Skip to content

什麼是 HIPAA? 範圍、目的和如何遵守

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the federal law that created national standards for protecting sensitive patient health information from being disclosed without the patient’s knowledge or consent. Read more about this US regulation and find out how to comply.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was primarily about solving insurance coverage for individuals that are between jobs. Without this law, employees would have faced the risk of losing their insurance coverage for the period between jobs.

Another goal was to ensure that all data is properly secured and no unauthorized individuals can access healthcare data.

HIPAA applies in the United States and is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR).

Purpose of HIPAA

The HIPAA was created in order to modernize the flow of healthcare information and to make sure that Personally Identifiable Information gathered in healthcare and insurance companies are protected against fraud and theft, and cannot be disclosed without consent.

Patients’ healthcare information is treated more sensitively and can be quickly accessed by various healthcare providers. HIPAA regulations require that records are better secured and protected against leakage.

What is Protected Health Information?

Any company or individual that works with Protected Health Information (PHI) needs to be compliant with HIPAA. PHI is created when any health data is combined with personally identifiable information, such as the following:

  • Names 
  • Geographical identifiers 
  • Phone and fax numbers 
  • Email addresses 
  • Medical record numbers 
  • Account numbers 
  • Vehicle information 
  • Website URLs 
  • Fingerprints, retinal and voice prints 
  • Social security numbers 
  • Health insurance beneficiary numbers 
  • Certificate and license numbers 
  • Device information, IP addresses 
  • Full face photographs 

      When PHI is stored electronically, it’s called ePHI. 

      The Scope of HIPAA

      There are several entities that regularly work with Protected Health Information and therefore must follow The Health Insurance Portability and Accountability Act: 

      • Healthcare providers 
      • Health plans 
      • Healthcare clearinghouses 
      • Business associates 

        HIPAA Rules

        HIPAA consists of the following rules: 

        • Privacy Rule 
        • Security Rule 
        • Breach Notification Rule 
        • Omnibus Rule 
        • Enforcement Rule 

        HIPAA Privacy Rule 

        The Privacy Rule defines how, when and under what circumstances PHI can be used and disclosed. Without a patient’s prior consent, the use of information about the patient is limited. Patients and their representatives are allowed to obtain a copy of their health records and request corrections in case of errors.

        HIPAA Security Rule 

        The Security Rule sets standards to protect ePHI. The Security Rule must be followed by anyone who works with ePHI. Security Officers and Privacy Officers must perform risk assessments and audits to identify any threats to PHI integrity.

        Breach Notification Rule 

        The Department of Health and Human Services must be notified in case of a data breach, as must the affected individuals. If more than five hundred patients in a particular jurisdiction are affected, a press release must be issued in a news outlet covering the area.

        Omnibus Rule 

        The Omnibus Rule is a part of the HITECH Act (Health Information Technology for Economic and Clinical Health Act) that came into force in 2009 and was created to encourage the use of electronic health records by healthcare providers.

        The Omnibus Rule prohibits the use of PHI for marketing or fundraising purposes without authorization.

        Enforcement Rule 

        The Enforcement Rule is about determining the appropriate fine when a breach occurs. A fine can be lower in case of negligence, however if the violation happens due to willful neglect it can be much higher. 

          The Rights of Individuals

          Within the HIPAA Privacy Rule, individuals have the legal right to see and receive copies of medical information.  

          Individuals have the right to: 

          • Access PHI 
          • Amend PHI 
          • Request restriction on who uses PHI and how it is disclosed
          • Request confidential communications 
          • Request accounting of disclosures 
          • File a complaint 

          Even though patients have the right to access their records, some types of information are excluded from the Right to Access. The following information is excluded:

          Excluded information is the following: 

          • Quality assessment or improvement records 
          • Safety activity records
          • Business and management records 
          • Psychotherapy notes 
          • Information compiled for use in civil, criminal, or administrative action or proceedings 

            HIPAA Violations

            A HIPAA violation occurs when a HIPAA entity or a business associate fails to comply with any of the HIPAA Rules. Penalties for HIPAA violations are issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. HIPAA uses four categories of penalties:

            • Tier 1: Lack of Knowledge 

            The entity was not aware of the violation; therefore, it could not have been avoided. The penalty per such violation is $120—$30,113.

            • Tier 2: Reasonable Cause 

            The entity should have been aware of the violation, however, could not have avoided it. The penalty per such violation is $1,205—$60,226. 

            • Tier 3: Willful Neglect 

            The entity willfully neglected HIPAA Rules, but tried to correct the violation. The penalty per such violation is $12,045—$60,226.

