What All Healthcare Organizations Should Know About HIPAA Requirements


Healthcare is continually one of the most targeted sectors for cybercriminals.

The average cost of a breach in the healthcare industry, according to IBM, is nearly $11 million, a 53% increase since 2020.

"With medical records as leverage, threat actors amplify pressure on breached organizations to pay a ransom," IBM states. "In fact, across all industries studied, customer personally identifiable information was the most commonly breached record type and the costliest."

That’s why following HIPAA requirements is so important.


You Must Do An Assessment At Least Once A Year

Organizations that violate HIPAA face civil and even potentially criminal penalties.

That’s why it’s essential to do an assessment at least once a year, or whenever a significant change in policies and procedures is implemented.

Any healthcare provider, insurer, or business associate is included in this requirement because all of them handle protected health information (PHI).

PHI covers:

  • Demographic information
  • Medical history
  • Test or lab results
  • Mental health conditions
  • Insurance information
  • Any other information that identifies a patient or helps determine care

If any of this information is stolen, it can be sold on the dark web or held hostage through ransomware until payment is received.


You Must Assess Internal And External Vulnerabilities

The biggest weakness in any business of any size, according to Coalfire, is people.

People make mistakes, whether they fall for a social engineering attack or make some other error.

Healthcare organizations must train staff annually on effective cybersecurity controls, such as keeping workstations and networks up to date with antivirus protection, software updates, and secure passwords.

Staff must also understand how to be on alert for phishing schemes.

These vulnerabilities must be addressed throughout the year.


You Must Build A Risk Management Plan

The HHS provides a great overview of what’s needed for a risk management plan.

This plan will help you identify where to implement security rules, as well as how to evaluate and maintain them.

As projects are completed and vulnerabilities are mitigated, document them and update the plan.


Your IT Policies Must Be Comprehensive

The risk management plan that you create should have a number of controls in it. These include:

  • Administrative safeguards - Reduce risks and vulnerabilities.
  • Physical safeguards - Determine who has access to facilities, workstations, and devices.
  • Technical safeguards - Determine who has access to PHI, as well as who can audit and implement controls.
  • Procedures and documentation - “A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments,” says the HHS.


You Must Have BAAs In Place

Any “person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity,” is what HIPAA considers a business associate.

A business associate may be “a CPA firm whose accounting services to a health care provider involves access to protected health information,” or “an attorney whose legal services to a health plan involve access to protected health information.”

These associates must have a business associate agreement (BAA) in place, which “must define definitions, obligations/activities of the business associate, and the permitted uses and disclosures by the associate.”

With some exceptions, BAAs are required in all instances.

Complying with HIPAA is critical, but it can be daunting. Consider working with a healthcare IT support partner to ensure your business is meeting these annual requirements.
