INFOGRAPHIC - How to Achieve Reliable HIPAA Compliance

Many healthcare organizations struggle with HIPAA, but the right guidance can put you on track to dependable compliance.

February 25, 2020Manhattan Tech Support

Tech Support & Managed IT ServicesCloud ServicesIT Consulting & StrategySecurityHealthcare

HIPAA infographic

How to Achieve Reliable HIPAA Compliance by Manhattan Tech Support

Many healthcare organizations struggle with HIPAA, but the right guidance can put you on track to dependable compliance.

In recent years, regulators have aggressively increased efforts to enforce HIPAA and HITECH, the two most common regulations for the healthcare industry. Yet despite continued vigilance and awareness, HIPAA non-compliance is still very common throughout the healthcare industry.

The U.S. Office of Civil Rights (OCR), which is responsible for HIPAA enforcement, found HIPAA violations in 70% of the cases it investigated.[i]

78% of healthcare employees showed some lack of preparedness with common privacy and security threats, which is 8% higher than the average among all industries. [ii]

Lack of employee preparedness keeps the total number of data breaches in the healthcare industry high. There were 32 million records breached in the first half of 2019, double the number of breaches in all of 2018.[iii]

The Path to Strong HIPAA Compliance

HIPAA wasn’t designed to be a one-size-fits-all regulation. Instead, it gives organizations some leeway to determine how they should best protect their systems and data. Any healthcare organization that stores and manages electronic protected health information (ePHI) should protect that data with three types of safeguards:

  • Technical Safeguards
    This category includes all the ways an organization can use technology to automatically protect ePHI as it flows through their network.
  • Administrative Safeguards
    Administrative safeguards specify the responsibilities of human staff members. They make up over half of the HIPAA text.
  • Physical Safeguards
    HIPAA also requires that physical office space and network endpoints are secured against tampering and intrusion.

The Five Technical Requirements of HIPAA Compliance

Although organizations have difficulty with the administrative and physical safeguards, it’s often the five technical safeguards that challenge them the most.

HIPAA has five technical safeguards to protect ePHI.

  1. Access Controls – These limit ePHI access to authorized personnel.
  2. Audit Controls – Organizations must use the right mix of hardware, software, and process to monitor and log data access.
  3. Integrity control – These ensure that data is not altered or destroyed by unauthorized personnel
  4. Transmission security – This set of controls is used to ensure that ePHI is protected when in transit across a network.
  5. Authentication – Verifies the identity of individuals accessing sensitive information.

Making sure that you’ve implemented the five technical safeguards on all your systems is just one part of achieving HIPAA compliance. It’s just as important to maintain compliance as your systems evolve, which requires on-going vigilance.

Common HIPAA Stumbling Blocks

Due to HIPAA’s complexity, there are several different ways in which healthcare organizations can get compliance wrong. Here are some of the most common errors that organizations make.

Unsecured Email

The OCR maintains a “wall of shame,” where it posts HIPAA violations that are under investigation. Attacks that originate in a company’s email system make up a significant proportion of those attacks. [i]

HIPAA email best practices include:

  • Obtain patient’s written consent before sending information via email
  • Never including ePHI in subject lines
  • Always confirming the accuracy of email addresses
  • Encrypting emails whenever possible

Mobile Devices

Mobile devices can help keep doctors and nurses in better communication, but they’re often a major compliance liability.

Four out of five doctors are using their personal smartphone for work

Three out of five nurses are using their personal smartphone for work[ii]

Using personal devices contributes directly to employees, inadvertently leaking electronically protected healthcare information. To mitigate this problem, mobile devices must be secured using an enterprise mobility management (EMM) solution.

Proper Vendor Management

A business associate is any person or organization that interacts with your ePHI. HIPAA requires that you have a business associate agreement with each of those vendors. This includes:

  • Medical billing service providers
  • Data back-up and disaster recovery services
  • Software-as-a-service (SaaS) and cloud service providers

For even a small healthcare provider, this can lead to the maintenance of dozens of different vendor relationships and agreements. But having a signed business associate’s agreement isn’t enough for compliance.

Delegate BA management responsibility -> Perform technical due diligence on each vendor -> Control vendor access to ePHI with the rule of least privilege -> Regularly audit vendors -> Manage and review contracts

Lay a Foundation for HIPAA with the NIST Cybersecurity Framework

The National Institute for Standards and Technology (NIST) Cybersecurity Framework was developed by the Federal Government to help improve the security of the national-level infrastructure.

Because of its detailed prescriptions, it can also be used as a valuable reference for achieving HIPAA compliance.

The NIST process has five major high-level functions.

Identify – Gain full visibility of your physical and digital assets, and their vulnerabilities

Protect – Control access to those assets with appropriate safeguards

Detect – Possess visibility over your network and identify threats quickly

Respond – Contain cybersecurity events with a response plan and clear lines of communication

Recover – Effectively recover any damaged services with clear action points

Manhattan Tech Support can help guide you through every stage of the NIST implementation process, achieving strong HIPAA compliance, and better cybersecurity in the process.

Manhattan Tech Support – NYC’s Trusted HIPAA Consultant

We’ve been serving the security and compliance needs of NYC’s healthcare community for two decades, and during that time, have helped a wide variety of healthcare organizations, from small doctor’s offices and clinics to large hospitals and insurance companies, navigate the complex road to dependable HIPAA compliance.

Do you have HIPAA questions for your experts? Contact us any time at 212-299-7673 or [email protected]! We’re always happy to help.








Kaytuso – the cybersecurity & regulatory compliance division of LLC.

Exceed Digital – the custom software development and business intelligence solutions division of LLC

Related Articles

Hiring versus outsourcing the IT

calendar May 5, 2022

author Manhattan Tech Support

Business Intelligence Cloud Services IT Consulting & Strategy Tech Support & Managed IT Services Construction Education Finance Healthcare Legal Non-Profits Real Estate Startups

Hiring versus outsourcing the IT

When you run a business, especially a bigger one, the idea of outsourcing any aspects of the work that needs to be done might seem a bit off. This is a conversation that comes up a lot when companies are

Read More
A guide to  IT disaster recovery planning

calendar April 28, 2022

author Manhattan Tech Support

Business Intelligence Cloud Services IT Consulting & Strategy Security Tech Support & Managed IT Services Construction Education Finance Healthcare Legal Non-Profits Real Estate Startups

A guide to  IT disaster recovery planning

While it might seem like an inconvenience to a lot of people, downtime isn’t something a lot of businesses can afford to deal with. It isn’t just annoying, it’s straight-up expensive for any business when something goes wrong.  According to

Read More
Security challenges while migrating to the cloud

calendar April 14, 2022

author Manhattan Tech Support

Business Intelligence IT Consulting & Strategy Security Software Development Tech Support & Managed IT Services Construction Finance Healthcare Legal Non-Profits Real Estate Startups

Security challenges while migrating to the cloud

Moving to the cloud? Here’s what you need to know about doing it safely Moving at least some part of your business to the cloud can potentially make a huge difference to your business.  Cloud adoption brings unparalleled flexibility that

Read More