The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, is US legislation
that sets data privacy and security standards for protected health information (PHI).
HIPAA was signed into law by President Bill Clinton in 1996, with the main objective of protecting patient privacy.
Who enforces HIPAA?
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules.
What are the penalties for violating HIPAA?
Violations can result in fines as well as jail time and criminal penalties in certain circumstances.
Fines, or civil money penalties (CMPs), for HIPAA violations are based on a tiered structure
and increase with the number of affected patients and the degree of neglect. The amount of the penalty is at the discretion of HHS OCR.
Does signing a Business Associates Agreement (BAA) make my organization HIPAA compliant?
A Business Associates Agreement (BAA) dictates how a business associate (BA) operates and handles protected health information (PHI). These agreements typically
state how the business associate will maintain compliance and lay out responsibilities for both sides.
Most cloud platforms, including Amazon Web Services (AWS) and Google Cloud Platform (GCP), operate on a
"Shared Responsibility" model, in which the cloud provider and your organization are each responsible for specific safeguards.
Although it is recommended that you sign a BAA with service partners who will be storing PHI,
BAAs do not automatically make your organization compliant. Your organization's internal policies, procedures,
and review of administrative, physical, and technical safeguards are an important responsibility that ultimately helps determine whether your organization is in compliance.
Is there a certification for HIPAA compliance?
Unfortunately, there is no official certification for HIPAA compliance.
Organizations must consistently address and monitor physical, technical, and administrative safeguards to stay in compliance.
Is cloud computing allowed under HIPAA?
Yes. HHS has released guidance on the use of cloud services with PHI. In that guidance,
HHS states that covered entities and business associates may store PHI with cloud services after entering into a Business Associates Agreement (BAA).
HHS states that BAAs lay out responsibilities for both parties, but certain HIPAA provisions, such as backup and data recovery, PHI use, retention and disclosure,
and administrative policy, are often excluded from the agreement and remain the responsibility of the covered entity.