
Everything You Need To Know To Ensure Compliance With The HIPAA Security Rule

Written By Abhishek Jain

Updated on Apr 20, 2020

3 Min Reading

"While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules."

That's what Jocelyn Samuels, Director of the Office for Civil Rights (OCR), U.S. Department of Health and Human Services, said in February 2016.

There is enough evidence that the OCR is dead serious about enforcing HIPAA. In 2015, Phoenix Cardiac Surgery paid a fine of US$100,000 for non-compliance with HIPAA.

HIPAA Non-Compliance: A Snapshot

According to the HIPAA enforcement highlights page of the HHS, as of February 29, 2020 the OCR had levied more than US$116 million in civil penalties for HIPAA violations.

The number of HIPAA non-compliance cases that the OCR had investigated and resolved up to that date was 27,829.

Civil monetary fines do not constitute the only penalty for failing to comply with HIPAA. A criminal penalty through sentencing by the U.S. Department of Justice is also possible.

In October 2016, a federal judge sentenced a former respiratory therapist to two years on probation, a fine of US$500, and one day in prison. The offender had illegally accessed patient data in the hospital where she was then employed.

That is one example of criminal prosecution and conviction for a HIPAA violation.

What This Snapshot Tells Us

There is an important narrative in the snapshot presented above. The compliance deadline for the HIPAA Security Rule was April 20, 2005. Only small health plans had an extension, up to April 20, 2006.

Yet, the U.S. healthcare industry does not seem to have fully grasped the significance of HIPAA and the criticality of complying with it. The number of cases the OCR has investigated and settled tells us that.

So do the two penalty cases mentioned. A full understanding of HIPAA, and of the adverse impacts that non-compliance may cause, seems to be eluding U.S. healthcare organizations and professionals.

This article presents, in clear and easy-to-understand language, everything you need to know about the HIPAA Security Rule. The simplicity does not indicate any lack of thoroughness or any degree of incomplete information.

However, there is another part to HIPAA: the HIPAA Privacy Rule. We have discussed that in a different article.

HIPAA In Brief

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a 1996 law that was last amended in 2003. The main aim of HIPAA is to increase individual access to, and control over, personal health information.

The natural corollary of that is to restrict the ways in which the health industry can use individual health information. The concept of protected health information (PHI) is central to HIPAA. Any health information that can identify an individual is protected.

The Scope Of PHI

Any individually identifiable health-related information falls within the scope of PHI. Below is a ready checklist:

  • All demographic details
  • Other common identifiers like address, date of birth, social security number, etc.
  • A person's physical and mental health history, covering past, present, and future
  • The healthcare provision applicable to an individual
  • The payment for all healthcare provisions of past, present, and future for an individual

However, it is possible to de-identify some health information by removing the individual identifiers from it. De-identified information is not within the purview of PHI.

The HIPAA Security Rule applies to PHI in electronic format (e-PHI).

HIPAA Security Rule

The formal name of the document containing the national standards issued by the Secretary of HHS is the Security Standards for the Protection of Electronic Protected Health Information. It is popularly known as the HIPAA Security Rule.

The aim of these standards is to ensure the security of individual health data as the healthcare industry becomes increasingly technology-dependent. The HIPAA Security Rule spells out the measures necessary to implement the HIPAA Privacy Rule.

HIPAA grants individuals the right to retain their privacy and control over health-related data. The HIPAA Privacy Rule articulates those rights. The Security Rule informs the healthcare industry in the U.S. what to do to comply with the Privacy Rule.

Integration of information technology (IT) and artificial intelligence (AI) is necessary for healthcare service delivery to become more efficient and effective. Yet such integration also introduces data breach threats.

Breached health data compromises the individual's right to the privacy of individually identifiable health information. The HIPAA Security Rule aims to prevent such a situation.

It simultaneously promotes the adoption of new technologies by the healthcare industry for delivering quality healthcare to patients. In recognition of the diversity of healthcare providers and professionals, the Security Rule offers both flexibility and scalability.

Healthcare provider organizations and individual healthcare practitioners can adapt the Security Rule according to the size of their practice and the services they offer.

Who Does The Security Rule Apply To?

Organizations and individuals in the healthcare industry covered by the HIPAA Security Rule are called "covered entities." Business associates of covered entities under the HIPAA Privacy Rule are covered entities under the Security Rule.

Below is a list of covered entities under the HIPAA Privacy Rule:

  • Health Plans, which include health insurance companies, health maintenance organizations (HMOs), health plans sponsored by employers, and government-supported healthcare payment plans.
  • Healthcare clearinghouses that transform nonstandard health information into the necessary standard formats, or vice versa.
  • Healthcare providers:
    • Physicians
    • Dentists
    • Psychologists
    • Chiropractors
    • Clinics
    • Nursing Homes
    • Pharmacies
  • Business Associates of any of the above.

Who Are Business Associates?

A business associate in this context is an agency or individual that performs certain functions on behalf of any of the covered entities. Such functions involve access to e-PHI.

