What Is HIPAA?

HIPAA (the Health Insurance Portability and Accountability Act of 1996) was designed to protect health data or electronic protected health information (ePHI). It is a U.S. law designed to provide privacy standards to protect patients’ medical records and other health information. HIPAA establishes definitions of ePHI, rules and policies for using and sharing ePHI, and penalties for misusing or breaching ePHI to unauthorized parties. While the original objectives encompass governing data privacy via consented access and ensuring portability of ePHI to simplify insurance plan changes, HIPAA established a foundational piece of policy to build upon as industry needs change. 

The law is more relevant than ever today, as ePHI is included in most standard formats of healthcare exchange, with all parties (including threat actors) interested in access to the sensitive data. A 2023 report from the U.S. Department of Health and Human Services (HHS) Office of Information Security shows an upward trend in healthcare data breaches between 2012 and 2021. The report also highlights that healthcare data breaches doubled in the preceding three years. Healthcare institutes and associated bodies, such as insurance, are protected health information (PHI) custodians. This makes these organizations an attractive target for cybercriminals. Cyberattacks on healthcare include the insidious threat of ransomware and data security issues, which often begins with unauthorized access and a lack of least-privilege access controls. 

HIPAA was enacted on August 21, 1996. However, since then, the framework has had several major additions. These include the Security Rule, Privacy Rule, Breach Notification Rule, and the Omnibus Final Rule. HHS regulates HIPAA, but the Office for Civil Rights (OCR) enforces HIPAA.

Under “Administrative Simplification,” HIPAA is defined through several components, including:

• Transactions and code set standards
• Identifier standards
• Privacy rule
• Security rule
• Enforcement rule
• Breach notification rule

Together these rules and standards set the bar for the protection of ePHI.

Protecting ePHI is at the heart of HIPAA compliance. Akamai security solutions provide intelligence and end-to-end protection to support the ePHI protection against breaches and accidental exposure. Akamai helps your security teams to enhance the effectiveness and ROI of your security investments by moving beyond traditional endpoint detection to provide a powerful Zero Trust solution to the security and privacy of data. 

Akamai provides:

• A global security platform that enables Zero Trust security with comprehensive coverage of your IT environment

• Deep visibility into assets, access, and network flows

• Granular enforcement of customer configured security policies

Any healthcare entity, including any business associate handling health data, must meet HIPAA’s stringent data security and privacy rules. If your organization comes under the umbrella of HIPAA, you will be expected to abide by regulations that affect access to and handling of PHI. If an affected entity breaches HIPAA’s security and privacy rules, they are bound by breach notification rules. If more than 500 users are affected by a breach, notification of the incident must be passed to the OCR. The breach details are listed on a searchable public website, “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.”

Specific types of organizations that are affected by HIPAA include the following:

_Hospitals

The HIPAA Privacy Rule mandates that hospitals provide clear explanations of patients’ privacy rights. In addition, security is an essential component of protecting patient data, with HIPAA rule 45 CFR 164.502(b), 164.514(d) explicitly stating the requirement that covered entities must “… evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.” 

Hospitals, therefore, must have measures to minimize the risk of unauthorized data access. A Zero Trust security approach to data access provides the framework to mitigate the risks to PHI within a hospital environment.

_{Business associates}

A business associate under HIPAA is defined as any business that “creates, receives, maintains, or transmits protected health information (PHI)” on behalf of a covered entity. This includes companies such as software suppliers, cloud service providers, and billing agencies. Business associates are required to protect and maintain the confidentiality, integrity, and accessibility of PHI using technical measures and safeguards. Security measures to identify risk and secure PHI are a requirement of HIPAA. A Zero Trust platform provides visibility across an expanded data ecosystem to apply robust security measures to harden against unauthorized data access.

HIPAA has stringent protective measures to ensure the security and privacy of ePHI. Applying the tenets of HIPAA provides a series of benefits to covered entities and patients. Among some of the most important benefits:

Improves patient privacy: Personal and sensitive information on patient health is limited to only those who need to know. Under certain conditions, patients must consent to sharing their health data.

