HIPAA Compliance & the Role of Enterprise Information Archiving

| June 28 2022

Most people have heard of the Health Insurance Portability and Accountability Act (HIPAA), so it’s not surprising that companies dealing with digital health information will have to be HIPAA compliant. To do so, any protected health information (PHI) must be kept confidential, secure, and available when being stored or transmitted. HIPAA also requires healthcare providers to implement safeguards protecting PHI against cyber threats, security breaches, and other improper use of health data.

However, with the increasingly complex and interactive elements common in today’s websites and the quickly growing stores of unstructured data from collaboration apps and other SaaS platforms, understanding how regulatory bodies such as HIPAA affect your organization is a vital first step in making sure your website and digital channels comply with archiving and preservation regulations.

What is the HIPAA Security Rule?

Under the HIPAA Security Rule, organizations must:

  • Ensure the confidentiality, integrity, and availability of all electronic PHI they create, receive, maintain or transmit
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information
  • Protect against reasonably anticipated, impermissible uses or disclosures
  • Ensure compliance by their workforce

HIPAA Risk Analysis Requirements

HIPAA also requires covered entities to perform risk analysis as part of their security management processes. Under HIPAA, risk analysis may include, but is not limited to, the following activities:

  • Evaluate the likelihood and impact of potential risks to e-PHI
  • Implement appropriate security measures to address the risks identified in the risk analysis
  • Document the chosen security measures and, where required, the rationale for adopting those measures
  • Maintain continuous, reasonable, and appropriate security protections
  • Include risk analysis as part of the ongoing process, so that records are reviewed to track access to PHI and detect security incidents; risk analysis should also periodically evaluate the effectiveness of security measures put in place, as well as potential risks to PHI.

HIPAA Technical Safeguard Requirements

HIPAA also requires technical safeguards, including:

  • Access Control, which requires a covered entity to implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • Audit Controls, which require a covered entity to implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
  • Integrity Controls, which require a covered entity to implement policies, procedures, and electronic measures to ensure that e-PHI is not improperly altered or destroyed.
  • Transmission Security, which requires a covered entity to implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Enterprise Information Archiving and HIPAA

All but two HIPAA enforcement actions in 2021 were the result of HIPAA Right of Access violations. The Right of Access standard gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set.  When a request is received from an individual or their personal representative, the records must be provided within 30 days. As of December 2021, 25 penalties for HIPAA Right of Access violations were issued totaling $1,564,650. The fines range from $3,500 to $200,000.

The remaining two cases involved data breaches that caused HIPAA violations. In one, Rochester, NY-based Excellus Health Plan suffered a data breach of nearly 10 million records. According to HIPAA Journal, HIPAA’s Office of Civil Rights (OCR) “uncovered multiple HIPAA violations, including the failure to conduct an accurate and thorough organization-wide risk analysis, the failure to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a lack of technical policies and procedures to limit data access to authorized persons and software programs. Excellus chose to settle the case and paid a $5,100,000 penalty and agreed to implement a comprehensive Corrective Action Plan to address all areas of non-compliance.”

Having an Enterprise Information Archiving (EIA) solution in place makes HIPAA compliance much easier to manage, saving time, reducing costs, and mitigating risk. And because fines for failing to comply with HIPAA can be significant — up to $50,000 per violation and $1.5 million per year, with some HIPAA violations including prison terms of up to 10 years – an EIA solution is worth it.

To learn more about how EIA can help with your compliance needs download our latest guide: Enterprise Information Archiving in the Digital Age: A Guide to Satisfying Regulatory Bodies Like FINRA, HIPAA, FDA & More

Download the Guide


Related posts

Why Marketing Compliance for Financial Services Is A Big Deal

Why Marketing Compliance for...

In today's fiercely competitive business landscape, financial services companies, like their counterparts in other ...

Read More >
4 Best Practices to Build Better ESG and Sustainability Programs

4 Best Practices to Build...

In recent years, there has been an increasing trend for companies to claim environmental sustainability, making public ...

Read More >
The Downside of ESG: The Dangers of Greenwashing

The Downside of ESG: The...

In recent years, there has been an increasing trend for companies to claim environmental sustainability, making public ...

Read More >

Get in Touch to Learn More

Hanzo’s purpose-built, best-in-class solutions can help your readiness to respond to the next discovery request, investigation, or audit. Contact us to learn more.

Contact Us