            • Tier 4: Willful Neglect and not corrected 

            The entity willfully neglected HIPAA Rules and didn’t make any attempt to correct the violation. The penalty per such violation is $60,226—$1,806,757. 

            The Most Common HIPAA Risks


            Keeping unsecured records 

            Employees leave sensitive documents at their desks or don’t use passwords to access digital data. Make sure that the workspace is secured, and passwords are used at your company.


            Unencrypted data 

            Encryption of your data is not mandatory by HIPAA, but it is highly recommended. Even if data is leaked, when it is encrypted it can’t be accessed without authorization.


            Hacking or phishing campaigns 

            Keep your anti-virus software up to date, regularly change passwords and use a DLP solution to protect your data against leakage.


            Loss or Theft of Devices 

            Valuable devices can be lost in the blink of an eye. Encrypt your data, so even if a device is lost, no one unauthorized can access it.


            Sharing PHI 

            Always keep in mind that people like to talk. Very often employees don’t even realize that they have been sharing sensitive information with each other. Educate them about sensitive data handling, and make sure that only authorized individuals can access the data. 


            Lack of employee training 

            Employees might not even realize that they have been working with PHI and the violation can be harmful to both the company and patients. Educate them regularly and make sure they understand what PHI and HIPAA are, as well as the consequences of violation.


            Unauthorized Access 

            Employees who are not authorized to process sensitive information can still access it and go through the documents. Set the proper security policies and make sure your employees are aware of them.

            Insider Threats in the Healthcare

            As you can see above, violations often stem from mistakes made by employees, whether they lose a device, click on a phishing campaign, or just talk with their colleagues about patients. HIPAA violations can happen easily. Insider threats can be either unintentional or malicious. However, 56% of insider threat incidents are caused by negligent employees.

            And according to Ponemon Institute, the average total cost of a data breach for healthcare companies jumped 29% to $9.23 million. Health and pharmaceuticals are among the industries with the highest annual insider threat costs, at over $10M per year (Ponemon Institute, 2022). 

            Read more about insider threats here.

            How to Secure Data For HIPAA Compliance?

              1. Encrypt your data 
              2. Adopt security policies and define authorized employees to access your PHI 
              3. Use a DLP solution to protect your data against insider threats and to enforce security policies. 
              4. Educate your employees on a regular basis 
              5. Secure your workplace, adopt policies on how to work with sensitive documents 

              How Safetica Secures Your Data For HIPAA Compliance?

              1. Safetica encrypts your data and keeps it protected in case of device loss or theft. 
              2. Safetica is a DLP solution that protects your data against insider threats. Define which operations can be risky and block them or make Safetica notify you and your employees about potential risks.
              3. With Safetica it is easy to adopt security policies and define authorized employees that can work with PHI. You can set your security policies and monitor whether your company’s sensitive data is being misused, and only allow authorized individuals to access it.
              4. Educate your employees on a regular basis. Safetica notifies your employees in the event of risky operations, so they are more aware of data security.
              5. Secure your workplace, and adopt policies on how to work with sensitive documents. Safetica performs security audits and provides you with regular reports that allow you to adjust your security policies.

              Customer Stories:
              How Safetica Helps in Healthcare

              Gyncentrum Clinic protects their clients’ sensitive data with Safetica. Read more here.

              Our staff, both administrative and medical, has access to our patients’ sensitive data on a daily basis. These are personal and medical information, examination results and psychological evaluations. Thanks to Safetica, I can, as the person responsible for data protection in the clinic, decide who has access, how data is processed and whether it can be shared with third parties or not. Employees’ activities are reported, and patients’ data protected.

              Says Paweł Czerwiński, Owner of Gyncentrum.

              Top 3 HIPAA Violations

              #1 Tricare 

              Number of records leaked: 5 million 

              Tricare is a healthcare program for active-duty troops, their family members, and military retirees. In September 2011, the company experienced a data breach. Backup tapes of electronic health records were stolen from the car of the person who was responsible for transporting these records.

              Types of data exposed:  

              • Social security numbers 
              • Names 
              • Addresses 
              • Phone numbers 
              • Personal health data 
              • Clinical notes 
              • Lab tests 
              • Prescription information 

                #2 Community Health Systems Data Breach 

                Number of records leaked: 4.5 million 

                In 2014, malware software was deployed and sensitive patient data was stolen. Patients who received treatment from the company in the previous 5 years were impacted.

