Learning Center

// -->

How to Comply with HIPAA, Part 2

This is the second part of the article, “How to Comply with HIPAA, Part 1.”

The HIPAA Security Rule

In general, the Security Rule, like the Privacy Rule, requires healthcare organizations to protect individually identifiable healthcare information with “reasonable and appropriate administrative, technical, and physical safeguards.” More specifically, the Security Rule generally requires healthcare organizations to:

  1. “Ensure the confidentiality, integrity, and availability of all [protected patient data] they create, receive, maintain or transmit;”

  2. “Identify and protect against reasonably anticipated threats to the security or integrity of the information;”

  3. “Protect against reasonably anticipated, impermissible uses or disclosures; and”

  4. “Ensure compliance by their workforce.”

In terms of specific security requirements, the Security Rule requires healthcare organizations to do the following:

  • “Implement technical policies and procedures that allow only authorized persons to access electronic” patient information

    • Implement policies, procedures, and security measures to prevent unauthorized physical access to any IT hardware that contains or handles any patient information
  • Prevent patient information from being “improperly altered or destroyed”

  • Protect patient information from inappropriate access when it’s being transferred via a network

  • Set up an auditing system that logs activity on systems that contain patient data

  • Perform risk analyses on a regular basis in which they consider all potential risks to patient data and implement or change their security policies, procedures, and measures to protect their data from these risks

  • Maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.”

  • Train employees to follow policies and procedures

  • Designate “a security official who is responsible for developing and implementing its security policies and procedures”

Business Associate Contracts

HIPAA also requires healthcare organizations to sign “Business Associate Contracts” with anyone outside of their own organization they allow to access their patients’ information, including claims processing firms and IT hosting companies. These Business Associate Contracts dictate how the “Business Associate” can access and use the patients’ information, as well as what the Business Associate needs to do to protect this information from inappropriate access. Healthcare organizations aren’t liable for any HIPAA violations committed by any of their contracted Business Associates. If you need help drawing up your own Business Associate Contracts, HHS has a Business Associate Contract template on its website.

Breach Notification Requirements

In addition, HIPAA requires healthcare organizations to notify patients within 60 days, via phone, email, or a notice on their website, whenever their information is inappropriately accessed. These notifications must include “to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches.” Healthcare organizations must also notify the HHS of security breaches within 60 days if it involves the information of more than 500 patients and within 60 days of the end of the calendar year if it involves the information of less than 500. Finally, if a security breach involves the information of more than 500 patients in the same “State or jurisdiction,” healthcare organizations must also notify all of the “prominent” media outlets serving these areas within 60 days of the breach.


Healthcare organizations can be penalized up to \$1.5 million per calendar year per violated HIPAA requirement. Violations that are not the result of “willful neglect” and that are corrected within 30 days of their discovery will not be punished. Employees of healthcare organizations may face criminal charges if they knowingly make patients’ information available to people that aren’t authorized to access them.


To sum up, HIPAA applies to three types of healthcare organizations: healthcare providers, health plans, and healthcare clearinghouses. The law requires these organizations to protect most types of patient data (including both paper and electronic records) from inappropriate access. In general, the law requires organizations to protect patient data with what could be considered “reasonable and appropriate” security measures.

If a physicians’ office has a PC that has patient data on it, for example, it would be “reasonable and appropriate” to protect the PC by:

  • Assigning a unique username to each employee that uses that the PC

  • Requiring users to log in to the PC with a non-default password

  • Installing antivirus software on the PC and running it regularly

  • Situating the PC in such a way that patients can’t easily access it or see its monitor (e.g., putting the PC tower under and behind the front desk)

  • Assigning a non-default password to the PC’s wireless network and/or router

  • When disposing of the PC, ensuring that any patient still on the PC is inaccessible with specialty software or by physically destroying the hard drive

HIPAA also requires organizations to protect patients’ data from intentional or inadvertent deletion, which means backing up their patients’ data—and, obviously, protecting these backup copies from inappropriate access, too. It also requires them to develop and maintain written risk assessments and security policies and procedures, train their employees to follow their policies and procedures, designate privacy and security officials, sign “Business Associate Contracts” with anyone outside their organization that they provide with access to their patients’ data, and notify affected patients, the HHS, and “prominent” media outlets within 60 days whenever a security breach occurs.