What the new HIPAA compliance requirements mean for your business

What the new HIPAA compliance requirements mean for your business

Every organization within the healthcare sector, including their suppliers, is legally obliged to take every reasonable step to safeguard the confidentiality, security, and integrity of protected health information (PHI) according to the health insurance portability and accountability act. A failure to comply with HIPAA regulations can result in civil action and substantial fines, as well as severe reputational damage.


While the need for patient privacy should be obvious, implementing the right administrative, technical, and physical controls isn’t always easy. After all, healthcare IT is changing all the time, and no two technology or operational environments look the same. This is why HIPAA is intentionally vague and broad in scope. As such, covered entities and business associates should adhere to the latest standards of information security and privacy and reevaluate their compliance on a regular basis.

How have HIPAA compliance requirements changed?

In December 2020, the Office for Civil Rights (OCR), the body responsible for enforcing HIPAA compliance, issued new guidance concerning health information exchanges (HIEs). During the pandemic, covered entities and business associates are allowed to disclose PHI under a broader range of circumstances, such as those mandated under federal, state, or local laws. For example, organizations may now transmit patient treatment and laboratory test information to the appropriate state or local public health department without infringing the HIPAA Privacy Rule.

No permanent changes have been made to HIPAA legislation or guidance, and all of the same rules otherwise apply. However, implementing the rules comes with some unique challenges in light of the disruption of the past year. Organizations now need to shift their attention towards protecting remote workers and facilitating telemedicine, while still adhering to the demands of compliance as best they can.

#1. Securing remote workforces

When HIPAA was introduced in 1996, remote work was practically unheard of. Mobile devices and cloud computing didn’t exist in any meaningful way, and securing digital assets was mostly a matter of locking down the local network. Today, healthcare IT is spread across a wide range of connected devices and hosted services, while employees routinely access sensitive data from mobile devices.

Keeping data stored in the cloud, instead of on local devices, and help you secure your remote workforces. Additional measures, including end-to-end encryption, multifactor authentication (MFA), and complete auditability, are all essential for securing these distributed workforces.

Related article: What is a HIPAA-compliant cloud? 5 ways to evaluate your IT services

#2. Protecting connected devices

As the internet of things (IoT) makes its way into the healthcare environment, there is a rising threat of adding more single points of failure to your technology infrastructure. The benefits of IoT are without doubt, but it is essential to take steps to protect these often vulnerable devices according to the demands of the HIPAA Security Rule.

All internet-connected devices must be secure according to technical, administrative, and physical safeguards. This includes full encryption of data in storage or in transit, and only using devices that are approved for use in a healthcare environment.  

#3. Facilitating safe telemedicine

With many patient consultations moving online over the past year, telemedicine is finally on its way to becoming an established alternative to in-person meetings. However, many popular video conferencing platforms were not designed with the healthcare sector in mind.

Although the rules have been temporarily relaxed in light of the current urgent situation, many platforms are themselves working on achieving HIPAA compliance. For example, Zoom now offers a HIPAA-compliant subscription option for healthcare providers. Organizations should continue to implement reasonable security and privacy standards to prevent unauthorized access and disclosures across these channels too.

#4. Adapting to new security threats

Achieving a high standard of information security and privacy is not something an organization does once. It must be an ongoing process that continually reevaluates the vulnerabilities and threats and improves incrementally.

While yesterday’s threats continue to evolve, many new and emerging threats are constantly changing the cybersecurity landscape. For example, cloud and remote services are now top targets for hackers, and the healthcare sector is no exception. To maintain compliance, it is necessary to adopt advanced measures, such as heuristic threat analytics and unified threat management (UTM) solutions.

#5. Training and educating employees

Providing security and privacy awareness training is a core tenet of HIPAA compliance. In the coming months and years, organizations must step up their training programs to adapt not just to current threats and vulnerabilities, but also the rise of remote work and telemedicine.

Given the unprecedented disruption of the past year, many employees in the healthcare sector are still not adequately prepared for the threats against remote workforces. They need to be trained regularly to better identify common threats like social engineering attacks, as well as the best practices for staying secure when working from home or on the move.

Charles IT provides comprehensive HIPAA compliance assessments and security services to protect your organization from data leaks and other cyberthreats. Contact us today to find out more.