HIPAA compliance is required of healthcare providers. HIPAA policies protect patient health information, keep it secure, and ensure it is used properly. Sensitive data that could reveal a patient's identity must be kept confidential in order to comply with HIPAA rules. These policies operate at several levels and require a deliberate organizational approach to implement comprehensive privacy and security policies that ensure compliance. Most organizations find this a daunting task. To make the process easier, we have laid out the HIPAA compliance requirements in three parts. The first is to understand how HIPAA relates to your organization. The second is to implement practical steps, strategies and training to prevent HIPAA data leaks or accidental disclosures. The third is to put physical and technical safeguards in place to protect patient data. With this list in hand, you will have a better idea of what to discuss with your advisors.

What is HIPAA all about? Before we talk about compliance, let's go back to the basics of HIPAA. The Health Insurance Portability and Accountability Act, signed by President Bill Clinton in 1996, sets out rules for medical records. HIPAA does a number of important things. It reduces health care fraud and abuse and sets standards for health care billing and payment transactions. The same applies to collecting information about patients' health. The law protects and preserves medical information and ensures that records of health services are safeguarded.


HIPAA Privacy Rule: HIPAA's Privacy Rule sets national standards. The goal of HIPAA is to protect medical records as well as other protected health information (PHI). This applies to three types of organizations: health care providers, their supply chain (contractors, vendors and other business associates) and now online service providers (such as data centers and cloud services). All health plans and health care clearinghouses must comply with HIPAA. The rules also apply to healthcare providers that conduct health-related transactions electronically. The Privacy Rule requires providers to appoint staff responsible for protecting the privacy of their patients, and that protection must cover PHI. The HIPAA Privacy Rule also places restrictions on the disclosure of ePHI. Under the Privacy Rule, patients have legal rights to their health information. These include three basic rights.

  • First, the right to control the disclosure of their health and personal information.
  • Second, the right to inspect and obtain copies of their health information.
  • Lastly, the right to request that necessary corrections be made to their records. The HIPAA Privacy Rule requires providers to safeguard patient data. It also gives patients rights over their own health information.

Responsibilities of HIPAA Security Officer


The HIPAA Security Rule states that the person designated as HIPAA Security Officer must apply policies and procedures to prevent, detect, contain and correct ePHI security violations. Before the HIPAA Security Officer develops policies and procedures, they must create and conduct a risk assessment covering all aspects of the technical, physical and administrative safeguards. Once a risk to the integrity of ePHI has been identified, the HIPAA Security Officer should take steps "to reduce the risk to a reasonable level and adhere to 45 CFR 164.306(a)". Employees should be trained on any new approaches and be informed of the sanctions for not complying with the new policies and procedures. To enforce that sanction policy, a system for reviewing information system activity must also be implemented.


HIPAA Security Officer Job Description

The HIPAA Security Officer job description describes the officer's responsibility to develop and maintain procedures in accordance with HIPAA to ensure the confidentiality, integrity and availability of ePHI.


These responsibilities vary with the size and type of the organization but must include:

  • Establishing, administering and ensuring compliance with the Security Rule and any guidance issued by OCR.
  • Responsibility for integrating IT security and HIPAA requirements into the organization's business strategy and needs.
  • Management responsibility for issues related to access management, business continuity, disaster recovery and incident response.
  • Responsibility for raising security awareness, including training staff in collaboration with the HIPAA Privacy Officer.
  • Responsibility for managing risk assessments and audits, especially with regard to vendors and other third parties.
  • Authority to investigate security incidents and take measures to prevent and limit future occurrences.


Technical Safeguards

The technical safeguards included in the HIPAA Security Rule break down into four categories:

  • Access control
  • Audit control
  • Integrity control
  • Transmission security


Access control: Access controls are designed to limit access to ePHI. Only individuals with authorization have the ability to access confidential information.

Audit control: Audit control mandates that covered entities use hardware, software and procedures to record and examine activity in systems that contain or use ePHI. Audit controls ensure that access to, and activity on, all systems that use ePHI is properly monitored.

Integrity controls: Covered entities should have effective procedures in place to ensure that ePHI is not destroyed or altered improperly. These should include electronic mechanisms to confirm that ePHI has not been altered.

Transmission security: Covered entities must protect ePHI whenever it is sent or received over an electronic network.

The technical safeguards require HIPAA-compliant organizations to put in place policies and procedures to ensure that ePHI is safe. This protection must be guaranteed whenever ePHI is being stored, used or transmitted.





HIPAA requires a practice to name both a privacy officer and a security officer. The two roles have similarities. However, Robben suggests that filling them with two different people allows you to maintain checks and balances. Both the privacy and security officers should be fully aware of how the practice operates, what can cause compliance problems and what motivates employees. Both should be connected to all parts of the practice, from doctors and nurses to accountants and reception staff.

The main difference between the two roles is that the security officer pays close attention to the IT and technical aspects of the business.

They need to know where protected health information (PHI) is stored. Every medical practice has PHI to protect. This PHI can be stored on paper charts (hard copy files), in an electronic health record (EHR) system, or on computers accessed through the web, the Internet or mobile applications. Every new technology carries a security risk, and the security officer must be aware of these risks.


The security officer should know whether doctors are able to access PHI from their phones or iPads, and should be notified whenever a laptop containing PHI is lost or stolen. The security officer also needs to know where all paper charts are kept in the office. When the security officer properly understands all of this, he or she is better equipped to formulate a policy suited to securing the PHI and ensuring its safety.


Risk Assessment

Expecting one employee to understand when PHI is at risk and to find ways to deal with it can be quite challenging. In small businesses, employees may not have the technical knowledge. This is a challenge, but not an insurmountable one for the security officer.

"The security officer does not need to have all the answers to this issue, but it is very important that they have the capacity to identify this risk and know when to ask for help."


Outsourcing goes a long way toward securing and strengthening the existing security program. It should be treated as a deliberate and necessary precaution, especially in smaller firms where decisions are often made on an economic basis. Risks should always be identified and always treated as a priority.


HIPAA Breach Notification Rule

Breaches can occur even when the strictest security measures are taken. When they do, the HIPAA Breach Notification Rule sets out how covered entities must respond.


It is important to properly define a breach. A HIPAA breach is an impermissible use or disclosure of PHI that is not permitted by the Privacy Rule. The organization needs to assess the risk using the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • The identity of the unauthorized person who received or used the PHI
  • How the PHI was breached, and whether it was actually viewed, downloaded or otherwise acquired
  • The extent to which the risk to the PHI has been mitigated


In some cases, PHI may be acquired or disclosed without a breach occurring. The HIPAA rules provide three examples of such situations.

  • The first scenario is where PHI is acquired unintentionally and in good faith by an employee or person acting under the organization's authority.
  • Second is the inadvertent disclosure of PHI by an authorized person to another authorized person within the same organization. The information must not be further used or disclosed in a manner that is not permitted by the Privacy Rule.
  • Third, a covered entity may determine in good faith that the unauthorized person who received the disclosure would not reasonably have been able to retain the PHI.

If a breach as defined above occurs, the organization must report it. By reporting it, the affected individuals and HHS are notified of any breach that has occurred.

By Tyler Burket, Human Resources

Strategic Security Corp.