
HIPAA

Health Insurance Portability and Accountability Act

United States
Effective: August 21, 1996
Updated: January 25, 2013

Overview

HIPAA establishes national standards to protect individuals' medical records and other protected health information (PHI). The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI). Covered entities and their business associates must implement comprehensive access controls and audit capabilities.

IAM Requirements

Access Control (§164.312(a))

  • Unique user identification for all users accessing ePHI
  • Emergency access procedures for accessing ePHI during emergencies
  • Automatic logoff after period of inactivity
  • Encryption and decryption of ePHI

Audit Controls (§164.312(b))

  • Implement hardware, software, and procedural audit mechanisms
  • Record and examine activity in systems containing ePHI
  • Regular review of audit logs
  • Retention of audit logs per organizational policy

Integrity Controls (§164.312(c))

  • Mechanisms to authenticate ePHI integrity
  • Electronic mechanisms to verify ePHI has not been altered
  • Access controls to prevent unauthorized modification

Transmission Security (§164.312(e))

  • Integrity controls for ePHI transmission
  • Encryption of ePHI during transmission
  • Secure authentication for transmission endpoints

Administrative Safeguards

  • Workforce clearance procedures
  • Authorization and supervision of workforce members
  • Termination procedures for access removal
  • Security awareness and training program

Compliance Checklist

  1. Conduct comprehensive risk analysis
  2. Implement risk management program
  3. Develop and maintain security policies and procedures
  4. Assign security responsibility to designated official
  5. Implement workforce security measures
  6. Establish information access management procedures
  7. Deploy access control mechanisms
  8. Implement audit controls and review processes
  9. Develop incident response and breach notification procedures
  10. Execute Business Associate Agreements (BAAs)
  11. Conduct regular security awareness training
  12. Implement physical safeguards for facilities and devices

Penalties for Non-Compliance

  • Tier 1: $100-$50,000 per violation (unknowing)
  • Tier 2: $1,000-$50,000 per violation (reasonable cause)
  • Tier 3: $10,000-$50,000 per violation (willful neglect, corrected)
  • Tier 4: $50,000+ per violation (willful neglect, not corrected)
  • Annual maximum: $1.5 million per violation category

Quick Facts

  • Region: United States
  • Effective Date: August 21, 1996
  • Enforcing Body: U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
