Updated HIPAA Privacy and Security Rules for 2020

The Department of Health and Human Services (DHHS) issued a release in response to COVID-19. Telehealth providers are now exempt from HIPAA enforcement penalties: as long as they act in good faith, they will not be fined for violations that occur. 

With that said, HIPAA privacy and security rules still apply to all other healthcare organizations. The same goes for business associates of healthcare organizations. 

Are you prepared to adhere to those rules? After all, 2020 has brought about some of the most stringent patient data requirements yet.

Not to worry: we’ve created this guide to help you out. If you’re wondering what your business needs to do to avoid a huge HIPAA fine in 2020, read on. 

HIPAA Safeguards

New in the 2020 HIPAA mandates are the latest safeguard standards for protected health information (PHI). These safeguards must be technical, physical, and administrative in nature, so that together they cover every PHI touchpoint during the patient experience.

Technical Safeguards

Cybersecurity measures such as encryption and firewalls are ideal technical safeguards. Any device that stores, transfers, or accesses PHI should have one or more technical safeguards in place to protect patient data.

If your organization fails to implement technical safeguards, you could be fined over $1 million like Lifespan.

Physical Safeguards

Whether you use a modern security system or not, your place of business should be secure against a break-in. That way, PHI stored physically or electronically at your facility is protected even if someone gains entry. 

Administrative Safeguards

Administrative safeguards are policies that ensure safe PHI handling practices. Keep in mind that simply having procedures in place isn’t enough. You must also train your employees to use these procedures on a daily basis.

HIPAA Self-Audits for 2020

A new HIPAA regulation also requires healthcare organizations to conduct self-audits. Self-audits help organizations evaluate their privacy and security practices for HIPAA compliance. 

Specifically, healthcare organizations must conduct six or more self-audits in a calendar year. At the same time, business associates of healthcare organizations must conduct five or more self-audits per year. 

Here are the six audits you must perform each year. Note that the sixth and final audit is required only for healthcare organizations. Business associates are not required to perform a privacy assessment audit.

Security Risk Assessment

A security risk assessment (SRA) is a standard evaluation of the total security picture. This includes looking at all the strategies and processes you have in place to protect the transfer of sensitive PHI. 

The purpose of the SRA is to locate any gaps in your organization’s HIPAA security strategy and come up with a plan to remediate these issues. 

Security Standards Audit

A security standards audit evaluates whether security policies are up to HIPAA standards. 

The purpose of the security standards audit is to prevent HIPAA security violations. 

HITECH Audit

Subtitle D of the HITECH Act requires electronically stored documents to adhere to HIPAA. The HITECH audit makes sure a process is in place to ensure that adherence, and that the organization has a breach notification strategy in place. 

The purpose of the HITECH audit is twofold:

Asset and Device Audit

During an asset and device audit, an organization must compile a list of any device that accesses or stores electronic PHI. The list must include users of each device as well as a description of security measures in place to protect the PHI on the device. 

The purpose of the asset and device audit is to ensure your organization keeps track of electronic PHI. It also identifies any devices on which safeguards are missing or not robust enough.
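The asset and device audit described above, together with the technical safeguards section, can be driven from a simple inventory check: one record per device that handles electronic PHI, its users, and the safeguards in place, then a pass that reports the gaps. The following is an added example, not code from the article or from HIPAA Security Suite. The inventory records are constructed sample data, and the required safeguard set (encryption and firewall, the two technical safeguards the article names) is an assumption; a real audit would use your organization's own baseline.

```python
"""Asset and device audit helper (added example, not from the original article).

Takes an inventory in the shape the article describes, one record per device
that stores, transfers or accesses electronic PHI with its users and the
technical safeguards in place, and reports each device's audit findings.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    handles_ephi: bool               # does this device touch electronic PHI?
    users: list[str] = field(default_factory=list)
    safeguards: set[str] = field(default_factory=set)


# Assumed baseline: the two technical safeguards the article mentions.
# Replace with your organization's own required set.
REQUIRED_SAFEGUARDS = frozenset({"encryption", "firewall"})

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("front-desk-pc", True, ["reception"], {"encryption", "firewall"}),
    Device("billing-laptop", True, ["billing"], {"firewall"}),
    Device("imaging-workstation", True, [], {"encryption", "firewall"}),
    Device("lobby-kiosk", False, ["guests"], set()),
]


def audit_inventory(inventory: list[Device],
                    required: frozenset[str] = REQUIRED_SAFEGUARDS) -> dict[str, list[str]]:
    """Return a mapping of device name -> list of findings.

    Devices that do not handle ePHI are out of scope and produce no findings.
    A device with no recorded users is flagged, because the article requires the
    inventory to list each device's users; a device missing any required
    safeguard gets one finding per missing safeguard.
    """
    findings: dict[str, list[str]] = {}
    for dev in inventory:
        if not dev.handles_ephi:
            continue
        issues: list[str] = []
        if not dev.users:
            issues.append("no users recorded")
        for missing in sorted(required - dev.safeguards):
            issues.append(f"missing safeguard: {missing}")
        if issues:
            findings[dev.name] = issues
    return findings


def format_report(findings: dict[str, list[str]]) -> str:
    """Render findings as a short text report for the audit file."""
    if not findings:
        return "No gaps found: every in-scope device has users and all required safeguards."
    lines = []
    for name, issues in sorted(findings.items()):
        lines.append(f"{name}:")
        lines.extend(f"  - {issue}" for issue in issues)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_inventory(SAMPLE_INVENTORY)))
```

Running the script on the sample inventory reports the billing laptop for missing encryption and the imaging workstation for having no recorded users; the kiosk is skipped because it does not handle ePHI. Keeping the result as structured findings rather than just printed text lets the same check feed a ticketing system or the remediation plan the SRA section calls for.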

Physical Site Audit

Physical site audits are what their name suggests: organizations must make sure their brick-and-mortar business site is secure. A full audit will include:

  • Testing alarm systems
  • Installing or replacing cameras
  • Adding modern keypads in place of outdated locks

The purpose of the physical site audit is to secure physical PHI that may be stored at your place of business. 

Privacy Assessment

Business associates aren’t required to complete a privacy assessment.

The privacy assessment helps healthcare organizations review privacy policies surrounding PHI. This includes making sure employees know about the proper use and disclosure of PHI. 

The purpose of the privacy assessment is to remind employees about when, to whom, and how PHI can be legally disclosed. That way, you can prevent expensive lawsuits surrounding a patient’s right to privacy. 

Other HIPAA Changes 2020

HIPAA has updated its business associate vetting and breach reporting requirements for 2020. 

Evaluating Business Associates

Does your organization share PHI with any outside entity (known as a business associate)? If so, you must properly evaluate the company’s HIPAA practices.

HIPAA added two new requirements for vendor evaluations:

  1. Vendor questionnaires
  2. Business associate agreements

The questionnaire helps vendors evaluate their own security practices. Once they’ve filled out the questionnaire, it’s your job to identify any weaknesses that may risk a violation. Then, make sure your associate addresses these weaknesses.

If you fail to vet your business associate, your organization will be held liable for any PHI breaches that occur. For example, a Utah-based private practice recently paid $100k for failing to properly vet its business associate.

You can reduce your liability for your associate’s mistakes with a legally enforceable business associate agreement. 

Reporting HIPAA Violations

HIPAA now requires you to report breaches affecting 500+ patients within 60 days. Any breaches affecting fewer than 500 patients can be reported by the end of the year. 

Remember that, in addition to reporting breaches to the DHHS, your organization must report the breach to any patient affected and the media. 

A HIPAA Security Suite for Your 2020 HIPAA Privacy and Security Rules Needs

As long as you follow the latest HIPAA privacy and security rules, you won’t have to be like other organizations that have been fined big time. 

Are you looking for a foolproof strategy for staying up to date with the latest HIPAA security policies? Then sign up for our free HIPAA security compliance reminders or check out our security suite products today!

HIPAA Security Reminders
HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the standard states: “Implement a security awareness and training program for all members of its workforce (including management).”

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.