Guide to HIPAA Compliance

Information Security for Electronic Patient Health Information (ePHI)

What is HIPAA Compliance?

HIPAA stands for the Health Insurance Portability and Accountability Act. HIPAA provides data privacy and security provisions for safeguarding medical information. HIPAA is divided into five titles, but adherence to the Administrative Simplification provisions of Title II (the Privacy, Security, Enforcement and transaction standards) is what is commonly known as HIPAA Compliance.

Who needs to be HIPAA Compliant?

Health Care Providers

The term health care provider covers any individual or organization that furnishes care, from primary care physicians to pharmacies and clinics, and that transmits health information electronically in connection with a HIPAA standard transaction (such as a claim).

Health Plans

Every health plan pays for medical services on behalf of its members and therefore stores and transmits PHI; health plans are covered entities.

Health Care Clearinghouses

A health care clearinghouse is an entity that converts nonstandard health information into a standard format, or the reverse, such as a billing service, repricing company, or community health information system.

What is considered PHI?

  • Identifiers such as a patient’s name, address, birth date and Social Security number, when held together with health information;

  • An individual’s past, present or future physical or mental health condition;

  • Any care provided to an individual; or

  • Information concerning payment for the care provided to the individual that identifies the patient, or for which there is a reasonable basis to believe it could be used to identify the patient.

5 Rules and Standards for HIPAA Compliance 

National Provider Identifier Standard

Each covered health care provider, whether an individual or an organization, must obtain a unique 10-digit National Provider Identifier (NPI) and use it in standard transactions. (Employers are identified by their EIN rather than an NPI.)

Transactions and Code Sets Standard

Healthcare organizations must use the adopted standard formats and code sets for electronic data interchange (EDI) when they submit and process insurance claims and related transactions.

HIPAA Privacy Rule

The HIPAA Privacy Rule is officially known as the Standards for Privacy of Individually Identifiable Health Information. This rule establishes national standards to protect patient health information.

This rule was issued to limit the use and disclosure of PHI. It protects patient privacy by permitting uses and disclosures only where the rule allows them or the patient has authorized them, by requiring that only the minimum necessary PHI be used or disclosed, and by giving patients the right to an accounting of the disclosures a provider has made of their PHI (disclosures for treatment, payment and health care operations are excluded from that accounting). This provides accountability while still allowing health information to flow through the proper channels.

The Privacy Rule also guarantees patients the right to inspect and obtain a copy of their own health records from healthcare providers and health plans.

HIPAA Security Rule

The Security Standards for the Protection of Electronic Protected Health Information set the administrative, physical and technical safeguards required for ePHI, the subset of PHI that is created, stored or transmitted electronically.

HIPAA Enforcement Rule

This rule establishes the procedures for investigating complaints and compliance reviews, the civil money penalties for violations, and the hearing process for contesting them.

HIPAA Security Rule as it pertains to IT Security

The Security Rule requires covered entities (and their business associates) to implement three types of safeguards to protect ePHI. The standards under each type are:

Administrative Safeguards

  • Security Management Process
  • Security Personnel
  • Information Access Management
  • Workforce Training and Management
  • Evaluation

Physical Safeguards

  • Facility Access and Controls
  • Workstation and Device Security

Technical Safeguards

  • Access Control
  • Audit Controls
  • Integrity Controls
  • Transmission Security
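The technical safeguards are where an engineer can show the rule in running code. The following is an added example, not code from the original page or from ITonDemand: a minimal ePHI access gateway that enforces a per-role field policy (Access Control and the minimum necessary principle), records every attempt whether allowed or denied (Audit Controls), and chains each audit record to the previous one with an HMAC so that an edited or deleted record is detectable (Integrity Controls). The roles, users, patient record and the audit key are constructed sample data; the role-to-field policy is an assumption.

```python
"""Added example: ePHI access gateway with role-based access control and a
tamper-evident (HMAC-chained) audit log. Not from the page; sample data only."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed "minimum necessary" policy (assumption): which fields each role may read.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id"},
}

# Constructed patient record; in a real system this lives in the EMR database.
PATIENTS = {
    "P-1001": {"name": "Jane Doe", "dob": "1980-02-14", "diagnosis": "E11.9",
               "medications": ["metformin"], "insurance_id": "INS-4471"},
}


class AuditLog:
    """Append-only log. Each entry's MAC is HMAC(key, previous_mac || entry),
    so changing or removing an earlier entry breaks every MAC after it.
    The key must be held by the audit system, not by application users."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # each: {"record": {...}, "mac": hex string}

    def _mac(self, prev: str, record: dict) -> str:
        payload = prev + json.dumps(record, sort_keys=True)
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        mac = self._mac(prev, record)
        self.entries.append({"record": record, "mac": mac})
        return mac

    def verify(self) -> Optional[int]:
        """Return the index of the first entry whose MAC does not check, or None."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if not hmac.compare_digest(self._mac(prev, entry["record"]), entry["mac"]):
                return i
            prev = entry["mac"]
        return None


class EphiGateway:
    """Every read of ePHI passes through here: policy check first, then audit, then data."""

    def __init__(self, audit: AuditLog):
        self.audit = audit

    def read(self, user: str, role: str, patient_id: str, fields: set) -> Optional[dict]:
        allowed = ROLE_FIELDS.get(role, set())
        granted = fields <= allowed and patient_id in PATIENTS
        # Log the attempt before returning anything, including denials.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "fields": sorted(fields), "outcome": "allow" if granted else "deny",
        })
        if not granted:
            return None
        return {f: PATIENTS[patient_id][f] for f in fields}


def demo() -> dict:
    """Run an allowed read, a denied read, then tamper with the log and re-verify."""
    log = AuditLog(b"constructed-audit-key")
    gw = EphiGateway(log)
    ok = gw.read("dr.smith", "physician", "P-1001", {"name", "diagnosis"})
    denied = gw.read("clerk1", "billing", "P-1001", {"diagnosis"})
    intact = log.verify()
    log.entries[1]["record"]["outcome"] = "allow"  # an insider rewrites the denial
    return {"ok": ok, "denied": denied, "intact": intact, "tampered_at": log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain only proves that the log has not been altered up to its last entry; truncating the log by removing the newest entries is invisible to verify(). In practice the latest MAC is periodically written to a system the application cannot modify (a separate log server, or a write-once store) and compared on review.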

What is our approach to compliance?

Compliance Audit

Our team conducts a series of interviews and a network audit to determine where ePHI is stored, who can access it, and how it is used.

Gap Analysis

A Gap Analysis identifies the missing pieces necessary to achieve compliance.

Remediation Plan

A remediation plan with action steps toward compliance, ordered by priority, is put forth and executed.


ITonDemand then monitors system usage and provides the service and support to maintain compliance.

Compliance+ in Action / Florida Manufacturing Firm

A small north Florida firm manufactures CNC close-tolerance machined parts, custom components, and assemblies for the defense sector. Given the sensitive nature of the parts being manufactured, it was vital that communications and manufacturing specifications were secured while the organizational infrastructure was put in place and maintained to NIST compliance.

Read how ITonDemand made it happen.

HIPAA Compliance

The Health Insurance Portability and Accountability Act, or HIPAA, is the standard for protecting sensitive patient data. Any company that deals with electronic protected health information (ePHI) must have physical, network, and process security measures in place and enforce them to ensure HIPAA compliance.



Are you Aware?

When a medical facility deploys a hosted (cloud) EMR system, the patient data is stored on the vendor’s servers, but the workstations used to view it are not automatically clean. Unless documents are encrypted and sent directly to the cloud server without passing through another system, copies of scanned JPEGs and PDFs can remain in the local browser or application cache, unencrypted and outside the EMR’s access controls.

To remediate this, treat any local server or workstation that handles these documents as a system that stores ePHI and apply the same safeguards to it (disk encryption, access restrictions, cache clearing and audit logging), so that printable ePHI cannot be recovered from a local machine.
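A quick way to confirm whether a workstation is holding such copies is to scan its cache directories by file content rather than file name, since browser caches rarely keep a meaningful extension. The following is an added example, not code from the original page or from ITonDemand: it identifies PDF and JPEG files by their leading bytes and lists every match under a directory. The cache root is an assumption (point it at the workstation’s browser cache or temp folder); the sample cache it builds for the stand-alone run is constructed data.

```python
"""Added example: find PDF and JPEG files in a local cache by content signature.
Not from the page; the sample cache built below is constructed data."""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# File-type signatures: PDF files start with "%PDF-", JPEG files with the SOI marker FF D8 FF.
SIGNATURES = {"pdf": b"%PDF-", "jpeg": b"\xff\xd8\xff"}


def document_type(path: Path) -> Optional[str]:
    """Return 'pdf' or 'jpeg' if the file's first bytes match, else None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for kind, magic in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def find_cached_documents(root) -> List[Tuple[str, str]]:
    """Walk root and return (relative path, type) for every PDF or JPEG,
    regardless of the file's name or extension."""
    root = Path(root)
    found = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            kind = document_type(p)
            if kind:
                found.append((p.relative_to(root).as_posix(), kind))
    return found


def build_sample_cache(root) -> Path:
    """Constructed sample: an extension-less JPEG in a browser-style cache,
    a downloaded PDF, and a plain-text index file that should not match."""
    root = Path(root)
    (root / "Cache").mkdir(parents=True, exist_ok=True)
    (root / "Downloads").mkdir(parents=True, exist_ok=True)
    (root / "Cache" / "f_000a1c").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (root / "Downloads" / "lab-report.pdf").write_bytes(b"%PDF-1.7\n%constructed\n")
    (root / "Cache" / "index").write_bytes(b"plain text cache index")
    return root


def scan_constructed_sample() -> List[Tuple[str, str]]:
    """Build the sample cache in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return find_cached_documents(tmp)


if __name__ == "__main__":
    for rel, kind in scan_constructed_sample():
        print(f"{kind:5} {rel}")
```

A scan like this is a detection step, not a fix: a positive result means the workstation is storing ePHI locally and needs the same safeguards as the server, and the matches should be handled as ePHI (not emailed around as a finding).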

PCI Compliance

Secure payment systems assure your customers that you can be trusted with their payment information. PCI compliance puts measures in place to prevent a breach or loss of consumer financial information.

The 12 Points to meet PCI Compliance

PCI compliance is achieved by meeting 12 requirements that cover the use, storage, and transmission of cardholder data.

SOC-2 Compliance

SOC-2 compliance is a necessary security 

Who should be SOC-2 Compliant?

Service Providers