The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. Understanding the scope of HIPAA is crucial for organizations that handle such data to ensure compliance and maintain the trust of their clients and partners.
📘 What is Protected Health Information (PHI)?
Protected Health Information (PHI) refers to any information in a medical record or other health-related data that can be used to identify an individual and that was created, used, or disclosed in the course of providing healthcare services. This includes a wide range of identifiers such as names, addresses, birth dates, Social Security numbers, and medical records.
🏢 Entities Governed by HIPAA
HIPAA applies to specific types of organizations and individuals, primarily categorized as Covered Entities, Business Associates, and Subcontractors.
1. Covered Entities
These are the core organizations directly involved in healthcare services and include:
- Healthcare Providers: Doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, and other healthcare practitioners who electronically transmit health information in connection with certain transactions.
- Health Plans: Health insurance companies, Health Maintenance Organizations (HMOs), company health plans, and government programs that pay for healthcare, such as Medicare and Medicaid.
- Healthcare Clearinghouses: Entities that process nonstandard health information they receive from another entity into a standard format or vice versa.
2. Business Associates
These are individuals or entities that perform functions or activities on behalf of, or provide services to, a Covered Entity that involve the use or disclosure of PHI. Examples include:
- Billing companies
- Transcription services
- IT service providers
- Cloud storage providers
Business Associates are required to sign a Business Associate Agreement (BAA), ensuring they will appropriately safeguard PHI and comply with HIPAA regulations.
3. Subcontractors
Subcontractors are entities to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate. If the delegated function involves the use or disclosure of PHI, the Subcontractor also becomes subject to HIPAA regulations and must enter into a BAA with the Business Associate.
🔄 Recent Developments in HIPAA Compliance
As of 2025, significant changes are anticipated in HIPAA compliance, driven by the increasing use of healthcare data, integration of artificial intelligence, and escalating cybersecurity threats. The Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are intensifying enforcement, particularly focusing on areas such as ransomware attacks and the responsible use of PHI. Proposed updates to HIPAA’s Security Rule include mandates for modern security measures like encryption and multifactor authentication. Additionally, the use of AI and online tracking technologies presents further compliance challenges due to risks of unauthorized PHI disclosure. Healthcare organizations must implement robust security measures, conduct regular staff training, and review policies to navigate the evolving HIPAA landscape.
🛡️ Ensuring Compliance
To maintain compliance with HIPAA, organizations should:
- Identify and Classify Data: Recognize all forms of PHI handled within the organization.
- Implement Safeguards: Apply administrative, physical, and technical safeguards to protect PHI.
- Conduct Regular Training: Educate employees about HIPAA regulations and the importance of protecting PHI.
- Establish Agreements: Ensure that Business Associate Agreements are in place with all partners handling PHI.
- Monitor and Audit: Regularly review policies, procedures, and systems to detect and address vulnerabilities.
Understanding the scope of HIPAA is fundamental for any organization dealing with Protected Health Information. By identifying whether your organization is a Covered Entity, Business Associate, or Subcontractor, and by implementing the necessary safeguards and agreements, you can ensure compliance and protect the sensitive information entrusted to your care.
Frequently Asked Questions (FAQ)
What are the key readiness factors for HIPAA?
Key HIPAA readiness factors include:
- HIPAA security and privacy training
- Endpoint protections (e.g., encryption, antivirus, access control)
- HIPAA Business Associate Agreements (BAAs)
- Technical evaluations such as vulnerability scans (internal and external)
- Penetration testing (optional but recommended)
Note: HIPAA requires regular technical evaluations to ensure continued compliance. While penetration testing is not a hard requirement, it is often the most effective way to meet this requirement. Alternatively, a well-managed vulnerability management program may also satisfy this need.
Does Secureframe provide Logging and Audit SOPs required for HIPAA?
Yes. Customers can reference the following Secureframe-provided policies which satisfy HIPAA logging and audit requirements:
- HIPAA Security Policy and Procedures Manual – includes multiple sections on logging practices.
- Data Retention and Disposal Policy – HIPAA Addendum – outlines HIPAA-specific retention requirements.
There is no need to create a new SOP from scratch if these policies are already in place.
Is there a Secureframe template available for HIPAA audit logs?
Secureframe provides a sample Audit Log template in our HIPAA Audit Log blog post. However, this is just a reference example. If the customer already has passing logging tests in Secureframe, there’s typically no need to use or submit this template.
Which Secureframe Tests map to HIPAA audit logging requirements?
Customers can find relevant tests by going to the Tests page in Secureframe and searching for keywords like "log". For example, the test "Logging the web application" is one where access logs may be uploaded to demonstrate compliance.
Does Secureframe provide guidance for HIPAA log retention (e.g., 6 years)?
- Currently, Secureframe does not explicitly call out the 6-year minimum retention requirement for HIPAA logs in the test descriptions.
- However, this requirement is embedded within the HIPAA framework controls and policy language.
Can Secureframe’s existing policies be used to satisfy customer contracting requirements around HIPAA audit logging?
Yes. Customers going through enterprise contracting who are asked to provide Logging and Audit SOPs can reference the:
- HIPAA Security Policy and Procedures Manual
- Data Retention and Disposal Policy – HIPAA Addendum
These documents meet standard audit requirements without needing to draft new SOPs.
Is there an MDM or incident management tool that can detect HIPAA violations in real time?
While no tool can detect all HIPAA violations in real time, Data Loss Prevention (DLP) solutions can help identify and prevent unauthorized sharing of sensitive information like PHI. These tools can be configured to monitor for specific keywords, content patterns, and behaviors—such as emailing patient records through a personal email account.
Common DLP solutions that work well in HIPAA-regulated environments include:
- Proofpoint
- Symantec
- Forcepoint
- Microsoft Purview (formerly Microsoft Information Protection)
- Google DLP (for Google Workspace users)
These platforms are not HIPAA-specific but can be tuned to support HIPAA security requirements.
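The rule shape the FAQ describes, PHI-like content combined with a destination outside the organization such as a personal mailbox, as an added illustration that is not Secureframe's code or any vendor's product logic. The domain names, the three PHI patterns and the sample mail events are constructed for the example; a production DLP policy would use the identifier formats and domains of the actual environment.

```python
import re
from dataclasses import dataclass

# Assumed corporate domain and a short list of personal-mail domains (constructed).
CORPORATE_DOMAINS = {"clinic.example"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}

# Illustrative PHI content patterns: SSN, date of birth, medical record number.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.I),
}

@dataclass
class Finding:
    sender: str
    recipient: str
    indicators: list
    reason: str

def recipient_domain(address):
    return address.rsplit("@", 1)[-1].lower()

def phi_indicators(text):
    """Names of the PHI patterns that match the message text, sorted."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))

def evaluate(event):
    """Flag a message only when BOTH conditions hold: PHI content is present
    and the recipient is outside the covered entity's own domain."""
    indicators = phi_indicators(event["subject"] + "\n" + event["body"])
    if not indicators:
        return None
    domain = recipient_domain(event["to"])
    if domain in CORPORATE_DOMAINS:
        return None  # internal hand-off of PHI is not the behaviour this rule targets
    reason = "personal mailbox" if domain in PERSONAL_DOMAINS else "external domain"
    return Finding(event["from"], event["to"], indicators, reason)

# Constructed outbound mail events as a gateway DLP would see them.
SAMPLE_EVENTS = [
    {"from": "nurse@clinic.example", "to": "billing@clinic.example", "subject": "Claim", "body": "SSN 123-45-6789"},
    {"from": "nurse@clinic.example", "to": "me.home@gmail.com", "subject": "patient", "body": "DOB: 03/14/1970 MRN 00123456"},
    {"from": "intake@clinic.example", "to": "ops@partner.example", "subject": "referral", "body": "SSN 987-65-4321"},
    {"from": "intake@clinic.example", "to": "friend@yahoo.com", "subject": "lunch", "body": "see you at noon"},
]

def scan(events=SAMPLE_EVENTS):
    """Run the rule over a batch of events and return the findings."""
    return [f for f in map(evaluate, events) if f is not None]
```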
Is there a separate certification to prove that a custom-built EHR system is HIPAA compliant?
No, there is no formal HIPAA certification for EHR systems or vendors. HIPAA is a legal standard, not a certifiable framework. If an organization builds its own EHR system, it must include that system in its overall HIPAA compliance program. This means applying appropriate safeguards and controls at both the organizational and system levels, such as:
- Access controls and user authentication
- Audit logging and monitoring
- Change management processes
- Encryption for data at rest and in transit
Can a DLP tool be HIPAA-certified?
DLP tools themselves cannot be HIPAA-certified, as HIPAA does not provide certifications for specific technologies. However, they can be used effectively as part of a HIPAA compliance strategy. Their value depends on how they are configured to align with your organization’s policies and the HIPAA Security Rule requirements.