Blog BCDR Shield
April 02, 2019
Cloud-to-Cloud BackupData Retention

The IT Directors’ Guide to HIPAA Compliance

HIPAA compliance adds an additional level of complexity to the responsibilities of IT directors working in healthcare. While CTOs and IT directors are responsible for behind-the-scenes business success through data security, digital safety, and data availability, those working in healthcare also must address the unique needs determined by HIPAA regulations.

Whether you’re getting up to speed on HIPAA or improving your HIPAA compliant IT processes, this guide will teach you what you need to know for HIPAA compliance in IT.

Read on to learn:

  • The HIPAA basics for IT directors
  • HIPAA compliance mistakes you can avoid
  • Steps to ensure HIPAA compliance for IT professionals

Following IT best practices for HIPAA compliance is the first step to keeping your health care data secure and accessible. Let’s get started!

HIPAA Basics for IT Directors

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. When the electronic storage of data became commonplace for businesses, the healthcare industry needed to stay ahead of the curve and prevent protected health information (PHI) theft and tampering. HIPAA is the philosophical underpinnings of the Privacy and Security Rules (enforced started in 2003 and 2005, respectively). Essentially, they are the rules that protect patients, providers and businesses alike.

HIPAA’s Privacy and Security rules are the tactical implementations of HIPAA’s PHI security and privacy strategy.

As an IT professional in health care, you’re responsible for performing the majority of HIPAA compliance functions for your organization, including:

  • The security CIA triad of data confidentiality, integrity, and availability
  • e-PHI training for staff with access to digital records
  • Physical security of devices and servers housing protected health information
  • Data encryption and technical security

Am I a beholden to HIPAA’s Privacy and Security Rules?

The following are most of the groups held accountable for adherence to HIPAA’s Privacy and Security Rules:

  • Health plans (Group health  plans, HMOs, Medicare): Organizations or people who “provide or pay the cost of medical care”
  • Healthcare clearinghouses: Public and private entities who process data from standard to non-standard formats or vice versa
  • Health care providers: Organizations and individuals providing health care services or paid for health care services
  • Hybrid entities: HIPAA Rules cover some functions of the entity, other functions do not require HIPAA compliance
  • Business associates: When you or your organization has access to the “individually identifiable health  information” of a HIPAA-covered entity as part of your operational functions

You can read the Department of Health and Human Services (HHS)’s guidelines to confirm whether you’re a covered entity under HIPAA or not. The answer is, if you think you might be responsible for following HIPAA’s Security and Privacy rules, you probably are.

Common HIPAA Non-Compliance Risks and Fixes

Learn the most frequently encountered IT non-compliance risks, how to correct them, and what you can do to prevent them.

IT failures can create HIPAA non-compliance

SecOps is critical for any organization, but especially for protecting health information. Common risks to data security in healthcare include:

  • Data threats: Ransomware, phishing, and security threats run rampant in health information security, partly due to the increasing value of health information sold on the dark web
  • Software security vulnerabilities: Just because your e-PHI software markets itself as HIPAA-compliant doesn’t mean you can dial-in your risk analysis practices for other software in the building
  • User error: This roughly translates to “you need to train your staff better and more often.” Even though it was not your fault an employee clicked on a malicious email or left the e-PHI program open when stepping away from their desk, most organizations hold IT Directors responsible for any data security failures
  • Migration from one data storage platform to another: Whether you’re moving from an on-site server to AWS or migrating to Office 365, your data is at risk any time you transfer it

Make HIPAA Security an ongoing process

Your organization is growing and changing alongside the IT and HIPPA landscape, so keeping up can feel like a mammoth effort. You can maintain the highest level of security for your PHI by taking the following steps and making sure data security is on everyone’s mind.

Train everyone

Although  SecOps and IT team members heed IT Directors’ advice and follow security protocols, most of the other staff members do not. Make it your mission to give HIPAA compliance training to each member of your staff and be available to discuss questions or review IT security practices to ensure HIPAA compliance from every single staff member. Get creative and fit your company culture — for example, you could hold quarterly seminars or avail yourself to all staff members an hour a month for “office hours.”

Point out mistakes

Despite the best of intentions and solid SecOps best practices, missteps will happen. When that occurs, correct it immediately and do a post-mortem for the bigger ones. It takes time to stop and point out what went wrong, but pointing out mistakes (and focusing on the error rather than the person) creates an atmosphere of direct accountability and honesty.

When HIPAA changes, you change

HIPAA’s Security and Privacy rules are responsive to changes in the IT sector and enforced differently based on your organization’s type and size. A rule that you weren’t required to follow last month may have changed by adding 10 more employees. Stay abreast of changes in and enforcement of HIPAA Rules with regular training from HHS and using data platforms that are HIPAA-compliant.

Make your protocols HIPAA-secure and document them

Begin with your IT training and SecOps best practices, and enhance these with the HIPAA guide to risk analysis. Mistakes will happen, but protocols and documentation will save your company many headaches (and may save your job).

You should also understand the steps to solidify your IT HIPAA compliance plan.

Steps to Ensure IT HIPAA Compliance

Be proactive

Research HIPAA security best practices for your organization. Read articles like 3 Tactics to Thwart Office 365 Ransomware Attacks to learn how to protect your data in the most-used cloud applications.

Watch yourself

Study your practices and be sure that you and your team aren’t getting too comfortable. HIPAA noncompliance by IT professionals is less often due to a significant flaw in the protocols than it is to a series of small failures to follow protocol, leading to a data breach.

Use failsafe data protection measures

SecOps are vital to business continuity. Get buy-in from the executive team and across your organization, so everyone understands the importance of data security for your bottom line.

Use a third-party data backup platform to house PHI. The risks and repercussions of failed data security are too high to put all of your eggs in one basket and rely on your data storage platform alone. By using a HIPAA-secure storage backup for all PHI, not only will you be HIPAA-compliant, but you’ll also gain data security and better data access.

Be HIPAA-Compliant ASAP

Keeping IT practices compliant with HIPAA standards doesn’t have to be overwhelming. Remember, using typical IT security best practices will put you on the right track. With data protection tools and HIPAA training, you’ll have much less to worry about when it comes to HIPAA compliance.

Make your data protection practices HIPAA compliant. Use Backupify to protect your organization’s protected health data today.


SaaS Data Under Siege: Ransomware’s Rising Threat

Your cloud data could be just as vulnerable to the next wave of cyberattacks as data hosted on-premises

Office 365 logo

Secure Office 365 data protection. Backupify delivers fast recovery of Exchange, OneDrive, SharePoint Online, Calendar, Contacts and Microsoft Teams data.


Office 365 logo

Google Vault alone does not ensure your G Suite data is recoverable. Quickly restore lost data from Gmail, Calendars & Contacts, Drive and Shared Drives with Backupify.


See Why Backupify Wins SaaS Backup