Strong passwords for HIPAA compliance

  • Ensure the safe handling of sensitive health information

HIPAA compliance explained

Patients’ health data is a sensitive and private matter, so it requires especially careful handling. But luckily, there are legal measures to ensure its safety. Learn below about HIPAA compliance and how it can help your company to ensure health data protection.

What is HIPAA compliance?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is the US law governing the security of medical data. HIPAA compliance ensures that healthcare companies and organizations protect patients’ private data, known as protected health information (PHI), from privacy violations, internal mishandling, and data leaks.

PHI includes all personal data that could identify a patient or other client of such an institution, ranging from phone numbers to actual medical records. HIPAA compliance therefore means that an organization must protect this information by handling it securely and putting in place all required safeguards. Failure to do so may result in severe legal penalties.

Who needs HIPAA compliance?

HIPAA compliance applies to two types of organizations: covered entities and their business associates. Covered entities are organizations that work directly with PHI, for example, healthcare and health insurance providers. Business associates are companies that provide services to covered entities: app developers, IT infrastructure providers, third-party contractors, security companies, caterers, and so on. Any business that deals with a covered entity and its PHI can be a business associate.

For example, an IT company that develops a file manager that hospitals use to access PHI must be HIPAA-compliant. Otherwise, any hospital using that app would risk violating the HIPAA rules. Any app that handles PHI must follow HIPAA and provide the necessary encryption and other safeguards.

HIPAA compliance checklist

HIPAA compliance requirements fall into two categories: required and addressable. Required provisions must be strictly followed by all organizations. Addressable provisions allow some flexibility in how they are applied, and some may not apply to a given entity at all. The required HIPAA regulations are:

  1. Implementing access controls. Each user must have their own separate, protected access credentials;

  2. Introducing activity logs and audit controls. The organization must track how the data is used and keep activity logs;

  3. Policies for the use/positioning of workstations. An organization must monitor workstations carefully and restrict access to them;

  4. Policies and procedures for mobile devices. An organization must have a plan on how to remove PHI from mobile devices if employees no longer use them;

  5. Conducting risk assessments. The organization must identify risks and vulnerable areas in PHI handling;

  6. Introducing a risk management policy. An organization must have policies and measures in place to mitigate those risks;

  7. Developing a contingency plan. A covered entity must be able to protect PHI and keep operating in an emergency;

  8. Restricting third-party access. Unauthorized third parties should not access the data.

HIPAA violations and data breaches

HIPAA violations result from failing to comply with the above requirements. For example, someone might lose a device, gain unauthorized access, accidentally install malware, and so on.

A healthcare institution that suffers a significant breach affecting more than 500 individuals should report it within 60 days. Minor breaches (affecting fewer than 500 individuals) can be reported once a year. In addition, the entity must notify each affected patient individually.

If a breach was caused by force majeure factors beyond the company’s control, it does not necessarily count as a violation. Failing to report the incident, however, certainly does.

HIPAA Privacy and Security Rules

The HIPAA Privacy Rule safeguards patients’ privacy and their right to access their PHI. It governs the safeguards that ensure privacy and also sets the conditions under which an organization may disclose data without the patient’s consent.

Patients can also obtain their PHI and request corrections if needed. An organization must respond to a patient’s request for data within 30 days. If it wants to use someone’s data for marketing, fundraising, or research, the patient must give written consent.

How to safeguard private medical data

Here are a few online security tips on how to handle patients’ private data:

  • Use a VPN to encrypt your organization’s traffic. This is especially important while data is in transit, when snoopers could try to intercept it;

  • Encrypt PHI files so that they remain inaccessible in case of a breach;

  • Implement automatic log-off in case a user leaves a device unattended;

  • Set up regular security training for your employees;

  • Always back up your data;

  • Use secure messaging apps with end-to-end encryption and perfect forward secrecy;

  • Always update your company’s security software;

  • Make sure your employees take precautions to avoid malware. They should delete apps they don’t recognize, never download from suspicious websites, and never open suspicious links, attachments, or messages;

  • When in doubt, always make sure you and your employees are sharing the data with the right person by double-checking via another means of communication;

  • Use secure and encrypted email services;

  • Use secure software that complies with HIPAA rules;

  • Always make sure you use strong passwords to access your organization’s accounts and databases.

We advise you to use a password manager to remember complex passwords for you. Try our safe and easy-to-use NordPass. It encrypts all your passwords and stores them in a secure vault so that only authorized employees can access them.