HIPAA – What is HIPAA? Understanding Risk Maturity Standards

University of Nebraska Base Hospital No. 49 was mobilized in March 1918.

From the archives: World War I Physician – McGoogan News, University of Nebraska Medical Center (unmc.edu)


The Airius Risk Maturity Knowledgebase is intended to give you a snapshot of those things in the world affecting information risk for April 22nd through April 28th, 2023.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal law that sets standards for protecting the privacy and security of health information in the United States. HIPAA applies to covered entities (health plans, health care clearinghouses, and health care providers that conduct certain transactions electronically) and to the business associates that handle protected health information (PHI) on their behalf.

PHI is individually identifiable health information, held or transmitted by a covered entity or business associate, that relates to a person's past, present, or future health condition, the health care services provided to them, or payment for that care. Examples of PHI include name, address, date of birth, medical records, diagnosis, treatment, insurance information, and billing information, whenever they are associated with health data.

HIPAA compliance means following the rules and regulations of HIPAA to ensure the confidentiality, integrity, and availability of PHI. HIPAA compliance is important for both healthcare providers and patients because it:

  • Protects the rights and interests of patients to access and control their own health information
  • Prevents unauthorized or inappropriate use or disclosure of PHI that could harm patients or compromise their privacy
  • Enhances the quality and efficiency of health care delivery by enabling secure and timely communication and coordination among health care providers
  • Reduces the risk of legal liability, fines, penalties, or reputational damage for violating HIPAA

What are the main components of HIPAA compliance?

HIPAA compliance consists of four main components:

  • The Privacy Rule
  • The Security Rule
  • The Breach Notification Rule
  • The Enforcement Rule

The Privacy Rule

The Privacy Rule establishes the rights of patients to access and control their own PHI and the obligations of covered entities (and, through business associate agreements, the business associates acting for them) to protect the privacy of PHI. The Privacy Rule requires covered entities to:

  • Provide patients with a notice of privacy practices that explains how their PHI will be used and disclosed and how they can exercise their rights
  • Obtain written authorization from patients before using or disclosing their PHI for purposes other than treatment, payment, or health care operations (TPO), unless the use or disclosure is otherwise permitted or required by the Rule (for example, as required by law or for certain public health purposes)
  • Limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose
  • Respect the requests of patients to restrict or limit the use or disclosure of their PHI or to communicate with them in a certain way or at a certain location
  • Allow patients to access, inspect, copy, amend, or transmit their own PHI or designate a personal representative to do so on their behalf
  • Maintain an accounting of disclosures of PHI that are not for TPO or authorized by the patient
  • Implement policies and procedures to ensure compliance with the Privacy Rule and train staff on them

The Security Rule

The Security Rule establishes the standards for protecting PHI that is created, received, maintained, or transmitted in electronic form (e-PHI). The Security Rule requires covered entities and business associates to:

  • Conduct an accurate and thorough risk analysis to identify the potential threats and vulnerabilities to e-PHI and the likelihood and impact of each
  • Implement administrative, physical, and technical safeguards to protect e-PHI from unauthorized or accidental access, use, disclosure, modification, or destruction
  • Enter into business associate agreements with any subcontractors or agents that handle e-PHI on their behalf, so that they too comply with the Security Rule
  • Develop a contingency plan (data backup, disaster recovery, and emergency mode operation) to respond to emergencies or disasters that could affect e-PHI
  • Monitor and audit the effectiveness of the security measures, review them periodically, and address any gaps or weaknesses

The Breach Notification Rule

The Breach Notification Rule requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media in the event of a breach of unsecured PHI. A breach is an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. An impermissible use or disclosure is presumed to be a breach unless the entity can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction; in practice this means properly encrypted data whose decryption key was not also compromised, which is why key management matters as much as the cipher itself.