Below is a list of typical business associates that are covered entities under the HIPAA Security Rule:

  • Any third-party administrator that assists a health plan in processing claims.
  • Any individual consultant or consulting organization that conducts utilization reviews for a hospital.
  • Healthcare clearinghouses that process healthcare providers' nonstandardized claims data into standardized formats and forward the claims for reimbursement.
  • Independent medical transcriptionists who provide transcription services to any covered entity.

The HITECH Act of 2009 broadened the responsibilities of business associates under the HIPAA Security Rule. The Secretary of HHS has developed regulations that incorporate these changes.

Your Action Points As A Business Associate Of A Covered Entity

Are you a business associate of a healthcare delivery organization or an individual healthcare provider? There are measures that you must implement in order to be HIPAA compliant.

Basic measures require having administrative, physical, and technical safeguards to protect e-PHI. The typical action points are to:

  • Ensure the availability, confidentiality, and integrity of all e-PHI that you handle. That includes all e-PHI that you create, receive, maintain, and transmit.
  • Implement measures to protect the integrity and security of e-PHI from threats that you can reasonably anticipate.
  • Prevent the use and disclosure of e-PHI not permitted by HIPAA.
  • Ensure that your workforce is compliant.

As per the HIPAA Security Rule, "availability" means that e-PHI must remain accessible for use by an authorized person. "Confidentiality" in this context implies that e-PHI is not accessible to any unauthorized person. "Integrity" implies that e-PHI must not be changed or destroyed in an unauthorized manner.

The Security Rule does not specify the measures necessary to achieve the above. That is because the relevant measures depend upon the size of the covered entity and on the nature of the hardware and software it uses.

Every covered entity must decide on the measures necessary for it. Such adaptation requires a risk analysis to identify and manage potential security threats to e-PHI.

What Is Risk Analysis?

A risk analysis process helps a covered entity to determine what specific measures it must implement for HIPAA Security Rule compliance. Such a process includes the following:

  • Assess the probability of security threats to e-PHI and evaluate the impact of a security breach.
  • Put in place measures appropriate to guard against the potential security risks identified through the above process.
  • Document what security measures have been implemented and why.
  • Maintain security measures that are appropriate and reasonable on a continuous basis.

Administrative Safeguards

  • Administrative safeguards require a covered entity to designate a person in its workforce as responsible for maintaining and monitoring the appropriate safeguards identified through the risk analysis process.
  • A covered entity must have policies and procedures in place that restrict access to e-PHI to authorized persons only.
  • The workforce of a covered entity must be trained in order to be compliant.
  • A covered entity must undertake a periodic evaluation of how robust its security measures are.

Physical Safeguards

  • A covered entity must limit physical access to e-PHI without compromising authorized access.
  • A covered entity must implement policies and procedures necessary to ensure the proper use of and access to workstations and electronic media so that e-PHI does not remain physically accessible to unauthorized persons.

Technical Safeguards

  • A covered entity must implement technical policies and procedures that prevent unauthorized access to e-PHI.
  • A covered entity must conduct periodic audits of the adequacy of its technical measures.
  • A covered entity must implement electronic safeguards to prevent unauthorized alteration or destruction of e-PHI.
  • A covered entity must implement technical measures to prevent unauthorized access to e-PHI during electronic transmission.

Penalty For HIPAA Security Rule Non-Compliance

The Office for Civil Rights (OCR), HHS, is responsible for investigating and determining complaints of HIPAA violations. Security Rule violation penalties are tied to the compliance needs of the HIPAA Privacy Rule.

Broadly speaking, the OCR takes a tiered approach to violations and levies penalties accordingly.

When a covered entity is unaware of a violation, and could not have avoided it even after exercising reasonable care for HIPAA compliance, it is considered a tier 1 violation. That can attract a minimum fine of US$100 per violation, with a cap of US$25,000 in a calendar year.

A tier 2 violation is one that a covered entity should have been aware of, but could not have avoided with reasonable care. The penalty is a minimum of US$1,000 per violation, with a calendar-year cap of US$100,000.

A violation that happens because of deliberate neglect of HIPAA rules, but corrective measures have since been taken, is a tier 3 violation. A minimum amount of US$10,000 per violation is the penalty, but the total fines in a calendar year cannot exceed US$250,000.

Wilful neglect of HIPAA rules with no corrective measures being taken is a tier 4 offense. The penalty for it is a minimum of US$50,000 per violation. The maximum limit in a calendar year is US$1.5 million.

In limited cases, there can be criminal procedures for HIPAA non-compliance, which are determined by the US Department of Justice. Up to 10 years in prison is a possibility.

It Makes Good Business Sense To Take HIPAA Compliance Seriously

As we've mentioned at the outset, the U.S. healthcare industry seems to be lagging behind in ensuring HIPAA compliance. That is a poor business decision. Implementing the action points detailed in this article will help you be HIPAA compliant.
