
Breaking Down the Essentials of HIPAA Compliance

  • Writer: Ash Bassili
  • Aug 25
  • 9 min read
Managing HIPAA Compliance

Managing and protecting health information is no longer just a technical responsibility. For healthcare organizations and research institutions, it is a legal and ethical obligation. With evolving federal regulations and increasing risks, institutions must build privacy and security into their systems, and researchers need to be aware of these requirements as they put together their data management plans.


Understanding HIPAA’s requirements helps organizations prevent costly breaches, safeguard sensitive data, and support compliant research environments.


What is HIPAA, and Why Does It Exist?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that sets standards for protecting personal health information. It was designed to:

  • Protect patient records and individually identifiable health information

  • Give individuals rights over their own medical data

  • Enable secure, compliant data sharing for care, payment, or operations


HIPAA applies to a wide range of entities, including hospitals, insurance providers, and any business that touches patient data. It defines this data as “protected health information” (PHI), which includes: 

  • Medical histories and diagnoses

  • Insurance details and billing records

  • Any information that can identify a patient (e.g. address, birthdate, Social Security Number (SSN), etc.)


Who Does HIPAA Apply To?

HIPAA applies to two main groups:

  1. Covered Entities

    • Health care providers - Hospitals, doctors, dentists, and pharmacies

    • Health plans - Insurance companies, HMOs, company health plans

    • Health care clearinghouses - Entities that process nonstandard health information they receive from another entity into a standard format


  2. Business Associates - These are organizations that handle PHI on behalf of a covered entity, including:

    • Cloud storage providers

    • Billing and legal services

    • Research data platforms


In research, this means platforms like myLaminin typically operate as business associates. When handling Protected Health Information (PHI), they are bound by Business Associate Agreements (BAAs). The covered entity, such as a hospital or academic institution, remains the data owner responsible for authorizing access.


The Core Rules of HIPAA

HIPAA’s main safeguards are structured around three key rules:

  1. Privacy Rule - This rule outlines when Protected Health Information (PHI) can be used or disclosed, and ensures patient control.

Key requirements include:

  • Use PHI only for care, payment, or operations unless authorized otherwise

  • Share the minimum necessary information

  • Maintain safeguards to prevent unauthorized disclosures

Patients also have the right to:

  • Access and request corrections to their records

  • Receive an accounting of disclosures

  • Choose how they want information shared


  2. Security Rule - This rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). It is scalable, allowing organizations to choose appropriate protections based on their size and resources.

Key requirements include:

  • Administrative safeguards - risk assessments, employee training

  • Physical safeguards - controlled access to systems and devices

  • Technical safeguards - encryption, user authentication, audit trails


  3. Breach Notification Rule - Organizations must notify individuals and regulators if PHI is compromised.

Key steps include:

  • Notifying affected individuals within 60 days

  • Reporting large breaches to the Department of Health and Human Services

  • Informing the media if over 500 people are affected


A breach includes any unauthorized access or disclosure that risks patient privacy.



Where Organizations Struggle

Despite the rules being clear, compliance challenges are common.


Human Error and Training Gaps

  • Staff are unaware of PHI handling protocols

  • Conversations in public spaces or unlocked workstations

  • Poor understanding of access limitations


Technology and Infrastructure Risks

  • Lost devices with unencrypted data

  • Ransomware attacks on health systems

  • Insecure file transfers or outdated software


Administrative Pressures

  • Managing multiple Business Associate Agreements

  • Conducting regular risk assessments

  • Tracking evolving federal requirements


What Researchers Have to Do to Ensure Compliance

To ensure their research protocols and teams are compliant with HIPAA rules and regulations, researchers in the healthcare and social science sectors need to take a comprehensive approach that addresses both the Privacy Rule and the Security Rule. These rules apply whenever protected health information (PHI) is created, received, maintained, or transmitted. Specifically, they must:


  1. Understand and Obtain Authorization for PHI - Researchers must be able to use and disclose PHI in one of the following ways:

    1. Individual Authorization - The patient or research participant must sign a specific, written authorization form that meets all the elements required by the Privacy Rule. This is separate from, but can be combined with, the informed consent form required by the Institutional Review Board (IRB) or Research Ethics Board (REB).

    2. Waiver or Alteration of Authorization - In certain circumstances, an IRB/REB or Privacy Board can waive or alter the requirement for individual authorization. To grant a waiver, the board must determine that the research poses no more than a minimal risk to privacy, could not be practicably conducted without the waiver, and includes an adequate plan to protect identifiers and destroy them at the earliest opportunity.

    3. De-identification - If the data is completely de-identified according to the HIPAA standard, it is no longer considered PHI and the Privacy Rule does not apply.

    4. Limited Data Sets - Researchers can use a "limited data set," which removes certain direct identifiers but may still contain indirect identifiers (like a zip code or date of birth). This requires a "Data Use Agreement" with the covered entity that specifies the permitted uses and disclosures of the data and requires the recipient to protect it.

    5. Preparatory to Research - In specific cases, researchers can use PHI to prepare a research protocol without authorization, as long as they do not remove the PHI from the covered entity.

  2. Implementing the HIPAA Security Rule - The Security Rule requires that organizations and researchers handling electronic PHI (ePHI) implement specific administrative, physical, and technical safeguards to ensure its confidentiality, integrity, and availability.

    1. Administrative safeguards include:

      1. Security Management Process - This includes conducting regular risk assessments to identify vulnerabilities and potential threats to ePHI, and then implementing safeguards to mitigate those risks.

      2. Workforce Training - All members of the research team who will have access to PHI must receive regular HIPAA training. This training should cover privacy and security policies, how to handle PHI, and how to report security incidents.

      3. Policies and Procedures - The research institution and the research team must have clear, unambiguous, and documented policies and procedures for handling PHI, including disciplinary actions for violations.

    2. Physical safeguards include:

      1. Workstation Security - Physical workstations used to access PHI must be protected. This includes positioning screens away from public view and ensuring workstations are logged off when left unattended.

      2. Facility Access Controls - Researchers must have policies and procedures in place to limit physical access to facilities where ePHI is stored.

    3. Technical safeguards include:

      1. Access Controls - Researchers must have systems in place to ensure that only authorized individuals can access ePHI. This includes unique user IDs and strong password policies (or other authentication methods such as multi-factor authentication).

      2. Encryption - ePHI must be encrypted both "in transit" (when it's being sent) and "at rest" (when it's being stored). This is a fundamental requirement to protect data from unauthorized access.

      3. Audit Controls - Systems must have mechanisms to record and examine activity in information systems that contain or use ePHI. This creates an audit trail that can be used to detect and investigate potential breaches.

      4. Integrity Controls - Researchers must implement measures to ensure that ePHI is not improperly altered or destroyed.

  3. Additional Key Considerations for Research Teams

    1. Business Associate Agreements (BAAs) - If a research team or a "covered entity" (like a hospital) works with an external organization that will create, receive, maintain, or transmit PHI on its behalf, a BAA is required. The BAA is a contract that ensures the business associate will comply with HIPAA rules.

    2. IRB/REB Oversight - The IRB/REB (or a Privacy Board) is the primary oversight body for human subjects research. They play a critical role in reviewing and approving research protocols to ensure they comply with HIPAA, especially when considering waivers of authorization or the use of limited data sets.

    3. Data Minimization - Researchers should always adhere to the "minimum necessary" standard, which means they should only use, disclose, or request the minimum amount of PHI required to achieve the research's purpose.

    4. Breach Notification - Researchers must have a plan in place to detect, respond to, and report any potential data breaches, as required by the HIPAA Breach Notification Rule.
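As an added example, not code from this post or from the myLaminin platform, the following Python sketch shows the de-identification and limited data set options described under item 1 above. It follows the Safe Harbor method's generalization rules (direct identifiers removed, geography coarsened to a three-digit ZIP, dates reduced to the year, ages over 89 collapsed into a single "90+" category). The field names, the sample records and the RESTRICTED_ZIP3 values are constructed for illustration, and free-text fields are out of scope.

```python
"""Simplified HIPAA Safe Harbor de-identification and limited data set construction.

Added example, not myLaminin code. Field names, sample records and RESTRICTED_ZIP3 are
constructed; the generalization rules follow the Safe Harbor method (45 CFR 164.514(b)(2)).
Free-text fields (clinical notes) are not handled here and need separate review.
"""
from datetime import date

# Direct identifiers removed under both Safe Harbor and the limited-data-set option
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street_address",
                      "insurance_id", "device_serial", "photo_url", "ip_address"}
# Geography finer than state: removed under Safe Harbor, kept in a limited data set
SUB_STATE_GEO = {"city", "county"}
# Dates directly related to the individual (birth_date is handled separately)
EVENT_DATES = {"admission_date", "discharge_date", "death_date"}
# 3-digit ZIP prefixes reported as "000" because they cover 20,000 or fewer people.
# Constructed sample; consult current HHS guidance for the authoritative list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
AS_OF = date(2024, 1, 1)  # reference date for the age calculation in the demo


def age_on(birth, as_of):
    """Whole years completed between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_zip(zip_code):
    """First three digits of the ZIP, or "000" for sparsely populated prefixes."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def limited_data_set(record):
    """Strip direct identifiers only; dates, ages and city/state/ZIP remain.
    The result is still PHI and needs a Data Use Agreement before sharing."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record, as_of=AS_OF):
    """Return a new record that is no longer PHI under the Safe Harbor method."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEO:
            continue
        if key == "birth_date":
            if age_on(value, as_of) >= 90:
                out["age"] = "90+"          # even the birth year would reveal age over 89
            else:
                out["birth_year"] = value.year
        elif key in EVENT_DATES:
            out[key.replace("_date", "_year")] = value.year
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        else:
            out[key] = value                # clinical content is not an identifier
    return out


# Constructed sample records (not real patients)
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "000-00-0000", "mrn": "MRN-1", "birth_date": date(1930, 5, 1),
     "admission_date": date(2023, 11, 15), "zip": "03601", "city": "Keene", "state": "NH",
     "diagnosis": "E11.9"},
    {"name": "John Roe", "ssn": "000-00-0001", "mrn": "MRN-2", "birth_date": date(1980, 6, 15),
     "admission_date": date(2023, 3, 2), "zip": "02139", "city": "Cambridge", "state": "MA",
     "diagnosis": "I10"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print("limited data set:", limited_data_set(rec))
        print("safe harbor:     ", safe_harbor(rec))
```

The limited data set keeps dates and city/state/ZIP, which is why it still requires a Data Use Agreement; the Safe Harbor output drops or coarsens them and so leaves the Privacy Rule's scope. Both functions return new dicts and never mutate the input record, so the original PHI is not silently altered.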
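As an added example (not code from this post or from myLaminin), the following Python module shows how the access controls, audit controls and integrity controls listed under item 2 above fit together in one small ePHI store. The ROLE_PERMISSIONS table, user IDs, record IDs and clinical values are all constructed for the demonstration. Encryption at rest and in transit is intentionally left out of the code; that belongs to a vetted cryptographic library and a managed key service.

```python
"""Minimal in-memory ePHI store showing three Security Rule technical safeguards.
Added example, not myLaminin's code; the role model, users, record IDs and clinical
values are constructed. Access control: unique user ID checked against a role.
Audit control: every allowed or denied access goes into a hash-chained log.
Integrity control: each record carries an HMAC tag verified on every read.
Encryption at rest/in transit is left to a vetted library and the transport layer."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

ROLE_PERMISSIONS = {"clinician": {"read", "write"},   # hypothetical role model
                    "researcher": {"read"},
                    "billing": set()}                  # no access to research ePHI here
GENESIS_HASH = "0" * 64


class AccessDenied(PermissionError): pass   # caller's role does not permit the action
class IntegrityError(RuntimeError): pass    # stored record no longer matches its HMAC tag


@dataclass(frozen=True)
class User:
    user_id: str   # unique per person; shared accounts defeat the audit trail
    role: str


class EphiStore:
    def __init__(self, integrity_key):
        self._key = integrity_key   # in production: from a KMS, never hard-coded
        self._records = {}          # record_id -> (serialized JSON bytes, HMAC hex tag)
        self.audit_log = []         # each entry links to the previous one by hash
        self._prev_hash = GENESIS_HASH

    @staticmethod
    def _hash_entry(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _audit(self, user_id, action, record_id, outcome):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user_id,
                 "action": action, "record": record_id, "outcome": outcome,
                 "prev": self._prev_hash}
        entry["hash"] = self._hash_entry(entry)
        self.audit_log.append(entry)
        self._prev_hash = entry["hash"]

    def _authorize(self, user, action, record_id):
        # Deny by default, and log the decision before acting so denials are visible too.
        allowed = action in ROLE_PERMISSIONS.get(user.role, set())
        self._audit(user.user_id, action, record_id, "allowed" if allowed else "denied")
        if not allowed:
            raise AccessDenied(f"{user.user_id} ({user.role}) may not {action} {record_id}")

    def _tag(self, serialized):
        return hmac.new(self._key, serialized, hashlib.sha256).hexdigest()

    def write(self, user, record_id, payload):
        self._authorize(user, "write", record_id)
        serialized = json.dumps(payload, sort_keys=True).encode()
        self._records[record_id] = (serialized, self._tag(serialized))

    def read(self, user, record_id):
        self._authorize(user, "read", record_id)
        serialized, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(serialized)):
            raise IntegrityError(f"record {record_id} failed integrity check")
        return json.loads(serialized)

    def verify_audit_chain(self):
        """True if no log entry has been altered, removed or reordered."""
        prev = GENESIS_HASH
        for entry in self.audit_log:
            if entry["prev"] != prev or self._hash_entry(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_demo():
    """Exercise the store with constructed data; returns the observable outcomes."""
    store = EphiStore(b"demo-only-key")
    clinician, researcher = User("u-1001", "clinician"), User("u-2002", "researcher")
    store.write(clinician, "rec-42", {"diagnosis": "E11.9", "hba1c": 7.4})
    out = {"researcher_read": store.read(researcher, "rec-42")["diagnosis"]}
    try:
        store.read(User("u-3003", "billing"), "rec-42")
        out["billing_denied"] = False
    except AccessDenied:
        out["billing_denied"] = True
    serialized, tag = store._records["rec-42"]   # simulate tampering with the bytes on disk
    store._records["rec-42"] = (serialized.replace(b"7.4", b"5.1"), tag)
    try:
        store.read(clinician, "rec-42")
        out["tamper_detected"] = False
    except IntegrityError:
        out["tamper_detected"] = True
    out["chain_valid"] = store.verify_audit_chain()
    out["denied_entries"] = sum(e["outcome"] == "denied" for e in store.audit_log)
    return out
```

Two design points carry over to real systems: the audit entry is written before the authorization decision is enforced, so denied attempts are part of the trail (that is what makes an audit log useful for detecting probing), and the log's hash chain means an attacker who can edit the log cannot do so without breaking verify_audit_chain(). The HMAC key here is a constant only so the example runs offline.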


By following these guidelines, research teams can create a robust framework that protects participant privacy, upholds ethical standards, and ensures legal compliance.


How myLaminin Supports HIPAA-Aligned Compliance

myLaminin is a research data platform designed to help institutions manage compliance while supporting collaboration and innovation. As a business associate, it has undertaken a self-assessment against HIPAA criteria and shows over 80% alignment with key requirements. Items on the roadmap would put myLaminin in excess of 90%.



Note: Some HIPAA requirements remain the responsibility of the Health Information Custodian. Where data is stored on-prem, for example, the Custodian organization retains responsibility for requirements related to data storage, physical security of the data, and consent management.


Security and Privacy Features

  • Role-based access controls that limit who can view and edit PHI

  • Full audit trails for all data interactions

  • End-to-end encryption during storage and transmission

Consent and Documentation

  • Tools to manage participant consent and track authorizations

  • Support for institution-specific templates and workflows

  • Built-in compliance reports and policy alignment

Research Collaboration Tools

  • Secure sharing with internal and external researchers

  • e-Signature tools for legal and consent documents

  • Communication tracking for full auditability


Appendix A, “myLaminin Support of HIPAA Compliance for Researchers,” presents how the myLaminin platform supports the research team’s and institutional responsibilities. This allows researchers to focus on the conduct of research rather than the administrative aspects of compliance.


myLaminin also supports broader regulatory frameworks like SOC 2, GDPR, and Canadian laws such as PIPEDA and PHIPA.


Strategies for Strong HIPAA Compliance

Organizations that succeed with HIPAA tend to focus on three key areas:

1. Planning and Policy

  • Build data protection into project planning

  • Train staff regularly and keep documentation up to date

  • Prepare for audits and incidents in advance

2. Smart Technology

  • Encrypt everything, from laptops to emails

  • Monitor access through automated logs

  • Limit PHI access to only those who need it

3. Culture and Accountability

  • Make privacy a shared responsibility

  • Encourage reporting of potential violations

  • Reward strong data handling practices


Conclusion

HIPAA is more than a regulation; it provides an ethical framework that both protects individuals and enables institutions to act responsibly. 


Platforms like myLaminin offer institutions and scientists the ability to meet HIPAA obligations without delaying research. For example, myLaminin not only helps organizations to establish appropriate safeguards but also tracks compliance and administers consent, creating space for organizations to focus on impact while remaining fully grounded in privacy and security compliance. 


When compliance is embedded, organizations can establish safeguards for those things they care most about, including patient trust, organizational credibility, and the future of ethical research.


Appendix A - myLaminin Support of HIPAA Compliance for Researchers

| Concept | Description | myLaminin Support | Notes |
| --- | --- | --- | --- |
| Understand and Obtain Authorization for PHI | | | |
| Individual Authorization | The patient or participant must sign a specific, written authorization form. This can be combined with the informed consent form from an IRB/REB. | Yes | myLaminin allows researchers to create authorization forms. |
| Waiver or Alteration of Authorization | An IRB/REB or Privacy Board can waive or alter the authorization requirement if the research poses minimal risk, couldn't be conducted without the waiver, and has a plan to protect and destroy identifiers. | Yes | myLaminin has a complete REB module that supports these reviews and waivers. |
| De-identification | If data is completely de-identified according to HIPAA standards, it is no longer considered PHI and the Privacy Rule doesn't apply. | Yes | myLaminin allows researchers to tailor their research methodology as they see fit. |
| Limited Data Sets | Researchers can use data with some direct identifiers removed but that may still contain indirect identifiers. This requires a Data Use Agreement with the covered entity. | Yes | myLaminin allows researchers to tailor their research methodology as they see fit. |
| Preparatory to Research | PHI can be used to prepare a research protocol without authorization, as long as it's not removed from the covered entity. | NA | This is solely the responsibility of the researcher to ensure compliance. |
| Implementing the HIPAA Security Rule | | | |
| Administrative Safeguards | | | |
| Security Management Process | Conduct regular risk assessments and implement safeguards to mitigate threats to ePHI. | Yes | While these responsibilities are jointly owned, myLaminin undertakes these assessments on platform security management protocols. |
| Workforce Training | All team members with access to PHI must receive regular HIPAA training. | Yes | All research team members and myLaminin staff are required to undertake this HIPAA training. |
| Policies and Procedures | The research team must have clear, documented policies for handling PHI, including disciplinary actions for violations. | Yes | All research team members and myLaminin staff are required to undertake this HIPAA training. |
| Physical Safeguards | | | |
| Workstation Security | Protect physical workstations used for PHI access (e.g., position screens away from public view, log off when unattended). | NA | This is a responsibility all researchers must be cognizant of. |
| Facility Access Controls | Have policies to limit physical access to facilities where ePHI is stored. | Yes | myLaminin restricts access to all our systems. |
| Technical Safeguards | | | |
| Access Controls | Implement systems (like unique user IDs and strong passwords) to ensure only authorized individuals can access ePHI. | Yes | |
| Encryption | ePHI must be encrypted both "in transit" (when sent) and "at rest" (when stored). | Yes | |
| Audit Controls | Have mechanisms to record and examine activity in systems with ePHI to create an audit trail. | Yes | |
| Integrity Controls | Implement measures to prevent ePHI from being improperly altered or destroyed. | Yes | |
| Additional Key Considerations | | | |
| Business Associate Agreements (BAAs) | A contract required when an external organization creates, receives, maintains, or transmits PHI on behalf of a covered entity. | Yes | |
| IRB/REB Oversight | The IRB/REB is the primary oversight body for human subjects research, ensuring compliance with HIPAA. | Yes | myLaminin has a complete IRB/REB module with support for configuration of institutional forms, workflows, alerts, notifications, and reporting. |
| Data Minimization | Use and request only the minimum amount of PHI necessary for the research purpose. | NA | This is a responsibility of all research teams. |
| Breach Notification | Have a plan to detect, respond to, and report any potential data breaches. | Yes | myLaminin has a complete Incident Response Plan and protocols to address any potential data breaches. |

Sources



Image by Andrew Neel