Handling sensitive patient data in the US – Guide to HIPAA Compliance

In the following post, Pharma IT describes the content of the HIPAA legislation and gives some pointers on what is important when implementing HIPAA compliance. Should you need assistance establishing HIPAA compliance in your organisation, please contact us.

HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for handling sensitive patient data, or protected health information (PHI), when operating in the US.

What is the Purpose of HIPAA?

The purpose of HIPAA is to improve the efficiency, transparency and security of the healthcare systems that handle sensitive patient data by providing guidelines for administrative simplification and security standards. HIPAA is built on a number of rules that provide a basis, requirements to follow and specific safeguards to implement in order to protect sensitive patient data.

Who does HIPAA apply to?

HIPAA applies to all companies that handle sensitive patient data in the healthcare sector, i.e. anyone providing services, treatment or payment, or otherwise operating in the healthcare system, that deals with sensitive patient data. Any company which fits this definition must comply with HIPAA.

HIPAA rules

The HIPAA legislation outlines a number of rules, each of which describes how to be compliant, see the figure below:

Security Safeguards

The rules above are summarized and made operational in the three safeguards. Activities and controls outlined in the safeguards must be anchored in the organization's policies, processes or procedures to be compliant.

  1. Administrative Safeguards describe the administrative actions that must be in place to protect sensitive patient data, and how security is to be controlled and maintained
  2. Technical Safeguards describe the technical activities that must be in place to protect sensitive patient data, and how access to the data must be controlled
  3. Physical Safeguards describe the physical operations that must be in place to protect the organization's buildings, electronic information systems and equipment from unauthorized intrusion

Violations & Reporting

Authorities require organizations to comply with HIPAA; any violation of the HIPAA rules carries the risk of a financial penalty. Violations can lead to fines of up to $1.5 million per year per offence. A violation or breach that poses a high risk of compromising the security or privacy of sensitive patient data must be reported to the authorities.

The Required and Addressable Security Measures

HIPAA works with two different kinds of security measures: "required" and "addressable". The required measures are mandatory unless there is a justifiable rationale not to implement the safeguard. The addressable measures give some flexibility in implementation where there is an appropriate alternative or where the measure is not relevant.

Record Retention Requirements

When medical records are retained, they must be kept secure at all times. HIPAA requires appropriate administrative, technical and physical safeguards to be implemented to ensure the confidentiality, integrity and availability of sensitive patient data throughout its lifecycle, from creation to disposal. The Privacy Rule requires organizations to provide individuals, upon request, access to the sensitive patient data that has been registered about them.

Communicating HIPAA to Patients & Employees

Healthcare suppliers are required by law to ensure that patients are informed about the Privacy Policy. Furthermore, healthcare suppliers are also required to ensure that privacy and security policies have been read by their employees, and that a sanction policy has been established for employees who do not comply.


HIPAA addresses the digitalization of medical data and outlines the safeguards organizations must apply to protect healthcare data in both paper and electronic formats.

HIPAA compliance is an ongoing exercise. There is no compliance test or certification one can achieve; it is a self-regulated process.

If there is a violation or breach involving sensitive patient data, this can result in heavy financial penalties from the authorities.