Getting Started with HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting the privacy and security of individually identifiable health information in the United States. HIPAA applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically) and their business associates. HIPAA compliance is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Matproof maps HIPAA requirements to controls, policies, and evidence workflows so you can demonstrate compliance during OCR audits and respond to breach investigations.
Activate HIPAA under Settings - Frameworks - HIPAA. Controls are pre-populated across the Privacy Rule, Security Rule, and Breach Notification Rule.

Am I in Scope?

| Entity Type | Definition | Key Obligations |
| --- | --- | --- |
| Covered Entity | Health plans, healthcare clearinghouses, healthcare providers who transmit PHI electronically | Full compliance with Privacy, Security, and Breach Notification Rules |
| Business Associate | Any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity | Security Rule compliance, breach notification, Business Associate Agreement (BAA) required |
If you handle Protected Health Information (PHI) for a US healthcare organization - even as a technology vendor or cloud provider - you are likely a business associate and must comply with HIPAA.

HIPAA Rules in Matproof

Privacy Rule

Matproof modules: Policies, Controls

Governs the use and disclosure of PHI. Requires a Notice of Privacy Practices, patient rights (access, amendment, accounting of disclosures), and minimum necessary standards.

Security Rule

Matproof modules: Controls, Evidence

Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Includes risk analysis, access controls, audit controls, transmission security, and encryption.

Breach Notification Rule

Matproof modules: Incidents

Requires notification to affected individuals, HHS, and (for breaches affecting 500+ individuals) the media. Notification deadlines: 60 days for individuals and HHS; business associates must notify the covered entity without unreasonable delay.

Business Associate Agreements

Matproof modules: Vendor Risk

Track BAAs with all business associates. Ensure agreements include required provisions for PHI handling, breach notification, and termination.

Security Rule Safeguards

The Security Rule organizes requirements into three categories:

Administrative Safeguards

| Standard | Requirement | Matproof Control |
| --- | --- | --- |
| Security Management Process | Risk analysis, risk management, sanction policy, information system activity review | Risk Management, Controls |
| Assigned Security Responsibility | Designate a security official | People |
| Workforce Security | Authorization, supervision, clearance procedures, termination procedures | People, Controls |
| Information Access Management | Access authorization, access establishment and modification | Controls |
| Security Awareness and Training | Security reminders, malicious software protection, log-in monitoring, password management | People, Controls |
| Security Incident Procedures | Response and reporting | Incidents |
| Contingency Plan | Data backup, disaster recovery, emergency mode operations, testing, criticality analysis | Policies, Controls |
| Evaluation | Periodic technical and nontechnical evaluation | Audit Programs |

Physical Safeguards

| Standard | Requirement |
| --- | --- |
| Facility Access Controls | Contingency operations, facility security plan, access control and validation, maintenance records |
| Workstation Use | Policies for workstation use and security |
| Workstation Security | Physical safeguards for workstations accessing ePHI |
| Device and Media Controls | Disposal, media re-use, accountability, data backup and storage |

Technical Safeguards

| Standard | Requirement |
| --- | --- |
| Access Control | Unique user identification, emergency access procedure, automatic logoff, encryption and decryption |
| Audit Controls | Mechanisms to record and examine activity in information systems containing ePHI |
| Integrity | Mechanisms to authenticate ePHI and protect against improper alteration or destruction |
| Person or Entity Authentication | Verify the identity of persons seeking access to ePHI |
| Transmission Security | Integrity controls and encryption for ePHI transmitted over networks |

Step 1 - Conduct a risk analysis

The Security Rule requires a thorough risk analysis as the foundation for all other safeguards:

  • Go to Risk Management - New Risk Assessment
  • Identify all systems that create, receive, maintain, or transmit ePHI
  • Identify threats and vulnerabilities to each system
  • Assess the likelihood and impact of each threat
  • Document current safeguards and identify gaps
  • Determine the risk level for each threat-vulnerability combination

Risk analysis is the single most common HIPAA deficiency cited in OCR enforcement actions. It must be thorough, documented, and updated regularly - not a one-time checkbox exercise.

Step 2 - Generate HIPAA policies

Go to Policies - Generate and create the required HIPAA policy set:

  • Privacy Policy (Notice of Privacy Practices)
  • Information Security Policy
  • Access Control Policy
  • Incident Response and Breach Notification Policy
  • Business Continuity and Disaster Recovery Policy
  • Workforce Security and Training Policy
  • Device and Media Controls Policy

Assign each policy to an owner and ensure management approval is documented.

Step 3 - Implement Security Rule safeguards

Work through the controls in Controls - HIPAA:

  • Implement administrative safeguards (risk management, workforce security, access management, training)
  • Implement physical safeguards (facility access, workstation security, device controls)
  • Implement technical safeguards (access controls, audit logging, encryption, transmission security)
  • For each control, document the implementation and link supporting evidence

Step 4 - Business Associate management

  • Go to Vendor Risk and identify all business associates (any entity handling PHI on your behalf)
  • Ensure a signed BAA is in place for each business associate
  • Upload BAAs as evidence against the relevant controls
  • Conduct periodic assessments of business associate security practices
  • Track BAA renewal dates and maintain a current register

Step 5 - Workforce training

  • Go to People - Training
  • Assign HIPAA privacy and security training to all workforce members with access to PHI
  • Provide role-specific training for staff with elevated access
  • Track completion and document refresher training schedules
  • Link training records as evidence against the Security Awareness and Training controls

Step 6 - Breach notification setup

Configure your breach response workflow:

  • Go to Incidents and set up HIPAA breach classification criteria
  • Define the breach risk assessment methodology (the four-factor test for determining if notification is required)
  • Establish notification templates and workflows for individuals, HHS, and media (for breaches of 500+ records)
  • Document the process for the annual submission of breaches affecting fewer than 500 individuals

Step 7 - Audit and evaluation

  • Go to Audit Programs - New Audit - HIPAA
  • Conduct a periodic evaluation of your security safeguards (required by the Evaluation standard)
  • Review audit log data from systems containing ePHI
  • Document findings as Corrective Actions with remediation timelines
  • Update your risk analysis based on audit findings and environmental changes
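The notification rules from Step 6 (60 days for individuals and HHS, media notice at 500+ individuals, annual submission below 500, business associates reporting to the covered entity) worked into a small decision helper, as an added Python example that is not code from this page or from Matproof. It assumes the 60-day clock starts on the discovery date and takes the outcome of the four-factor test as an input recorded by the analyst.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Figures from the page: 60-day deadline for individuals and HHS, media notice at 500+ individuals.
NOTIFICATION_WINDOW_DAYS = 60
MEDIA_THRESHOLD = 500


@dataclass(frozen=True)
class Breach:
    discovered: str              # ISO date; assumption: the 60-day clock starts on discovery
    affected_individuals: int
    reporting_entity: str        # "covered_entity" or "business_associate"
    notification_required: bool  # outcome of the four-factor risk assessment, recorded by the analyst


def notification_obligations(b: Breach) -> dict:
    """Map a breach record to the parties that must be notified and the deadline for each."""
    if b.reporting_entity not in ("covered_entity", "business_associate"):
        raise ValueError("reporting_entity must be 'covered_entity' or 'business_associate'")
    if not b.notification_required:
        # Four-factor test found a low probability that PHI was compromised:
        # keep the documented assessment on file, send no notices.
        return {}
    if b.reporting_entity == "business_associate":
        # The BA reports upstream; the covered entity owns the individual/HHS/media notices.
        return {"covered_entity": "without unreasonable delay"}
    deadline = (date.fromisoformat(b.discovered) + timedelta(days=NOTIFICATION_WINDOW_DAYS)).isoformat()
    obligations = {"individuals": deadline}
    if b.affected_individuals >= MEDIA_THRESHOLD:
        obligations["hhs"] = deadline
        obligations["media"] = deadline
    else:
        # Fewer than 500 individuals: log the breach and include it in the annual submission to HHS.
        obligations["hhs"] = "annual submission"
    return obligations


def overdue_notices(b: Breach, today: str) -> list:
    """Return the recipients whose dated deadline has passed, for an Incidents dashboard check."""
    late = []
    for recipient, when in notification_obligations(b).items():
        try:
            due = date.fromisoformat(when)
        except ValueError:
            continue  # undated obligations ("annual submission", "without unreasonable delay")
        if date.fromisoformat(today) > due:
            late.append(recipient)
    return sorted(late)
```

Feeding a constructed record such as `Breach("2024-03-01", 1200, "covered_entity", True)` returns a 2024-04-30 deadline for individuals, HHS and media, while a 40-record breach keeps the individual deadline but routes HHS to the annual submission.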

Penalties

| Tier | Violation Type | Penalty per Violation | Annual Maximum |
| --- | --- | --- | --- |
| 1 | Lack of knowledge | $137 - $68,928 | $2,067,813 |
| 2 | Reasonable cause | $1,379 - $68,928 | $2,067,813 |
| 3 | Willful neglect (corrected within 30 days) | $13,785 - $68,928 | $2,067,813 |
| 4 | Willful neglect (not corrected) | $68,928+ | $2,067,813 |

Penalty amounts are adjusted annually for inflation. Criminal penalties (up to $250,000 and imprisonment) may apply for knowing misuse of PHI.

Next Steps

  • Risk Management - conducting your HIPAA risk analysis
  • Vendor Risk - managing Business Associate Agreements
  • Incidents - configuring breach notification workflows
  • People - workforce training tracking and access management