HIPAA Compliance


The spirit of HIPAA is simple. Its first purpose is to secure and protect personal health information; its second is to set standards for electronic transactions in healthcare. Sounds simple, right? It is, but there is still a lot you need to know to get started with HIPAA. This page is your resource for everything you need to know about it.

What is HIPAA?

HIPAA, formally the Health Insurance Portability and Accountability Act, was signed into law in the United States in 1996. It was enacted as a multi-tiered approach to improving the health insurance system. Specifically, the HIPAA Privacy Rule created the first national standard for protecting personal health information and medical records.

  • HIPAA gives individuals rights over their own health information, including the right to access it.
  • HIPAA imposes civil and criminal penalties on those who violate it.
  • HIPAA requires covered entities and their business associates to put administrative, physical and technical safeguards in place before handling personal health information.
  • HIPAA sets limits on how health data may be used and disclosed.

Why does HIPAA matter?

All healthcare entities and organizations that use, store, maintain or transmit patient health information are expected to be in full compliance with HIPAA. When fully adhered to, HIPAA regulations not only protect privacy, reduce fraud and improve data systems, but are also estimated to save providers billions of dollars annually. By identifying and mitigating security risks before they turn into breaches, settlements and audit findings, organizations can focus on growing their business rather than fearing potential fines.

What is PHI or ePHI?

Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual and is transmitted or maintained in any form or medium by a covered entity or its business associate. The definition of a business associate was extended by the HIPAA Omnibus Rule, which went into effect in 2013. The term "information" is interpreted broadly and includes any part of a patient's medical record or payment history. The key phrase is "that can be linked to a specific individual," which is where the related acronym PII (Personally Identifiable Information) becomes relevant. PII is the broader term: anything that can be used to identify an individual, such as a name, Social Security number or address. PHI is the narrower, HIPAA-defined category: PII that is tied to health status, care or payment and held by a covered entity or business associate. PHI is therefore best thought of as a subset of PII, and even a medical record with the obvious identifiers removed can still identify a person if the disease or condition is rare enough.

Understand Business Associate Agreements

The HIPAA Privacy Rule defines which entities are covered by HIPAA and must follow its privacy and security rules. Covered entities (CEs) are health plans (payers), health care clearinghouses, and health care providers such as hospitals and physician practices. Business associates are the second main category, and they are by far the biggest cohort of cloud computing companies. A business associate is a person or organization that contracts with a covered entity to provide services and/or technology, and in doing so handles, processes, transmits, or otherwise interacts with electronic protected health information (ePHI) from that covered entity. Before a covered entity may share ePHI with a business associate, the two must sign what is called a business associate agreement (BAA).

Proving HIPAA Compliance

Anybody can, and many companies do, put "HIPAA Compliant" on their websites and marketing material. Complying with HIPAA is essential to selling software that processes, stores, transmits, or otherwise touches ePHI. It is an essential, though non-differentiating, feature of any B2B healthcare technology product. The reason companies can self-attest to being HIPAA compliant is that there is no certifying body, and no accompanying certification, for HIPAA. That is problematic both for vendors selling healthcare software to enterprises and for enterprises buying software from third-party vendors.

3 Ways to Prove HIPAA Compliance

To prove HIPAA compliance, one of three methods is used: self-assessments, full third-party audits, or inheriting proof.

Path 1: Self-Assessments

Self-assessments are the easiest and least expensive way, at least in terms of direct costs, to show compliance with HIPAA. Without official audit reports, you must tell your compliance story through hand-crafted documentation, and each customer's security review may ask you to substantiate it.

We created this compliance self-assessment worksheet to get you started on your roadmap to compliance.

Path 2: Full Third-Party Audits

While you may still have to answer questions from each customer about security and compliance, providing your third-party audit reports goes a long way toward shortening long, drawn-out security and compliance reviews. Broadly speaking, there are two main healthcare compliance frameworks you can be audited against: the HIPAA rules themselves (issued by HHS) and HITRUST.

Path 3: Middle Road — Inheriting Proof

Datica was built to create Path 3. There had to be an easier way to build modern healthcare technology, follow modern development practices, comply with HIPAA without hiring a compliance expert, and prove that compliance without undergoing a full audit.

Learn more about HIPAA compliance from the resources listed on this page, or contact the compliance experts at Datica.

Datica Academy articles on HIPAA Compliance

HIPAA 101 A primer

The HIPAA acronym stands for the Health Insurance Portability and Accountability Act. This primer covers HIPAA basics: what it means, which entities it covers, and more.

What is Protected Health Information (PHI)?

The acronym PHI stands for Protected Health Information. An individual's PHI is data on health status, provision of health care, or payment for health care.

Proving HIPAA Compliance

Claims of HIPAA compliance are everywhere, but are the companies making them really compliant? Companies can self-attest to HIPAA compliance because there is no HIPAA certification.

Business Associate Agreements

With ePHI access, business associates are required to sign a HIPAA business associate agreement (BAA). Learn more about business associate agreements here.

HIPAA, Subcontractors, and BAAs

HIPAA is the core of security regulation in healthcare, and the rules changed in 2013 with the HIPAA Omnibus Rule, which extended business associate obligations to subcontractors.

HIPAA and Encryption

An encryption strategy is another element of HIPAA compliance, whether for data in transit (TLS/SSL), data at rest, full-disk encryption such as FileVault 2, encrypted network perimeters, or more.

HIPAA Auditing and Logging

If you're going through a HIPAA security audit by a hospital or payer compliance office, auditing and logging help demonstrate that your application is secure and that access to ePHI can be traced.

HIPAA and Multi Tenancy

What exactly is multi tenant cloud and does Datica Compliant Cloud offer a multi tenant environment?
