HIPAA Compliance and Data Security Demand Equal Attention


The Health Insurance Portability and Accountability Act (HIPAA), administered by the U.S. Department of Health and Human Services (HHS), has been around since 1996. The components of HIPAA cast a wide net over regulations involving insurance coverage, medical records and tax rules. However, rapidly advancing technology and security threats are shining a spotlight on the Privacy and Security rules that apply to electronic protected health information (ePHI).

In a nutshell, the HIPAA Privacy and Security rules require organizations that handle ePHI in any way to implement appropriate administrative, physical and technical safeguards to:

1. Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit
2. Identify and protect against reasonably anticipated threats to the security or integrity of the information
3. Protect against reasonably anticipated, impermissible uses or disclosures
4. Ensure compliance by their workforce

The regulation is intentionally flexible and scalable so that companies of all sizes and IT budgets can implement processes suited to their specific environments. However, the word “reasonably” leaves the rules open to interpretation about how much privacy and security protection is actually necessary.

Achieve Compliance and Data Protection with Risk Assessments

Given the complexity of technology and the extent of all the HIPAA regulations that require compliance, it’s easy to fall back on just checking boxes to meet the requirements for compliance and forget why privacy and security really matter in the digital world. Consequently, facilities aiming for only HIPAA compliance could be putting their organizations at risk.


HHS has made it clear that nonconformance with any part of HIPAA can lead to costly fines. However, a security breach can be even more costly because it can impact finances, reputation and customer trust. Therefore, ePHI handlers are urged to pursue more than “reasonably” anticipated threats and impermissible use of confidential data.

The significance of data security cannot be overstated. It’s important to recognize that equal effort must be applied to HIPAA compliance and to the privacy and security measures surrounding confidential information. Giving these components the attention they need involves performing a thorough risk assessment.

HHS agrees. The Summary of the HIPAA Security Rule cites “Every organization that creates, receives, maintains or transmits ePHI has to conduct an accurate and thorough HIPAA risk assessment in order to comply with 164.308 of the HIPAA Security Rule.”

What Should Your Risk Assessment Task List Include?

The HIPAA Security Rule does not prescribe a specific risk assessment method or technology. Risk assessments are a core part of an overall risk management process; they are unique to each environment and vary based on the organization’s size, complexity and capabilities.


Furthermore, according to the HHS “Guidance on Risk Analysis,” there is no single risk management strategy that fully guarantees a risk-free environment. That said, HHS does provide an objective of what should be accomplished with a risk assessment: “Identify potential risks and vulnerabilities that can compromise the confidentiality, availability and integrity of all protected health information.” Resources such as the National Institute of Standards and Technology (NIST) “Guidance for Conducting Risk Assessments” and HIPAA Journal contain some helpful ideas for taking a holistic approach to achieving this objective:

Identify where all PHI is stored, received, maintained and transmitted – Document the location of all servers, internal and external data centers, workstations, mobile devices, etc. that handle ePHI.

Identify all potential security vulnerabilities and threats relevant to your environment – This can include clarifying the following:

  • Are there undocumented process workarounds or other ways data is potentially mishandled by employees needing to get the job done?
  • Are all mobile and wearable technology devices (tablets, smartphones, medical devices, etc.) connected to your infrastructure tracked and documented?
  • Is security technology, such as a mobile device management (MDM) system with remote device wipe functionality, in place to mitigate risks with lost or stolen mobile devices?

Evaluate current security strategies for protecting ePHI – Some of the areas you might assess for this objective include:

  • What specific threats would be targeted at your type of organization?
  • What is the likelihood of an occurrence that would compromise the confidentiality, integrity and availability of your ePHI?
  • What would be the resulting impact on assets, operations, individuals, other organizations, etc. of lost or compromised ePHI?
  • Do all external vendors, suppliers, etc. have security measures in place and comply with HIPAA regulations?
  • Are user accounts and access rights properly aligned with each user’s role?
  • Is access to ePHI restricted to specific areas and workstations?
  • Are all ePHI access activities tracked and logged?
  • Are all employees properly trained on all security policies and procedures?

Assign risk levels for vulnerability and impact combinations – As cited in the “Guidance on Risk Analysis,” a risk-free environment does not exist. Use your risk assessment to define risk tolerance levels that help you focus on the most critical and high-impact vulnerabilities.
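The four steps above (inventory ePHI locations, list threats, evaluate likelihood and impact, assign risk levels against a tolerance) can be captured in a simple risk register. The following is an added example, not code from the article, HHS or NIST: it scores each asset/threat pair on qualitative likelihood and impact scales in the style of NIST SP 800-30, gives one level of credit for an existing safeguard such as MDM remote wipe, and flags entries above the chosen tolerance. The five-level scales, the score cut-offs, the one-level control credit and the sample register entries are all assumptions constructed for illustration.

```python
"""Risk register scoring for the ePHI risk-assessment steps above.

Added example, not from the article. The five-level likelihood and impact
scales follow the qualitative style of NIST SP 800-30; the score cut-offs,
the one-level credit for an existing control and the sample register are
assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Qualitative scales mapped to numbers so likelihood x impact can be ranked.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
SCALE = list(LEVELS)  # ordered level names, used to step a level down

# Risk levels in increasing severity, used to compare against the tolerance.
RISK_RANK = {"very low": 0, "low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class RiskEntry:
    asset: str              # where ePHI is stored, received or transmitted (step 1)
    threat: str             # threat or vulnerability relevant to the environment (step 2)
    likelihood: str         # inherent likelihood of an occurrence (step 3)
    impact: str             # impact on confidentiality, integrity or availability (step 3)
    control_in_place: bool  # an existing safeguard (e.g. MDM remote wipe) mitigates it


def residual_likelihood(likelihood: str, control_in_place: bool) -> str:
    """Assumption: an existing control lowers likelihood one level, never below 'very low'."""
    if not control_in_place:
        return likelihood
    return SCALE[max(SCALE.index(likelihood) - 1, 0)]


def risk_score(likelihood: str, impact: str) -> int:
    """Product of the numeric likelihood and impact levels (1..25)."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_level(score: int) -> str:
    """Assumed cut-offs turning a 1..25 score into a qualitative risk level (step 4)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "moderate"
    if score >= 4:
        return "low"
    return "very low"


def prioritize(register, tolerance: str = "moderate"):
    """Score every entry, rank by score and flag those above the tolerance level."""
    results = []
    for e in register:
        lik = residual_likelihood(e.likelihood, e.control_in_place)
        score = risk_score(lik, e.impact)
        level = risk_level(score)
        results.append({
            "asset": e.asset,
            "threat": e.threat,
            "residual_likelihood": lik,
            "score": score,
            "level": level,
            "above_tolerance": RISK_RANK[level] > RISK_RANK[tolerance],
        })
    return sorted(results, key=lambda r: (-r["score"], r["asset"]))


# Constructed sample register covering the asset and threat types named in the list above.
SAMPLE_REGISTER = [
    RiskEntry("billing server", "malware introduced via e-mail attachment",
              "moderate", "very high", False),
    RiskEntry("clinician tablets", "lost or stolen device", "high", "high", True),
    RiskEntry("front-desk workstations",
              "undocumented workaround: ePHI forwarded to personal e-mail", "high", "high", False),
    RiskEntry("external billing vendor", "vendor lacks HIPAA-aligned safeguards",
              "low", "very high", True),
    RiskEntry("networked wearable monitors", "device connected but not inventoried",
              "moderate", "moderate", False),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        flag = "ABOVE TOLERANCE" if r["above_tolerance"] else ""
        print(f"{r['score']:>2} {r['level']:<9} {r['asset']:<28} {r['threat']} {flag}")
```

With a tolerance of “moderate”, the two “high” entries (the undocumented e-mail workaround and the unprotected billing server) surface first, while the tablets drop to “moderate” only because the MDM control is credited; re-running the register after each new device or vendor is added is what turns the one-time exercise into the routine schedule the next section calls for.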


Standardize Risk Assessments

HHS asserts that a HIPAA risk assessment is not a one-time exercise. Technology, regulatory guidelines, standards and processes all continue to evolve, which creates a moving target for risk assessments. Organizations need to create a risk management plan, which includes performing routine risk assessments. There is no guidance on the frequency, but organizations should follow a consistent schedule, especially as new technology is introduced.

Technology continues to present opportunities for more innovative health care, which creates an ongoing need to integrate more systems and devices to keep pace with new trends. This, along with the exponential rise in cybersecurity attacks, further complicates the process of achieving compliance. More and more organizations are implementing automated risk management technology to set up an easier way to oversee and complete all risk management tasks and keep HIPAA compliance within reach.


David Jensen is a marketing communication specialist at MasterControl. He has been writing technical, marketing and public relations content in technology, professional development, business and regulated environments for more than two decades. He has a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.