The Breach Notification Rule requires covered entities and business associates to:

  • Investigate any suspected or actual breach of unsecured PHI and determine its scope, cause, and impact
  • Notify each individual whose unsecured PHI has been breached without unreasonable delay and no later than 60 calendar days after discovery of the breach
  • Notify HHS of any breach affecting 500 or more individuals without unreasonable delay and no later than 60 calendar days after discovery, and of any breach affecting fewer than 500 individuals within 60 days after the end of the calendar year in which the breach was discovered
  • Notify prominent media outlets serving a state or jurisdiction of any breach affecting more than 500 residents of that state or jurisdiction, no later than 60 calendar days after discovery

The notification to individuals must include:

  • A brief description of what happened, including the date of the breach and the date of discovery, if known
  • A description of the types of unsecured PHI involved
  • The steps that individuals should take to protect themselves from potential harm
  • A brief description of what the covered entity is doing to investigate the breach, mitigate harm, and protect against further breaches
  • The contact information of the covered entity or business associate for questions or complaints

The Enforcement Rule

The Enforcement Rule establishes the procedures and penalties for enforcing HIPAA compliance. It authorizes HHS, acting through its Office for Civil Rights (OCR), to investigate complaints, conduct compliance reviews and audits, and impose civil monetary penalties for violations of HIPAA. Criminal violations of HIPAA, such as knowingly obtaining or disclosing PHI in violation of the statute, are referred to the Department of Justice for prosecution.

The Enforcement Rule provides for different tiers of civil penalties based on the nature and extent of the violation and the degree of culpability of the violator. As originally set by HITECH, the penalties range from $100 to $50,000 per violation, with an annual cap of $1.5 million for identical violations; these amounts are adjusted for inflation each year, so current figures are higher. Criminal penalties range from a fine of up to $50,000 and up to one year in prison, rising to a fine of up to $250,000 and up to 10 years in prison when the offense is committed with intent to sell PHI or for commercial advantage, personal gain, or malicious harm.

How does HIPAA compliance demonstrate risk maturity?

HIPAA compliance demonstrates risk maturity by requiring organizations to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (e-PHI). This risk analysis is the first step in an organization’s Security Rule compliance efforts and is an ongoing process that should provide the organization with a detailed understanding of the risks to e-PHI.

HIPAA security compliance is not a point-in-time achievement, but a duty of care that operates over time. Ongoing due care is achieved through HIPAA risk management: monitoring the controls chosen to address each identified risk, correcting them when they drift or fail, and repeating the risk analysis when the environment changes, so that the controls remain effective at reducing risk.

Is HIPAA aligned with recognized standards like the NIST CSF?

HIPAA does not mandate any particular security framework, but the Security Rule maps well onto the NIST Cybersecurity Framework (CSF). The Office for Civil Rights (OCR) has released a crosswalk, developed with the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC), that identifies mappings between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the HIPAA Security Rule.

Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find this crosswalk helpful in identifying potential gaps in their programs. Taking specific action to address these gaps can bolster compliance with the Security Rule and improve an entity's ability to secure e-PHI from a broad range of threats. The crosswalk is a mapping aid, not a certification: satisfying a CSF subcategory does not by itself prove a Security Rule standard is met, and the risk analysis still has to be documented.

What are some common risk management frameworks?

There are several common risk management frameworks that organizations use to manage and reduce cybersecurity risk. Some examples include:

  • NIST Risk Management Framework
  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO) Risk Management Framework
  • ISO 31000 (series)
  • Control Objectives for Information and Related Technology (COBIT)
  • Threat Agent Risk Assessment (TARA)
  • Factor Analysis of Information Risk (FAIR)

These frameworks provide a structured approach to identifying, assessing, and managing risk across an organization.

What are some benefits of HIPAA compliance?

There are several benefits of HIPAA compliance for both healthcare organizations and patients. For healthcare organizations, HIPAA compliance can help to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. HIPAA compliance can also help to foster trust and loyalty with patients, increase profitability, and differentiate your business from others.

For patients, HIPAA compliance ensures that healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities must implement multiple safeguards to protect sensitive personal and health information. HIPAA gives patients control over who their information is released to and who it is shared with. It also allows patients to take a more active role in their healthcare by giving them the ability to obtain copies of their health information and check for errors.

What is the HIPAA Standard?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as protected health information or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to make sure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare, and to protect the public’s health and well-being.

