What is HIPAA?

HIPAA, short for the Health Insurance Portability and Accountability Act, is a U.S. federal law designed to protect sensitive healthcare data. Although the law does not mandate specific cybersecurity practices or tools related to how software systems collect, store, process or transmit healthcare data, it does define security and privacy goals and outcomes that businesses must uphold to remain HIPAA-compliant.

Healthcare systems often store highly sensitive data – including not just personally identifiable information (PII) about patients, but also private patient medical data such as health histories. What’s more, healthcare data has a tendency to move around frequently. To deliver effective care, healthcare providers often need to correlate a patient’s health data from across multiple systems, or share it with one another.

For these reasons, healthcare data creates something of a perfect storm when it comes to data privacy: It involves data that is highly sensitive, and that can easily fall into the wrong hands during the process of moving from one system to another.

HIPAA aims to address these challenges by mandating consistent, efficient and secure modes of storing and transmitting healthcare data. To comply with U.S. federal law, most businesses that manage healthcare data for U.S. residents – including companies not based in the U.S. – must adhere to HIPAA’s requirements.

The purpose of HIPAA

Enacted in 1996, HIPAA establishes a number of requirements and regulations that businesses must follow when working with protected healthcare information. The purpose of the law is to provide a standardized and secure way of storing and sharing healthcare data.

HIPAA emerged out of a recognition that the healthcare industry in the United States lacked an efficient and secure approach to managing health data because different healthcare providers, insurance companies and other entities managed the data in varying ways. By standardizing the process and imposing security rules, HIPAA aimed to reduce risk and add efficiency – hence the references to “portability” and “accountability” for healthcare data within the law’s name.

Who must comply with HIPAA?

Any business that operates in the U.S. and is defined under HIPAA law as a “covered entity” must comply with the regulation.

In general, any business that engages in storing, processing or transmitting healthcare data is a covered entity and therefore subject to HIPAA. This includes organizations that manage analog healthcare data as well as healthcare data stored digitally (which HIPAA refers to as “electronic protected health information,” or e-PHI).

Note as well that companies do not need to be based in the U.S., or even have a physical presence there, to be subject to HIPAA compliance. International organizations that store, process or otherwise have access to e-PHI associated with U.S. residents are typically subject to the HIPAA mandates.

What does HIPAA require?

HIPAA includes five main rules (which are defined in detail on the HIPAA website):

  • Privacy: Prevents medical records from being shared without patients’ consent.
  • Security: Requires reasonable security measures to be in place to protect against unauthorized access to healthcare data.
  • Transaction: Standardizes the way healthcare data is transmitted between systems.
  • Identifiers: Defines standards for identifying healthcare entities.
  • Enforcement: Describes the enforcement process and establishes penalties for non-compliance.

In the context of cybersecurity and data privacy, the Privacy and Security rules are the most important because they describe regulations that are relevant for securing data inside digital systems.

HIPAA challenges

Unfortunately, the Privacy and Security HIPAA rules can also be somewhat difficult for cybersecurity teams to interpret. That is because HIPAA lays out high-level requirements but doesn’t describe exactly how to achieve them.

For example, the Security rule states in part that businesses must ensure the integrity, availability, and confidentiality of all e-PHI they create, maintain, transmit or receive. But it doesn’t describe precisely which types of security controls, tools or processes businesses must implement to meet this requirement.

This lack of precision is unavoidable because technology is always changing, as are cybersecurity and data privacy threats – so strategies that represent best practices one year may cease to be sufficient for protecting healthcare data or preventing breaches the next. Indeed, given that HIPAA was enacted in 1996, there was no way that the law’s designers could have foreseen modern cloud security challenges, given that the cloud as we know it did not exist in the 1990s.

Nonetheless, HIPAA places the onus on organizations to interpret its rules and enforce them in a way that regulators deem adequate. This includes implementing tools and processes – such as zero-trust security policies, continuous vulnerability scanning and security monitoring – that can help to mitigate the risk of breaches and, in the event they do occur, help businesses to identify and remediate them.

Best practices for HIPAA compliance

To minimize the risk of HIPAA non-compliance, consider the following security and data privacy best practices:

  • Minimize data exposure: The less e-PHI data you transmit or store, the lower your risk of security events that could affect HIPAA compliance. In general, it’s a best practice to avoid allowing applications and systems to interact with HIPAA-regulated data unless necessary.
  • Encrypt data: While simply encrypting data is not enough on its own to guarantee HIPAA compliance, data encryption can help reduce the risk of unauthorized access.
  • Embrace least privilege: Least privilege – the practice of granting users only the minimum access rights necessary – helps prevent data breaches linked to malicious insiders or stolen access credentials.
  • Perform recurring audits: Audits allow you to detect cybersecurity shortcomings that could trigger HIPAA non-compliance.
  • Educate employees: No matter how many security controls or automations you deploy, you can’t guarantee that employees won’t place sensitive health data at risk. Educating workers on where and how they can use protected data helps prevent HIPAA compliance violations.
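The first, third and fourth practices above (minimize exposure, least privilege, recurring audits) can be enforced together at the point where an application hands out e-PHI. The following is an added example, not code from the page or from Checkmarx: a small field-level access gateway that returns each role only the fields it needs, refuses unknown roles, and records every attempt in an audit trail. The role names, field names and sample record are constructed for illustration.

```python
import datetime
from typing import Dict, List

# Field-level "minimum necessary" policy: each role (assumed names) sees
# only the e-PHI fields it needs. Fields not listed (e.g. ssn) are withheld.
ROLE_FIELDS: Dict[str, frozenset] = {
    "billing":   frozenset({"patient_id", "name", "insurance_id"}),
    "clinician": frozenset({"patient_id", "name", "dob", "diagnosis"}),
    "frontdesk": frozenset({"patient_id", "name"}),
}

AUDIT_LOG: List[dict] = []  # in-memory audit trail for the example


def access_ephi(user: str, role: str, record: dict, purpose: str) -> dict:
    """Return the subset of `record` the role may see and log the access.

    Unknown roles get nothing; every attempt, allowed or denied, is audited.
    """
    allowed = ROLE_FIELDS.get(role)
    entry = {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "user": user, "role": role, "purpose": purpose,
        "patient_id": record.get("patient_id"),
    }
    if allowed is None:
        entry["outcome"], entry["fields"] = "denied", []
        AUDIT_LOG.append(entry)
        raise PermissionError(f"role {role!r} has no e-PHI access")
    view = {k: v for k, v in record.items() if k in allowed}
    entry["outcome"], entry["fields"] = "allowed", sorted(view)
    AUDIT_LOG.append(entry)
    return view


def audit_entries_for(patient_id: str) -> List[dict]:
    """Every access attempt against one patient's record, for recurring audits."""
    return [e for e in AUDIT_LOG if e["patient_id"] == patient_id]


# Constructed sample record; not real patient data.
SAMPLE = {"patient_id": "P-0001", "name": "Jane Doe", "dob": "1980-01-01",
          "diagnosis": "hypertension", "ssn": "000-00-0000",
          "insurance_id": "INS-42"}

if __name__ == "__main__":
    print(access_ephi("alice", "billing", SAMPLE, "claim submission"))
    print(access_ephi("bob", "clinician", SAMPLE, "treatment"))
    print(audit_entries_for("P-0001"))
```

In a real deployment the audit trail would go to append-only storage rather than a list, and the role-to-field policy would be reviewed as part of the recurring audits.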

HIPAA compliance with Checkmarx

As a code-to-cloud security platform, Checkmarx provides the broad range of capabilities you need to help protect applications from the vulnerabilities and other risks that could lead to HIPAA violations. Alongside other types of tools – like Data Loss Prevention (DLP) software, which can help identify where e-PHI resides – Checkmarx’s application and infrastructure security solutions are one key pillar of a modern HIPAA compliance strategy.

Checkmarx’s customers do business everywhere in the world. Our solutions comply with global industry standards and regulations to protect both our business data and yours.