Enforces role-based access and least-privilege principles: Data is only available to those who need to know. Zero Trust security can help to enforce these principles.

Mandates robust authentication: HIPAA requires that all covered entities implement robust authentication to help enforce access control policies.

Protects against malware: Ransomware attacks hospitals and other healthcare institutes. This leaves ePHI vulnerable. HIPAA compliance protects against malware infection.

Akamai provides a comprehensive solution family that delivers Zero Trust security to help meet and maintain HIPAA compliance. Our customers recognize Akamai’s leading security solutions as best in class; our healthcare customers use Akamai to protect ePHI and enforce the principles of least privilege and robust access controls. Akamai’s security portfolio has grown from a collection of point solutions to a comprehensive and powerful Zero Trust platform. Akamai’s world-class solutions provide security controls for supporting HIPAA’s Security and Privacy Rule covering data security, availability, integrity, confidentiality, and privacy. Akamai delivers deep visibility into your IT environment and across your expanded infrastructure to include business associates.

Akamai Cloud: Our massively distributed edge and cloud platform delivers cloud computing, security, and content delivery. Akamai Cloud is designed to ensure that HIPAA-covered entities can use cloud computing and remain compliant.

Akamai Identity Cloud: Privacy and security is built into Akamai Identity Cloud by design. The solution provides highly scalable identity management and handles complex use cases — Identity Cloud stores customer data in a highly secure manner, applying least-privilege principles to mitigate cyberattacks. In addition, the solution has built-in consent management to abide by regulations, including HIPAA, GDPR, CCPA, PIPEDA, and others.

HHS places HIPAA-covered entities into three classes:

1. Healthcare providers: includes doctors, clinics, dentists, and pharmacies
2. Health plans: includes health insurance companies and company health plans
3. Healthcare clearinghouses: organizations that process nonstandard health information from another entity 

The protection of PHI is extended by the Omnibus Rule to include any business associate that handles health data.

Electronic protected health information (ePHI) under HIPAA regulations refers to individually identifiable health data or personal health information: HIPAA includes 18 “identifiers.” These identifiers represent the different types of identifying data that HIPAA covers. The types of information include patient names, email addresses, Social Security numbers, electronic health records (EHR), medical records, biometric data, and so on. Patient authorization is required to release records containing any of this data.

The ePHI is excluded from HIPAA controls if it can be de-identified using the “de-identification standard” under HIPAA ​​Section 164.514(a) of the HIPAA Privacy Rule.

Any HIPAA-covered entity that creates, receives, uses, or maintains PHI must abide by the HIPAA Security Rule. The rule explicitly covers the administrative, physical, and technical safeguards that ensure ePHI’s confidentiality, integrity, and security. Technical safeguards to help adhere to HIPAA and protect PHI include:

• Access control to ePHI
• Person or entity authentication
• Transmission security, e.g., encryption

Other security provisions include employee compliance training and awareness, and physical access safeguards.

The HIPAA Privacy Rule was added in December 2000 and updated in August 2002. It provides the privacy framework to protect individually identifiable health information by covered entities and to control the disclosure of protected health information. Associated data is also covered by the Privacy Rule, for example:

• Physical or mental conditions in the past, present, and future
• The treatment for a condition
• Payment information regarding the treatment

HIPAA and the HITECH Act (The Health Information Technology for Economic and Clinical Health Act) are concerned with protecting ePHI. However, HITECH expands the HIPAA encryption compliance requirements and the disclosure of data breaches of “unprotected” (unencrypted) PHI. This means that patients can request notice of any disclosure of their PHI.

HIPAA has a Breach Notification Rule that defines what triggers a breach notification under HIPAA violations. The basic rules for breach notification are:

• Breaches affecting 500 or more individuals: Covered entities must notify the Secretary without unreasonable delay within 60 days following a breach.
• Breaches that affect fewer than 500 individuals: Covered entities can notify the Secretary annually but within 60 days after the end of the year of the breach.

The HIPAA Breach Notification Rule can be found under HIPAA 45 CFR §§ 164.400-414.

Penalties for HIPAA noncompliance include fines of up to $50,000 per HIPAA violation and can include criminal penalties.