HIPAA Compliance Guide Questions That Are Commonly Asked

HIPAA compliance is a must for all healthcare providers. HIPAA, the Health Insurance Portability and Accountability Act, protects the health information of patients by requiring that it be stored securely and used correctly by healthcare providers. HIPAA requires covered organizations to keep confidential any sensitive data that identifies a patient.

The rules of HIPAA apply on multiple levels, and becoming HIPAA compliant requires a structured organizational approach to implementing security policies and comprehensive privacy protections. HIPAA and its requirements can be daunting for many organizations. This HIPAA compliance guide has put together some of the commonly asked questions and their answers to help make the process quicker and less painful.

What’s HIPAA Compliance?

HIPAA compliance is an ongoing process, and that is one of the most important things for healthcare providers to remember. Becoming HIPAA compliant does not come down to one action, software product, or training program. For your organization to obey the law, you must have the necessary documentation of your Privacy and Security Policies and Procedures and, of course, strictly follow the protocols you have set for protecting PHI. Because HIPAA compliance is an ongoing process, your plan will change as your business, IT department, and staff evolve or grow.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal regulation defining a set of standards for safeguarding PHI, or Protected Health Information. The Department of Health and Human Services Office for Civil Rights is primarily responsible for enforcing HIPAA. In some cases, State Attorneys General can also enforce HIPAA, so organizations must address every facet of the law.

What’s Protected Health Information?

HIPAA compliance is all about safeguarding Protected Health Information, or PHI. So, what is PHI? It covers many kinds of health-related information, such as the diagnosis of a serious medical condition or the medical record of a drug addict who has undergone a recovery program. As long as the information could reveal the identity of the patient, it counts as PHI.

Some of the unique personal identifiers covered by PHI include SSN, DOB, email address, physical address, phone number, MAC address, and IP address, among others. Take note that this information does not have to be current to qualify as PHI. In most states, health care providers keep all PHI confidential for six years, unless the state imposes more stringent requirements.

Who Should Protect PHI?

Three categories of institutions or persons have the responsibility to protect PHI and must be HIPAA compliant: covered entities, business associates, and the subcontractors that those business associates use.

Individuals, organizations, or institutions that maintain payment information or patient healthcare information are covered entities. Also included are those that reasonably come into contact with protected health information as part of their daily duties; these include health plans, health care clearinghouses, and health care providers, among others.

Why Is HIPAA Compliance Essential?

HIPAA compliance is essential because it protects patients' health information from misuse. Breaches of PHI can also damage the reputation of the healthcare company or organization. Successful attacks by cybercriminals on healthcare organizations that failed to comply with HIPAA can severely disrupt the country's delivery of healthcare services.

Unfortunately, many healthcare organizations still use outdated systems that are prone to exploitation by attackers. It is easy for cybercriminals to carry out attacks when a new system or piece of software is inadequately supported and security controls are not implemented. Keep in mind that attacker capabilities grow each day, and an organization still running outdated technology is an easy target. That is why HIPAA also regulates the technology systems used to manage, store, and transfer Protected Health Information.

What Happens If Organizations Don’t Comply With HIPAA?

While covered entities, business associates, and subcontractors face no consequence merely for being out of compliance with HIPAA, the problem starts when you suffer a breach or a loss of PHI records. Violations can bring severe punishments, including steep fines from the Department of Health and Human Services' Office for Civil Rights. The fines depend on the number of PHI records involved and the severity of the neglect found, but in any case you should expect a breach to cost a hefty amount.

Sure, the fines can hurt your organization financially, but the impact of not complying with HIPAA goes beyond that. Your organization relies heavily on patient trust, and losing it can have devastating effects on your future. In some cases, jail time is also involved, especially when the breach is linked to specific employees.

HIPAA exists to ensure that any institution that collects, uses, or maintains patients' protected health information handles it appropriately. Working your way to HIPAA compliance can be time-consuming, but the law mandates that you comply, and it is also the right thing to do to protect the personal health information of the patients who trusted you with it. The questions discussed in this HIPAA compliance guide should make things easier to understand so that you can start complying with the HIPAA rules for the benefit of your organization and your patients.