits to patients. Here are some of the prospective goals:
- Transparency into the cost and outcomes of patient care
- Competitive options in getting medical care
- Modern smartphone apps to provide convenient access to their records
Under HIPAA, patients already have a legal right to receive their data electronically. The ONC Cures Act Final Rule is one step in this process, enhancing access to clinical data. With new rules and penalties for information blocking, this affects more than just covered entities.
Information Blocking is also one of the major issues when it comes to exchanging and accessing patient data. Using the term Electronic Health Information (EHI), the rule applies to developers of certified health information technology (health IT), entities offering certified health IT, health information exchanges, and health information networks that are responsible for the exchange of or access to data; organizations that refuse to share patient data upon request can face fines of up to $1M per incident. One of the requirements is the immediate release of health information. In other words, when this information is available to the medical provider (lab, imaging, notes, etc.), it must be made available to the patient.
HIPAA is no longer easy to understand or follow without proper Education and Support.

Aris protects their clients through Partnership, Education, and Support.
