Tips for Keeping Data HIPAA Compliant


Of all the places where you should feel safe, the doctor’s office is one of the most important. When you walk into a healthcare facility, you may already feel vulnerable. Maybe you have an embarrassing health issue that you need to discuss, or you’re hurt and wary of treatment. Not every health situation is pleasant, but you should at least know that your personal information is protected.

No matter the industry, keeping customer data safe should be a top priority. When it comes to medical data in particular, there are HIPAA laws that govern how to protect patient privacy — and there are huge risks to not being compliant. Healthcare information is a target for criminals because it has such a high resale value on the black market and is frequently used for identity theft. When a patient’s protected health information (PHI) is released to the public, it can affect their personal life as well as their work.

What Is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act, and it was introduced in 1996. There are five components of HIPAA:

  1. If an individual or their family member changes jobs or loses their job, HIPAA prevents new health insurance plans from denying coverage for pre-existing conditions.
  2. It introduced national standards for electronic transactions to prevent healthcare fraud.
  3. HIPAA provides guidelines for medical spending accounts.
  4. It also provides group health plan guidelines.
  5. The Act governs company-owned life insurance policies as well.

Overall, the purpose of HIPAA is to keep patient information confidential. All healthcare information is protected, including identifying information, such as Social Security numbers or physical addresses. However, there are situations where this confidentiality can be breached, such as if there’s a gunshot or stab wound or if there’s evidence of child or elderly abuse.

All electronic devices have to be protected under HIPAA, including hardware and software. Unauthorized users should not be able to access any device or system that contains patient information. In addition to securing computers, devices such as fax machines and printers must also be considered — only authorized people should be able to access those devices.

Compliance and Risk Assessment

A HIPAA security officer is a person with a background in IT who is tasked with upholding HIPAA policies and procedures. The security officer may document activities, conduct audits, or assess risk and compliance. Security risk assessments determine how exposed the computer systems are to intrusion by hackers or to malware infection. From there, fixes such as patches can be applied to close those gaps before they lead to a breach.

The security officer will also train employees to follow HIPAA guidelines. Different roles will have different access levels — for example, a doctor may be able to access more information than a nurse. HIPAA training should be held annually in order to refresh employee knowledge and go over any changes that have been made to the law.

8 Ways Healthcare Facilities Stay Compliant

There are a number of ways that healthcare facilities can ensure HIPAA compliance:

  1. HIPAA guidelines should be written in easy-to-understand English.
  2. Patient information must not be allowed to be discussed in public locations.
  3. Computers should have privacy screens so they can’t be read from various angles, and they should also be pointed away from the public.
  4. Log-off notices on computers could remind employees to log off so that patient information isn’t left exposed. Furthermore, PHI should never be unattended, whether it’s in digital or hard copy form.
  5. Passwords should not be emailed, written down, or shared in any way.
  6. Reception desks should have privacy sliding doors.
  7. Employees should understand what will happen if they breach HIPAA guidelines, including legal implications and termination policies.
  8. It’s important that contractors understand that they have to follow HIPAA guidelines too. Full-time employees aren’t the only people with access to patient information.

Patient Information and Data Analytics

There’s a lot of insight that can be gleaned from patient data, and that can then be used to improve the healthcare process for facilities as well as patients. Using this data without exposing patient identifiers has been a delicate subject, though. In order to take advantage of the data without breaching HIPAA, experts have come up with a way to de-identify the data.

De-identifying data involves taking personally identifiable information, like name, address and account number, and removing such details from the data to keep it anonymous. However, cybercriminals still find ways to re-identify data, often through a process of elimination. Also, since data like genetic sequencing is unique to each person, it’s nearly impossible to completely de-identify some PHI.
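The two steps the paragraph describes, stripping direct identifiers and then checking whether the leftover fields still single people out, look like this in practice. This is an added example, not code from the article or its author; the field names, the choice of quasi-identifiers (ZIP, birth year, sex) and the patient records are all constructed for illustration. It goes one step beyond the text by showing the usual mitigation: coarsening the quasi-identifiers until every record shares its values with at least k others (k-anonymity) before a dataset is released for analytics.

```python
"""De-identification with a k-anonymity check (added example, constructed data)."""
from collections import Counter

# Direct identifiers named in the article, plus a few common ones (assumed field names).
DIRECT_IDENTIFIERS = {"name", "address", "account_number", "ssn", "phone"}

# Fields that identify nobody on their own but, combined, can be matched
# against outside data by elimination (assumed quasi-identifier set).
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed sample records; no real patients.
SAMPLE_RECORDS = [
    {"name": "Patient One", "address": "1 Elm St", "account_number": "A-001",
     "zip": "83702", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"name": "Patient Two", "address": "2 Elm St", "account_number": "A-002",
     "zip": "83702", "birth_year": 1981, "sex": "F", "diagnosis": "migraine"},
    {"name": "Patient Three", "address": "3 Oak St", "account_number": "A-003",
     "zip": "83704", "birth_year": 1985, "sex": "F", "diagnosis": "diabetes"},
    {"name": "Patient Four", "address": "4 Oak St", "account_number": "A-004",
     "zip": "83704", "birth_year": 1972, "sex": "M", "diagnosis": "hypertension"},
    {"name": "Patient Five", "address": "5 Ash St", "account_number": "A-005",
     "zip": "83705", "birth_year": 1975, "sex": "M", "diagnosis": "asthma"},
    {"name": "Patient Six", "address": "6 Ash St", "account_number": "A-006",
     "zip": "83705", "birth_year": 1979, "sex": "M", "diagnosis": "arthritis"},
]


def deidentify(records):
    """Return copies of the records with every direct identifier removed."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def _quasi_key(record, quasi=QUASI_IDENTIFIERS):
    return tuple(record[q] for q in quasi)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing the same quasi-identifier
    values. k == 1 means at least one person is unique and can be singled out."""
    counts = Counter(_quasi_key(r, quasi) for r in records)
    return min(counts.values())


def unique_records(records, quasi=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination appears exactly once."""
    counts = Counter(_quasi_key(r, quasi) for r in records)
    return [r for r in records if counts[_quasi_key(r, quasi)] == 1]


def generalize(record, zip_digits=3, year_bucket=10):
    """Coarsen quasi-identifiers: keep only a ZIP prefix and bucket the birth year."""
    out = dict(record)
    z = record["zip"]
    out["zip"] = z[:zip_digits] + "*" * (len(z) - zip_digits)
    y = record["birth_year"]
    start = y - y % year_bucket
    out["birth_year"] = f"{start}-{start + year_bucket - 1}"
    return out


def prepare_release(records, k_required=3):
    """De-identify and generalize; return the dataset only if it meets the
    required k, otherwise None so that nothing below the bar is released."""
    candidate = [generalize(r) for r in deidentify(records)]
    return candidate if k_anonymity(candidate) >= k_required else None


if __name__ == "__main__":
    stripped = deidentify(SAMPLE_RECORDS)
    print("after removing direct identifiers, k =", k_anonymity(stripped),
          "unique people:", len(unique_records(stripped)))
    released = prepare_release(SAMPLE_RECORDS, k_required=3)
    print("after generalization, k =", k_anonymity(released))
```

Removing names and account numbers alone leaves every one of the six sample records unique on (ZIP, birth year, sex), which is exactly the "process of elimination" exposure the paragraph warns about; truncating the ZIP and bucketing the birth year puts each record in a group of three. The thresholds here are illustrative, and, as the paragraph notes, inherently unique data such as genetic sequences cannot be generalized this way at all.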

Healthcare providers need patients to trust them. Without patients, a clinic, hospital, or practice can’t continue operating as a successful business. The fear of having one’s data put at risk can make it difficult for patients to provide their personal information or discuss health issues. Healthcare professionals should make it clear to patients that their information will be kept confidential. The guidelines above can put patients’ minds at ease.

About the Author

Avery Phillips is a freelance human based out of the beautiful Treasure Valley. She loves all things in nature, especially humans. Leave a comment down below or tweet her @a_taylorian with any questions or comments.


Speak Your Mind

  1. I’m glad that you mentioned how patient information must be allowed to be discussed in public locations. My brother has not trusted his healthcare provider in the past with some information. Thanks for sharing this information and I will gladly pass along this to my brother.

  2. The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to confidentiality.