There are 5 main pillars of rules that HIPAA covers:

1. Privacy: Medical records and patient data need to be protected while still being portable enough to be transferred safely where needed. This is also where a patient’s rights are codified in terms of how they manage their own data.
2. Security: This speaks to a company’s obligation to institute appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of patient information.
3. Enforcement: This looks at how the regulator calculates fines for non-compliance, laying out the stakes for when companies get things wrong.
4. Breach Notification: This further defines what a breach looks like and how it should be disclosed and dealt with.
5. Omnibus: This modifies the old HIPAA act, making things more stringent and adding extra detail where it was lacking.

In order to remain compliant, a good starting point is to run through this checklist and ensure that you’re covering your bases:

• Do you have stringent risk assessment policies in place that codify your company’s compliance requirements?
• Is your data storage in line with international best practice?
• Do you minimize your personal data storage to only what is absolutely required?
• Do you encrypt the data that flows through your system?
• Do you have a robust data backup and recovery process in place?
• Do your patients have the right to be forgotten?
• Are there watertight access controls that determine who can access what?
• Do you make use of suitable authentication protocols?
• Do you schedule a regular audit to assess your HIPAA compliance?
• Do you have a remediation plan for what will happen if there is a breach?

This is a great place to start and will help to catalyze the things that need to happen within your organization.