                Types of data exposed: 

                • Names 
                • Birth dates 
                • Social security numbers 
                • Phone numbers 
                • Addresses 

                  #3 UCLA Health Data Breach 

                  Number of records leaked: 4.5 million 

                  In October 2014, UCLA experienced a cyberattack in which sensitive patient information was stolen.

                  Types of data exposed: 

                  • Names 
                  • Birth dates 
                  • Social security numbers 
                  • Medicaid 
                  • Health plan identification numbers 
                  • Medical data 

                    As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

                    Ripple20 are 19 vulnerabilities revealed by Israeli firm JSOF that affect millions of OT and IOT devices. The vulnerabilities reside in a TCP/IP stack developed by Treck, Inc. The TCP/IP stack is widely used by manufacturers in the OT and IoT industries and thus affects a tremendous amount of devices.

                    Among the affected devices are Cisco Routers, HP Printers, Digi IoT devices, PLCs by Rockwell Automation and many more. Official advisories by companies who confirmed having affected devices can be found here, in the “More Information” section.

                    The most critical vulnerabilities are three that can cause a stable Remote Code Execution (CVE-2020-11896, CVE-2020-11897, CVE-2020-11901) and another that can cause the target device’s memory heap to be leaked (CVE-2020-11898).

                    On behalf of our customers, we set out to explore the real impact of these vulnerabilities, which we’re now sharing with the public.

                    The research has been conducted by researchers Maayan Fishelov and Dan Haim, and has been managed by SCADAfence’s Co-Founder and CTO, Ofer Shaked.

                    Exploitability Research
                    We set out to check the exploitability of these vulnerabilities, starting with CVE-2020-11898 (the heap memory leak vulnerability), one of the 19 published vulnerabilities.

                    We created a Python POC script that is based on JSOF official whitepaper for this vulnerability. According to JSOF, the implementation is very similar to CVE-2020-11896, which is an RCE vulnerability that is described in the whitepaper. Also mentioned about the RCE vulnerability: “Variants of this Issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.”

                    Trial Results:
                    Test 1 target: Samsung ProXpress printer model SL-M4070FR firmware version V4.00.02.18 MAY-08-2017. This device is vulnerable according to the HP Advisory.

                    Test 1 result: The printer’s network crashed and required a hard reset to recover. We were unable to reproduce the heap memory leak as described, and this vulnerability would have been tagged as unauthenticated remote DoS instead, on this specific printer.

                    Test 2 target: HP printer model M130fw. This device is vulnerable according to the HP Advisory.

                    Test 2 result: Although reported as vulnerable by the manufacturer, we were unable to reproduce the vulnerability, and we believe that this device isn’t affected by this vulnerability. We believe that’s because the IPinIP feature isn’t enabled on this printer, which we’ve verified with a specially crafted packet.

                    Test 3 target: Undisclosed at this stage due to disclosure guidelines. We will reveal this finding in the near future.

                    Test 3 result: We found an unreported vendor and device, on which we can use CVE-2020-11898 to remotely leak 368 bytes from the device’s heap, disclosing sensitive information. No patch is available for this device. Due to our strict policy of using Google’s Responsible Disclosure, we’ve reported this to the manufacturer, to allow them to make a patch available prior to the publication date.

                    Key Takeaways
                    We’ve confirmed the exploitability vulnerabilities on our IoT lab devices.

                    On the negative side: The vulnerabilities exist on additional products that are unknown to the public. Attackers are likely to use this information gap to attack networks.
                    On the positive side: Some devices that are reported as affected by the manufacturers are actually not affected, or are affected by other vulnerabilities. It might require attackers to tailor their exploits to specific products, increasing the cost of exploitation, and prevent them from using the vulnerability on products that are reported as vulnerable.

                    SCADAfence Research Recommendations
                    Check your asset inventory and vulnerability assessment solutions for unpatched products affected by Ripple20.
                    The SCADAfence Platform creates an asset inventory with product and software versions passively and actively, and allows you to manage your CVEs across all embedded and Windows devices.
                    Prioritize patching or other mitigation measures based on: Exposure to the internet, exposure to insecure networks (business LAN and others), criticality of the asset.
                    This prioritization can automatically be obtained from tools such as the SCADAfence Platform.
                    Detect exploitation based on network traffic analysis.
                    The SCADAfence Platform detects usage of these exploits in network activity by searching for patterns that indicate usage of this vulnerability in the TCP/IP communications.
                    If you have any questions or concerns about Ripple20, please contact us and we’ll be happy to assist you and share our knowledge with you or with your security experts.

                    About Version 2 Limited
                    Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

                    About SCADAfence
                    SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.