August 30, 2019

HIPAA was enacted in 1996 to provide data privacy and security provisions for safeguarding medical information. By 2017, 86% of office-based physicians had digitized their patient health records. To provide standards for their confidentiality, integrity and security, the U.S. Department of Health and Human Services (HHS) issued the HIPAA Security Rule. Compliance with this rule is widely regarded as a best practice for securing electronic protected health information (ePHI).

What is the HIPAA Security Rule?

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

What if your organization doesn’t comply with HIPAA?

The cost of non-compliance can total millions of dollars. But failing to meet HIPAA security requirements can also lead to health data breaches that go beyond financial loss.

How can SailPoint help you comply with HIPAA?

Our open cloud identity governance platform makes it easy for you to stay compliant by seeing and controlling access to all your apps and data for every user.

Discover How

Who does the HIPAA Security Rule apply to?  

HIPAA security rule covers both individuals and organizations. These are often called HIPAA-covered entities. HIPAA covered entities include health insurance companies, HMOs, employer sponsored health plans, government healthcare programs, clearinghouses, and healthcare providers.

HIPAA even extends to business associates who work with covered entities. Examples of business associates include accountants, data analysts, consultants, bill collectors and more.

What are the key HIPAA areas identity governance addresses?

Protect ePHI integrity

Identify and analyze potential risks to ePHI and implement governance, risk and compliance polices to strengthen vulnerabilities 

Information access management/access control

Know who has access to what applications and data, and how that access is being used.

Activity logs and audit controls

Reduce the cost of compliance by automatically generating audit trails and access reports on all key applications and data.


Periodically assess security policies and procedures.

How identity governance helps ensure HIPAA compliance

  • Applying artificial intelligence/predictive analytics to monitor and identify unusual access behavior
  • Consistently enforce access policies and apply controls to all applications containing ePHI
  • Locating and securing structured and unstructured ePHI regardless of where they’re stored
  • Automate periodic reviews of user access rights

Steps to implement data governance

Having a strong governance policy for your healthcare data is extremely important. The healthcare industry deals with an immense amount of personal health information, and without a way to govern who has access, how they got access and the various risks that presents, it’s hard to manage and protect the data.

A data governance solution helps healthcare organizations securely share data, grant user permissions, and manage health data throughout the patient lifecycle.

Follow these steps to implement a data governance policy that works for your healthcare organization.

1. Identify all your data

The first step to any data governance system is performing an audit of sensitive data, in particular, PHI and ePHI. You’ll want to create a data hierarchy to understand the sensitivity of the data, its current permission levels, and the level of risk it would present if compromised.  

It’s especially important to understand permission levels in order to create a least privilege approach to data governance. This is the idea of limiting user access to only what’s needed for their job function. This is particularly important when dealing with highly sensitive data.

2. Clean up data

Another step in the data governance process is data clean up and upkeep. Stale (old) data can be both expensive to store and poses potential security risk. If there’s lack of visibility into where the stale data resides and how it is being used, it opens organizations up to risk of data infringement. Not to mention, if stale data is being used in patient lifecycle management or patient data storage, it could pose a huge risk to their wellbeing.

3. Comply with government standards

Inconsistencies in how your data is being handled can lead to violations in laws like HIPAA. Poor organization and user management limits the ability to protect patient health information.  

Make sure you’re compliant with HIPPA.

Learn how SailPoint can help.

Get Started Today