What Is HIPAA and How Does It Work? | Synopsys
Go Back
By Industry
By Technology
Synopsys Cloud
Synopsys Cloud

Cloud native EDA tools & pre-optimized hardware platforms

Request a Free Evaluation →
Synopsys Cloud Insights
Cloud Insights

Insights & answers to help you familiarize yourself with the best cloud solution for EDA

Explore →
View All Solutions →
Explore Silicon Design & Verification

Synopsys is a leading provider of electronic design automation solutions and services.

Platforms
Optical Design
Photonic Design
Design
3D Image Processing
Verification
Modeling & Simulation
Silicon Engineering
Try Synopsys Cloud
Synopsys Cloud

Unlimited access to EDA software licenses on-demand

Free Evaluation →
Explore Silicon IP

Synopsys is a leading provider of high-quality, silicon-proven semiconductor IP solutions for SoC designs.

Interface IP
Processor IP
Analog IP
Memories & Libraries
SoC Architecture
Security IP
SoC Infrastructure IP
IP Accelerated
IP Markets
DesignWare IP Portfolio Cover
DesignWare IP Portfolio
Download Brochure →
DesignWare Technical Bulletin
Read Latest Issue →
Explore Application Security

Synopsys helps you protect your bottom line by building trust in your software—at the speed your business demands.

Intelligent Risk Management
Comprehensive Software Analysis
Holistic Program Development
2022 Gartner® Magic Quadrant™ for Application Security Testing
2022 Gartner® Magic Quadrant™ for Application Security Testing
Download Now →
View All Products →
Company Overview
Resources
SNUG 2022
SNUG 2022

Thanks for attending!

Access on-Demand →
Synopsys Job Search Thumbnail
Pursue Your Passion

Start Your Job Search

Apply Now →
Table of Contents

Definition

The Health Insurance Portability and Accountability Act (HIPAA) was established by Congress in 1996. The legislation was passed to improve the efficiency of the United States healthcare system. It does so by standardizing best practices for maintaining the security and privacy of healthcare data. HIPAA required the United States Department of Health and Human Services (HHS) to create new regulations addressing this data. Thus far, the HHS has released two documents, the Privacy Rule and the Security Rule.

The Privacy and Security Rules define requirements for handling all electronic personal health information (e-PHI). Personal health information (PHI) represents any health data that includes identifying information (e.g., name, address, health conditions). Further, under HIPAA, healthcare organizations can no longer request Social Security numbers (SSN) as part of their data collection.

In 2009, the U.S. Congress also passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. This legislation creates definitions for the meaningful use of electronic health records (EHR) that contain PHI. The HITECH Act requires healthcare organizations to report suspected breaches. Increasing awareness around healthcare-related data breaches also prompted Congress to pass the HIPAA Omnibus Rule in 2013. This rule defines required security controls. These controls aim to strengthen the original protections within the HIPAA Privacy and Security Rules.

Covered Entities. HIPAA defines rules for all healthcare organizations (also known as covered entities) that store or transmit PHI data. Covered entities can include health plans, healthcare providers, or individuals assisting with healthcare. HIPAA also acknowledges that covered entities occasionally need to disclose PHI to business associates that support health services.

With the passing of the HITECH Act and HIPAA Omnibus Rule, business associates must adhere to HIPAA requirements in the same fashion as a covered entity. As such, covered entities must get written assurances from business associates that appropriate controls are in place.

What does HIPAA compliance have to do with software security?

The HIPAA Security Rule defines controls that must be implemented to protect PHI. This requires the implementation and documentation of administrative, physical, and technical safeguards. The technical safeguards require appropriate access, audit, and encryption controls. Software handling PHI must have these controls in place and they must be documented.

Conducting tests to ensure an implementation is performed appropriately in software that stores or transmits e-PHI demonstrates that HIPAA-required controls are successfully in place. Provision 164.308(a)(8) of the HIPAA Security Rule requires organizations that transmit and store PHI to regularly perform technical and non-technical evaluations of these systems.

Synopsys can help organizations meet the software security-related regulations set by HIPAA. We can assist in evaluating an organization's overall control environment to determine if the various HIPAA Security Rule requirements are met.

What problems does HIPAA compliance solve?

Any organization handling healthcare data or PHI must ensure that their security program and software controls address the requirements of the HIPAA Security and Privacy Rules. Covered entities that meet these rules are able to process, store, and transmit PHI without fear of civil or criminal penalties.

Note that HIPAA rules establish a minimum standard for the implementation of IT and software security controls. Without these rules, organizations processing PHI have no specific requirements protecting their healthcare data (i.e., for maintaining the confidentiality, integrity, and availability of the data).

The enforcement of HIPAA standards by the U.S. federal government ensures that organizations take the implementation of PHI controls seriously. It also ensures that consumers of healthcare in the U.S. have an outlet if their PHI is mishandled.

How can an organization become HIPAA compliant?

Get started by establishing whether or not your organization is a covered entity. Once PHI is identified within an organization’s software or systems, a review of the covered entity’s security policies and procedures is the next step to identify gaps and implement controls.

The Health Information Trust Alliance (HITRUST) offers a common security framework (CSF) to help organizations implement HIPAA-required controls necessary for compliance. The HITRUST CSF allows for self-assessment to implement appropriate controls. However, some organizations may require a validated assessment that is performed by a HITRUST assessor. This assessment must then be submitted to the HITRUST organization for review and approval. Failure to achieve a HITRUST certification may prevent certain HIPAA-regulated organizations from receiving PHI from organizations requiring HITRUST compliance in their documented security requirements for third parties.

If a violation is reported to the OCR, your organization must be responsive to requests for evidence of HIPAA-required controls. Perform external reviews of your security program and implement technical assessments to demonstrate adherence.

Implement at least the minimum required testing and controls defined by HIPAA. Risks to PHI and the covered entity extend beyond checking a compliance box. As threats to privacy and security evolve and expand, expectations for implementing reasonable controls required by HIPAA will also continue to expand. The easiest way to handle evolving expectations is to be one step ahead.

Continue Reading

Solution
Application Security Solutions for Healthcare
Blog
Five Medical Device Security Best Practices
Solution
Software Security Training
Blog
Medical Device Security In A Pandemic World
Report
Medical Device Security: An Industry Under Attack and Unprepared to Defend
Blog
Building Security Into Connected Medical Devices