Health Insurance Portability and Accountability Act (HIPAA) Now Available on Whistic

March 22, 2021

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).

What is Protected Health Information?

Protected health information (PHI) is any demographic information that can be used to identify a patient or client of an entity subject to HIPAA. Examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos.

Who needs to be HIPAA compliant?

HIPAA regulation identifies two types of organizations that must be HIPAA compliant.

  • Covered Entities: Any organization that collects, creates, or transmits PHI electronically. Health care organizations that are considered covered entities include health care providers, health care clearinghouses, and health insurance providers.
  • Business Associates: Any organization that encounters PHI in any way over the course of work that it has been contracted to perform on behalf of a covered entity. Common examples include: billing companies, practice management firms, third-party consultants, IT providers, physical storage providers, cloud storage providers, email hosting services, and accountants.

What is required for Compliance?

  • Self-Audits: HIPAA requires covered entities and business associates to conduct annual audits of their organization to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards. The HIPAA Questionnaire is your roadmap to HIPAA Compliance Certification.

  • Remediation Plans: Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to address any identified gaps. The remediation plans must be documented and include calendar dates by which gaps will be remedied.

  • Policies, Procedures, Training: Covered entities and business associates must have documented Policies and Procedures corresponding to HIPAA regulatory standards. Annual staff training on these Policies and Procedures is required, along with documented employee attestation.

  • Incident Management: If a covered entity or business associate has a data breach, they must have a process to document the breach and notify patients that their data has been compromised.

To learn more about HIPAA, go here:

To start your HIPAA self-audit today or to learn more about working toward a HIPAA Compliance Certification, contact Whistic.