What is HITECH?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009. It was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

HITECH incentivized the adoption and use of health information technology, enabled patients to take a proactive interest in their health, paved the way for the expansion of Health Information Exchanges, and strengthened the privacy and security provisions of HIPAA. HITECH strengthened HIPAA by extending the reach of the HIPAA Security Rule to Business Associates of Covered Entities, who also had to comply with certain Privacy Rule standards and the new Breach Notification Rule. Tougher penalties for HIPAA compliance failures were also introduced to add an extra incentive for healthcare organizations and their business associates to comply with the HIPAA Privacy and Security Rules.

What are the parts of the HIPAA standard?

The complete suite of HIPAA Administrative Simplification Regulations can be found at 45 CFR Part 160, Part 162, and Part 164, and includes:

1. Transactions and Code Set Standards

The HIPAA Transactions and Code Set Standards are rules to standardize the electronic exchange of patient-identifiable, health-related information. They require providers and health plans to use standard content, formats, and coding. The purpose of the standards is to simplify processes and decrease costs associated with payment for health care services. The standards apply to patient-identifiable health information transmitted electronically.

2. Identifier Standards

The HIPAA Identifier Standards require covered healthcare providers, health plans, and health care clearinghouses to use a ten-digit “National Provider Identifier” number for all administrative transactions under HIPAA, while covered employers must use the Employer Identification Number issued by the IRS.

3. Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other individually identifiable health information (collectively defined as “protected health information”) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.

4. Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information that is created, received, used, or maintained by a covered entity or business associate. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

5. Enforcement Rule

The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E.

6. Breach Notification Rule

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.


How does a company get HIPAA certified?

There is no official HIPAA certification process or accreditation recognized by the Department of Health and Human Services (HHS) or its Office for Civil Rights (OCR). However, some companies offer HIPAA certification programs that provide training on HIPAA regulations and assess an organization’s compliance with the regulations. These programs can help organizations understand their obligations under HIPAA and demonstrate their commitment to protecting patient privacy and security.

How can you achieve HIPAA compliance?

HIPAA compliance is not a one-time event, but an ongoing process that requires constant vigilance and improvement. To achieve HIPAA compliance, you need to:

  • Understand the requirements and expectations of HIPAA and how they apply to your organization
  • Conduct a comprehensive risk analysis and implement appropriate safeguards to protect PHI
  • Develop and update policies and procedures to comply with HIPAA and train staff on them
  • Monitor and audit your compliance activities and address any issues or incidents promptly
  • Seek expert guidance or assistance if you have any questions or doubts about HIPAA compliance

HIPAA compliance is not only a legal obligation, but also a best practice for ensuring the trust and satisfaction of your patients and customers. By maintaining HIPAA compliance, you demonstrate your commitment to protecting their health information and providing them with quality health care services.


HIPAA compliance is a complex and challenging topic that affects every aspect of health care delivery in the United States. It is essential for both health care providers and patients to understand what HIPAA compliance entails and why it matters. By complying with HIPAA, you can protect the privacy and security of health information, enhance the quality and efficiency of health care services, and reduce the risk of legal liability or reputational damage.

If you need help with achieving HIPAA compliance, you can contact us at info@airius.com.

We are a team of experts who can provide you with customized solutions and support for your HIPAA compliance needs. We can help you with:

  • Conducting a risk analysis and implementing security safeguards
  • Developing and updating policies and procedures
  • Training staff on HIPAA compliance
  • Monitoring and auditing your compliance activities
  • Responding to breaches or incidents
  • And more

Don’t wait until it’s too late. Contact us today and let us help you achieve HIPAA compliance with confidence and ease.


Notable Mentions

We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 150 core contributors who have devoted their time and resources to helping us provide up-to-date information. Send your stories and announcements to knowledgebase@airius.com

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information. Can you translate the blog? Please reach out.

Ready to Help!

If we can help you with risk management, SOC reporting, an emergency or you just need guidance with INFOSEC, please reach out to us.

Coming Soon

  • AI engines
  • Political choices and reputational risk
  • GDPR
  • Automated risk management

Ernest M. Park, Airius, LLC, 2023


Copyright © Airius, LLC 1999-2023