
How To Prevent HIPAA Violations with Controls that Prove Compliance

by Lauren Ballejos, IT Editorial Expert

Key Points

  • HIPAA compliance depends on proving safeguards are in place and effective: Evidence is required to avoid violations, even when controls exist.
  • Incomplete knowledge of PHI locations is the leading cause of violations: Visibility into where PHI lives and how it’s used is essential.
  • Technical safeguards must protect PHI in storage, transit, and access: Encryption, access control, backups, and retention are mandatory.
  • Audit logs and recurring evidence reviews support audit readiness: Continuous documentation demonstrates compliance over time.
  • Reducing PHI exposure lowers violation and breach risk: Minimizing where PHI is stored simplifies compliance and security.

Evidence of compliance is vital for businesses that must avoid HIPAA violations, as even if the correct compliance controls are implemented, you can still be found in violation if you can’t prove them. This affects both healthcare businesses and those that manage IT infrastructure and data on their behalf.

This guide explains how you can implement HIPAA compliance controls that help prevent HIPAA violations, while generating evidence that can be used to demonstrate compliance in case of an audit.

What is the most common reason for HIPAA violations?

HIPAA is the law in the United States that stipulates how protected health information (PHI) should be handled by healthcare providers and other organizations. Failure to comply with HIPAA can have severe legal, financial, and reputational repercussions.

The most common reason for HIPAA violations is simply not having a complete understanding of the data you hold, where it is, and how it is used. Stakeholders should be fully aware of their responsibilities toward protecting PHI so the correct safeguards can be maintained, and staff should be trained in handling PHI safely to prevent HIPAA violations by reducing the chances of misuse or disclosure.

What are the technical safeguards for HIPAA?

The technical safeguards will depend on where PHI is stored and how it is used. It is your responsibility to understand the data you hold and the laws that apply to it, and apply the required controls and other technical safeguards to protect it. These include:

  • Encryption: Sensitive data must be protected in transit and at rest
  • Role-based access control: Access to data should be granted only to those who need it
  • Backups: Data must be backed up for HIPAA compliance
  • Discoverability: Users need to be able to access their PHI, which requires being able to find all data about a particular person
  • Retention: Data, including records, policies, and agreements, may need to be stored for up to 6 years under HIPAA

You should regularly review the technical safeguards you have in place and compare them against the latest revisions to the HIPAA law, as it is subject to change.

What you need to (continuously) generate and store evidence of your HIPAA compliance

When choosing tools that will process or store PHI, look for those with audit logging functionality. You can then leverage IT automation tools that can collect, parse, and format this data into HIPAA compliance evidence reports, and then centrally store them for audit readiness.

To effectively prove compliance, you’ll need a defined PHI data map that includes:

  • Systems, flows, custodians, and retention policies
  • An access control policy with role definitions and exception workflow
  • Baseline configurations for devices, email, storage, and other services that handle PHI

This will help you ensure that PHI is covered by appropriate controls that realize the following HIPAA and PHI protection best practices:

| HIPAA best practice | Purpose | Value delivered |
| --- | --- | --- |
| PHI discovery and minimization | Reduces PHI exposure | Smaller data breach and violation surface area |
| Principle of least privilege and multifactor authentication | Access control and user account protection | Fewer unauthorized PHI disclosures |
| Secure communication and file exchange | Safer PHI sharing | Reduced risk when emailing or communicating internally or with partners |
| Configuration enforcement on endpoints | Ensures devices are correctly configured to protect PHI | Consistent secure configurations at scale |
| HIPAA compliance evidence packets and reviews | Proof of compliance and audit readiness | Faster audits and continuous improvement |

Compliance cannot be achieved by just reading a single online guide: you must refer directly to the HIPAA rules that cover your organization and anyone you store personal or healthcare data about. You may also have to consider other privacy or data protection laws that may apply to your industry, use case, or your customers. Seek legal and technical assistance to ensure that your implementation reaches all compliance requirements.

Method 1: Discover PHI locations and reduce surface area

Ensuring PHI remains stored only in approved locations means you can target control measures at them and reduce the risk they pose. Email, file shares, electronic health record (EHR) platforms, SaaS, and archives and backups are all potential PHI resources.

The storage and services that contain PHI should all be assigned ownership to ensure that the correct protective measures are maintained for each. Regularly revise retention policies to meet legal requirements, and clear out ROT (redundant, obsolete, or trivial) data, especially duplicate PHI, to prevent the spread of protected data to unmonitored and unprotected infrastructure.

Evidence can be generated throughout this process using automated scans for PHI indicators that log their findings, along with technicians logging the actions they take.
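The automated PHI-indicator scan described above, as an added example (not NinjaOne's code): it walks a tree, counts matches for a few constructed indicator patterns, and records only the location, counts and a content hash, never the matched PHI, so the findings log itself is safe to keep as evidence. The sample files and the "approved location" are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicator patterns for common PHI fields (constructed for this example;
# tune them to the record formats your own systems actually emit).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

def count_indicators(text: str) -> Dict[str, int]:
    """Count matches per indicator type; the matched values are not retained."""
    return {name: len(rx.findall(text)) for name, rx in PHI_PATTERNS.items()}

def scan_tree(root: Path, approved: List[Path]) -> List[dict]:
    """Emit one evidence record per file that holds PHI indicators.
    The record keeps location, counts, a SHA-256 of the content and whether the
    file sits under an approved PHI location, but never the PHI itself."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        counts = count_indicators(data.decode("utf-8", errors="ignore"))
        if not any(counts.values()):
            continue
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "indicators": counts,
            "approved_location": any(a in path.parents for a in approved),
        })
    return findings

def demo() -> List[dict]:
    """Scan a constructed sample tree: one approved EHR export, one stray note."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr-export").mkdir()
        (root / "shared").mkdir()
        (root / "ehr-export" / "patients.csv").write_text("MRN 1234567,DOB: 02/14/1980\n")
        (root / "shared" / "notes.txt").write_text("call back re SSN 123-45-6789\n")
        (root / "shared" / "menu.txt").write_text("lunch at noon\n")
        return scan_tree(root, approved=[root / "ehr-export"])
```

A record with approved_location set to False is exactly the kind of finding a technician then acts on and logs, closing the loop between the scan and the evidence trail.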

Method 2: Enforce least-privilege access

The principle of least privilege should be followed, granting users and services access only to the data they require to perform their role, and nothing more. Multifactor authentication and conditional access that prompts for additional verification for suspicious sessions should be enforced across all accounts that can access PHI. Authentication activity should be logged for auditing, alongside actions taken, for the prescribed period (currently 6 years for HIPAA).
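A least-privilege access review over an exported account list, as an added example (not NinjaOne's code). It compares each account's granted entitlements with its role definition, honours approved exceptions carrying a ticket reference from the exception workflow, and flags PHI access without multifactor authentication. The roles, entitlement names and accounts are constructed for the demo.

```python
from typing import Dict, List, Set

# Role definitions from an access control policy and the entitlements that
# expose PHI (both constructed for this example).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "nurse": {"ehr:read", "ehr:write-notes"},
    "billing": {"ehr:read-demographics", "claims:read", "claims:write"},
    "helpdesk": {"directory:read"},
}
PHI_ENTITLEMENTS = {"ehr:read", "ehr:write-notes", "ehr:read-demographics",
                    "claims:read", "claims:write"}

def review_account(acct: dict) -> List[dict]:
    """Return least-privilege and MFA findings for one account record."""
    findings = []
    allowed = ROLE_ENTITLEMENTS.get(acct["role"])
    if allowed is None:
        return [{"user": acct["user"], "issue": "unknown_role", "detail": acct["role"]}]
    granted = set(acct["entitlements"])
    # Extra entitlements are findings unless an approved exception (keyed by
    # entitlement, with its ticket reference) covers them.
    excepted = set(acct.get("exceptions", {}))
    for extra in sorted(granted - allowed - excepted):
        findings.append({"user": acct["user"], "issue": "excess_entitlement",
                         "detail": extra})
    if granted & PHI_ENTITLEMENTS and not acct.get("mfa_enabled", False):
        findings.append({"user": acct["user"], "issue": "mfa_missing",
                         "detail": "PHI access without multifactor authentication"})
    return findings

def review_accounts(accounts: List[dict]) -> List[dict]:
    """Run the review over an exported account list; the result is the evidence."""
    return [f for acct in accounts for f in review_account(acct)]

def demo() -> List[dict]:
    """Constructed export, as an identity provider's access review might produce."""
    accounts = [
        {"user": "jdoe", "role": "nurse", "mfa_enabled": True,
         "entitlements": ["ehr:read", "ehr:write-notes"]},
        {"user": "asmith", "role": "billing", "mfa_enabled": False,
         "entitlements": ["claims:read", "claims:write", "ehr:read"]},
        {"user": "tlee", "role": "helpdesk", "mfa_enabled": True,
         "entitlements": ["directory:read", "ehr:read"],
         "exceptions": {"ehr:read": "CHG-1042"}},
    ]
    return review_accounts(accounts)
```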

Method 3: Secure email, communication, and file exchange

Email is a common channel through which PHI is unintentionally leaked (often through a wrong recipient or mistyped address). Disabling auto-forwarding and displaying warnings when sending to external domains can help fight this.

Email encryption, as well as encrypting attachments with a pre-shared key, also helps ensure only the intended recipient can read them. File transfers should use encrypted HTTPS or SFTP connections and not use free public file sharing services.

Configuring email monitoring and SIEM that logs (and blocks) suspicious activity will enforce and prove the effectiveness of these measures.

Method 4: Harden endpoints and configuration compliance

Use remote monitoring and management (RMM) tools to enforce technical safeguards such as device/disk encryption, screen lock, and endpoint detection and response (EDR) on all endpoints. Patch management should also be deployed to ensure all devices and operating systems have the latest security updates. Limit the use of remote access and backup tools to HIPAA-compliant solutions that log technician activity and administrative actions. Monitor for configuration drift with automation and use its output to capture configuration snapshots that prove compliance, storing them in your IT documentation platform.
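The drift check and configuration snapshot described above, as an added example (not NinjaOne's code). It compares what an endpoint reports against a baseline built from the safeguards this method names, treats an unreported setting as drift rather than a pass, and hashes the resulting snapshot so a stored copy can later be shown to be unaltered. The baseline keys and the two endpoint records are constructed for the demo.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List

# Baseline for endpoints that handle PHI (constructed for this example).
BASELINE = {
    "disk_encryption": ("equals", True),
    "screen_lock_timeout_sec": ("at_most", 600),
    "edr_agent_running": ("equals", True),
    "patch_age_days": ("at_most", 30),
}

def check_endpoint(hostname: str, reported: Dict[str, object]) -> dict:
    """Compare one endpoint's reported state with BASELINE; return a snapshot."""
    controls = []
    for name, (op, expected) in BASELINE.items():
        actual = reported.get(name)
        if actual is None:
            ok = False  # an unreported setting is drift, never a silent pass
        elif op == "equals":
            ok = actual == expected
        else:
            ok = actual <= expected
        controls.append({"control": name, "expected": expected,
                         "actual": actual, "compliant": ok})
    snapshot = {
        "hostname": hostname,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "controls": controls,
        "drift": [c["control"] for c in controls if not c["compliant"]],
    }
    # Hash the canonical JSON so the stored snapshot can be shown to be unaltered.
    canonical = json.dumps(snapshot, sort_keys=True).encode()
    snapshot["sha256"] = hashlib.sha256(canonical).hexdigest()
    return snapshot

def demo() -> List[dict]:
    """Constructed inventory for two endpoints, as an RMM agent might report it."""
    fleet = {
        "WS-042": {"disk_encryption": True, "screen_lock_timeout_sec": 900,
                   "edr_agent_running": True},  # no patch age reported
        "WS-017": {"disk_encryption": True, "screen_lock_timeout_sec": 300,
                   "edr_agent_running": True, "patch_age_days": 12},
    }
    return [check_endpoint(host, state) for host, state in sorted(fleet.items())]
```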

Method 5: Control shadow IT and third-party risk

Shadow IT is a continuous threat to data security. Monitor for unsanctioned hardware and software and block its use, or provide tested and approved alternatives. Log findings and results as evidence.

Document HIPAA Business Associate Agreements (BAAs) from vendors, and regularly review what data is being stored or processed by them. Track the egress of all PHI and configure alerts on unusual usage (for example, by automatically generating support tickets with details and escalating them directly to the relevant technician).

Method 6: Train for real-world scenarios and near-misses

Educate your staff about the importance of protecting PHI and remaining HIPAA-compliant. Document the training materials along with proof that staff have completed them, and store both securely. Training should include secure email and file transfer practices, incident reporting, and the dangers of shadow IT. Run simulations (for example, what to do if an email is mis-sent or a device is lost).

Method 7: Prove compliance with recurring evidence

Use the data collected during the operation of your HIPAA-compliant IT infrastructure to generate monthly or quarterly evidence packets that prove compliance.

Review each packet, and if outstanding actions are identified, assign owners and due dates, and make sure any overdue exceptions are closed out. During each review, use HIPAA compliance evidence to reinforce control effectiveness and prevent potential future HIPAA violations by identifying gaps and potential improvements. These packets can then be stored alongside the raw data in your IT documentation platform for ready access in case of audit.
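The recurring evidence packet described above, as an added example (not NinjaOne's code). Given a period's findings and the raw artifacts behind them, it assigns owners and due dates to open items, lists anything still unassigned or overdue at review time, and records a SHA-256 manifest of the artifacts plus a hash of the packet itself. The finding ids, control names, dates and artifact contents are constructed for the demo.

```python
import hashlib
import json
from datetime import date, timedelta
from typing import Dict, List

def assign(finding: dict, owner: str, review_date: date, days: int = 30) -> dict:
    """Give an open finding an owner and a due date, as the review requires."""
    finding.update(owner=owner, due=(review_date + timedelta(days=days)).isoformat())
    return finding

def build_packet(period: str, review_date: date, findings: List[dict],
                 artifacts: Dict[str, bytes]) -> dict:
    """Compile a review packet: status counts, items still needing an owner or
    due date, overdue exceptions, and a SHA-256 manifest of the raw evidence."""
    open_items = [f for f in findings if f["status"] != "closed"]
    unassigned = [f["id"] for f in open_items if not (f.get("owner") and f.get("due"))]
    overdue = [f["id"] for f in open_items
               if f.get("due") and date.fromisoformat(f["due"]) < review_date]
    packet = {
        "period": period,
        "review_date": review_date.isoformat(),
        "counts": {"total": len(findings), "open": len(open_items),
                   "closed": len(findings) - len(open_items)},
        "needs_assignment": unassigned,
        "overdue": overdue,
        # Hash each raw artifact so the packet can be matched to stored evidence.
        "manifest": {name: hashlib.sha256(data).hexdigest()
                     for name, data in sorted(artifacts.items())},
    }
    packet["sha256"] = hashlib.sha256(
        json.dumps(packet, sort_keys=True).encode()).hexdigest()
    return packet

def demo() -> dict:
    """Constructed quarterly review with findings of the kinds the methods above produce."""
    review = date(2024, 4, 1)
    findings = [
        {"id": "F-1", "control": "disk_encryption", "status": "closed"},
        {"id": "F-2", "control": "phi_outside_approved_location", "status": "open",
         "owner": "it-ops", "due": "2024-03-15"},  # exception now overdue
        {"id": "F-3", "control": "mfa_missing", "status": "open"},
    ]
    assign(findings[2], owner="identity-team", review_date=review)
    artifacts = {"phi-scan.log": b"constructed scan output\n",
                 "drift-snapshots.json": b"[]\n"}
    return build_packet("2024-Q1", review, findings, artifacts)
```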

IT tools that secure PHI and help prevent HIPAA violations, while automating response and evidence

NinjaOne is a comprehensive IT management and MSP platform that covers everything from RMM and mobile device management (MDM) to monitoring, patch management, endpoint security, backup, and archiving, all with HIPAA compliance built in. With NinjaOne, you start with a compliant foundation for your IT operations.

Automation is integrated across the NinjaOne toolchain, allowing you to script and schedule scans for PHI indicators, set permissions, export access review lists, and check and enforce security measures such as encryption and baseline configuration settings. Logging and monitoring are centralized in a web-based interface, and everything can be compiled into evidence packets and stored in NinjaOne Documentation for later review or for ready presentation during an audit.

FAQs

Auditors review logs, access records, configuration evidence, training documentation, and incident histories to confirm safeguards were enforced over time.

Limited evidence may be recreated, but missing logs or records significantly weaken compliance defenses and increase violation risk.

Start with high-risk systems such as email, shared storage, backups, and SaaS platforms, then expand discovery based on data flows.

Control drift can occur silently, leaving PHI unprotected and violations undetected until an audit or breach happens.

HIPAA generally requires documentation, logs, and policies to be retained for at least six years.
