Any healthcare entity, including any business associate handling health data, must meet HIPAA’s stringent data security and privacy rules. If your organization comes under the umbrella of HIPAA, you will be expected to abide by regulations that govern access to and handling of PHI. If a covered entity breaches HIPAA’s security and privacy rules, it is bound by the breach notification rules. If more than 500 users are affected by a breach, notification of the incident must be submitted to the OCR. The breach details are then listed on a searchable public website, “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.”

Specific types of organizations that are affected by HIPAA include the following:

Hospitals

The HIPAA Privacy Rule mandates that hospitals provide clear explanations of patients’ privacy rights. In addition, security is an essential component of protecting patient data, with HIPAA rule 45 CFR 164.502(b), 164.514(d) explicitly stating the requirement that covered entities must “… evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.”

Hospitals, therefore, must have measures in place to minimize the risk of unauthorized data access. A Zero Trust approach to data access provides the framework to mitigate the risks to PHI within a hospital environment.

Business associates

A business associate under HIPAA is defined as any business that “creates, receives, maintains, or transmits protected health information (PHI)” on behalf of a covered entity. This includes companies such as software suppliers, cloud service providers, and billing agencies. Business associates are required to protect and maintain the confidentiality, integrity, and availability of PHI using technical measures and safeguards. Security measures to identify risk and secure PHI are a requirement of HIPAA. A Zero Trust platform provides visibility across an expanded data ecosystem, allowing robust security measures to be applied that harden it against unauthorized data access.