A brief introduction to HIPAA Compliance
Prince George, Software Quality Engineer
What is HIPAA?
● Health Insurance Portability and Accountability Act
● HIPAA is a federal law that protects the privacy and security of health
data. It is enforced by the Office for Civil Rights (OCR) of the U.S.
Department of Health and Human Services (HHS).
● Enacted in 1996. HIPAA was initially created to help the public with
insurance portability; it also introduced a set of privacy protections for
healthcare data.
● HIPAA sets the standard for protecting sensitive patient data.
● Covered Entities and their Business Associates need to protect the privacy
and security of protected health information (PHI).
Important terms to know
Protected Health Information (PHI)
PHI is any information in a medical record that can be used to identify an
individual, and that was created, used, or disclosed in the course of providing
a healthcare service.
Includes: medical records, billing information, health insurance information,
and any other individually identifiable health information.
Electronic Protected Health Information (ePHI)
All individually identifiable health information that is created, maintained, or
transmitted electronically.
Covered Entity (CE)
Anyone who provides treatment, payment, or operations in healthcare.
Includes: doctors' offices, dental offices, clinics, psychologists, nursing
homes, pharmacies, hospitals and home healthcare agencies; health plans,
insurance companies and HMOs; government programs that pay for healthcare;
and health clearinghouses.
Business Associate (BA)
Anyone who has access to patient information, whether directly, indirectly,
physically or virtually, on behalf of a Covered Entity.
HIPAA requires that business associate relationships be formalized in a
contract or agreement, commonly called a "Business Associate Agreement" or
BAA.
Includes: IT providers, health applications, telephone service providers,
document management and destruction services, accountants, lawyers and other
service providers.
HIPAA Fines and Penalties
Violation category           | Amount per violation | Identical provision violated in a calendar year
Did not know                 | $100 - $50,000       | $1,500,000
Reasonable cause             | $1,000 - $50,000     | $1,500,000
Willful neglect, corrected   | $10,000 - $50,000    | $1,500,000
Willful neglect, not corrected | $50,000            | $1,500,000
Who needs to be HIPAA compliant?
If you handle PHI, then you need to be HIPAA compliant.
The HIPAA rules apply to both Covered Entities and their Business Associates,
who must protect the privacy and security of protected health information
(PHI).
The Four Rules of HIPAA
HIPAA has four main “rules,” or sets of regulations, that specify how regulated
organizations need to operate and handle PHI.
● HIPAA Privacy Rule
● HIPAA Security Rule
● HIPAA Enforcement Rule
● HIPAA Breach Notification Rule
HIPAA Privacy Rule
Addresses the saving, accessing and sharing of medical and personal
information of an individual, including a patient’s own right to access.
Privacy means securing, protecting and maintaining the confidentiality of
patients' data in all formats, including electronic, paper and oral.
HIPAA Security Rule
Nationwide standards intended to protect health data that is created,
received, maintained, or transmitted electronically.
Protecting ePHI from unauthorized access, whether external or internal,
at rest or in transit, is all part of the Security Rule.
Security is the set of methods, tools, strategies and processes used to
ensure that privacy.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule contains provisions relating to compliance and
investigations, the imposition of civil money penalties for violations of the
HIPAA Administrative Simplification Rules, and procedures for hearings.
HIPAA Breach Notification Rule
This rule establishes:
● What constitutes a reportable HIPAA breach
● What you must do in case of a breach
● Who you must notify in the event of a breach.
Possible parties include: your customers, the individuals whose
information was breached, HHS, law enforcement, and the media.
● How quickly you must notify
Becoming HIPAA Compliant
If you comply with the HIPAA rules, then you are "HIPAA-compliant."
The HIPAA Security Rule requires having the appropriate Administrative,
Physical, and Technical Safeguards in place to ensure the confidentiality,
integrity, and security of protected health information (PHI).
In other words, you need to cover all three bases in order to be compliant per
the HIPAA guidelines.
The HIPAA Security Rule
The rule is divided into “standards,” which are required but often vague, and
“implementation specifications,” which are either ‘required’ or
‘addressable’ and usually not much more specific than the standards.
September 23, 2013
● Before September 23, 2013: the rules applied to hospitals, doctors,
clinics, etc.
● After September 23, 2013: the rules apply to anyone that touches PHI.
3 Parts to the HIPAA Security Rule
● Administrative Safeguards
● Technical Safeguards
● Physical Safeguards
Administrative Safeguards
The administrative components are really important when implementing a
HIPAA compliance program.
Includes:
● Security Management Process
● Assigned Security Responsibility
● Information Access Management
● Security Awareness and Training
● Security Incident Procedures
● Contingency Planning
● Evaluation
● Business Associate Contracts and Other Arrangements
Physical Safeguards
Controls to protect the physical facilities, computers, and devices that house
PHI, such as data centers, offices, laptops, thumb drives, workstations, etc.
Includes:
● Facility Access Controls
● Workstation Use
● Workstation Security
● Device And Media Controls
Technical Safeguards
Controls implemented through engineering processes. They embody privacy and
security by design and should be incorporated as early as possible into your
technical design process.
Includes:
● Access Controls
● Audit Controls
● Integrity Controls
● Person or Entity Authentication
● Transmission Security
Developers need to focus on the Technical and Physical safeguards outlined in
the Security Rule.
Certifications
There is no body that can "certify" that an organization is HIPAA compliant.
The Office for Civil Rights (OCR) from the Department of Health and Human
Services (HHS) is the federal governing body.
The evaluation standard in the Security Rule requires you to perform a
periodic technical and non-technical evaluation to make sure your security
policies and procedures meet security requirements.
Conclusion
When you boil it down, HIPAA is really asking you to do 4 things
● Put safeguards in place to protect patient health information
● Reasonably limit uses and sharing to the minimum necessary to
accomplish your intended purpose.
● Have agreements in place with any service providers that perform
covered functions or activities for you.
● Have procedures in place to limit who can access patient health
information, and implement a training program for you and your
employees on how to protect patient health information.
Thank you.
