Navigating HIPAA cybersecurity requirements: A guide for healthcare providers
Healthcare data is a prime target for hackers. It often includes personal identifying information (PII), medical records, insurance details, and financial information, which can be used for identity theft, insurance fraud, and other malicious activities. The high value of this data on underground forums makes healthcare organizations frequent targets for cybercriminals.
This is why regulations such as HIPAA exist: to help keep the data of healthcare providers and the people who rely on them safe. However, according to the HIPAA Journal, last year was on track to be the worst on record for breached healthcare data, so there is still plenty of defensive work for healthcare organizations to do. We’ll run through the key things you need to know about HIPAA cybersecurity requirements and offer some practical tips on keeping your data safe.
What is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act, is a U.S. federal law enacted in 1996 to protect the privacy and security of individuals’ health information. It sets national standards for the protection of medical records and other protected health information (PHI) held by covered entities (the organizations that handle PHI, defined below).
Key components of HIPAA
- Privacy rule: Sets national standards for the protection of individuals’ medical records and other personal health information. Gives rights to patients over their health records, including the right to access and request corrections.
- Security rule: Sets national standards for the protection of electronic protected health information (ePHI). It requires covered entities and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
- Breach notification rule: Requires covered entities and their business associates to notify individuals, the Secretary of Health and Human Services (HHS), and, in some cases, the media, of any breach of unsecured PHI.
- Enforcement rule: This rule outlines the procedures for investigating complaints, conducting compliance reviews, and imposing penalties for violations of HIPAA.
- Omnibus rule: Finalized in 2013, this rule updated and strengthened the existing HIPAA regulations, including expanding the definition of business associates and increasing penalties for non-compliance.
What’s the status of HIPAA in 2025?
As of 2025, HIPAA continues to be a critical regulation in the healthcare industry. The focus remains on ensuring the privacy and security of personal health information, but there have been some notable developments and trends over the years:
- Increased penalties: The penalties for HIPAA violations have been increased to reflect the severity of breaches and the importance of compliance. This includes both financial penalties and potential criminal charges for willful neglect.
- Technological advancements: With the rise of telehealth, wearable devices, and other digital health technologies, HIPAA has been adapted to address new challenges and ensure that these technologies comply with privacy and security standards.
- Regulatory updates: The Department of Health and Human Services (HHS) continues to issue guidance and updates to HIPAA to address emerging issues and technological changes. For example, there have been updates to address the use of cloud computing and mobile health applications.
- International considerations: As healthcare becomes more global, there is a growing need to align HIPAA with international data protection laws, such as the General Data Protection Regulation (GDPR) in the European Union.
Who does HIPAA apply to?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. Business associates are entities that perform services for covered entities involving the use or disclosure of PHI. This can include IT providers, billing companies, and other third-party vendors. HIPAA also extends to subcontractors of business associates who handle PHI.
Would your organization pass a HIPAA audit?
Medical data is a lucrative target, and there’s a greater need to comply with HIPAA cybersecurity requirements than ever before. It’s estimated that personal medical information is now worth ten times more than credit card data on the black market. Many past HIPAA breaches showed that fraudsters obtained the records and then filed false claims with insurers or bought drugs that were later resold using fake IDs.
Whether you’re undergoing a HIPAA audit or not, it’s important to make sure you have the proper security processes and measures in place to safeguard your data. Here are five questions to keep in mind if you’re preparing for an IT audit:
1. Do you have a documented security policy?
When evaluating the adequacy and reliability of a security policy, auditors will compare measures outlined in the policy with a company’s internal processes to ensure that they are being properly carried out. It’s important to have your security policy mapped out with owners for key roles.
2. Are access privileges in your organization adequately protected?
IT auditors will not only verify who has access to what (and why), but they’ll also check a company’s ability to detect insider misuse or abuse of access privileges. Multi-factor authentication adds an extra layer of security to protect against fraud and identity theft. If a bad actor steals a user’s account information and password, requiring a second or third form of authentication such as a mobile verification code or security token could stop unauthorized access.
3. What methods do you use to protect your data?
Be ready to present reports about your methods of data classification and segregation, and prove that your most valuable assets cannot be easily compromised. For example, are you placing data into a 24/7 protected network? Do you have a HIPAA-compliant password policy in place for creating, changing, and safeguarding passwords?
If you’re interested to know whether your current password policy aligns with HIPAA, run a read-only scan of your Active Directory with our free tool, Specops Password Auditor.
4. Do you have a disaster recovery plan?
A good disaster recovery plan includes information about employees’ roles and responsibilities, how they should react if a security breach occurs, and what they should do to stop data leaks and minimize their negative consequences. We’ve recently shared a guide on how to build an incident response plan in the wake of a credential-based attack.
5. Are your employees familiar with existing security procedures and policies?
A company will often need to prove that its employees are regularly trained and informed about existing security procedures, for example, by training them on the dangers of sharing passwords in a healthcare setting. Even the best technologies can’t protect your data if your employees continue to engage in insecure practices such as responding to phishing emails or reusing work passwords on personal devices.
6. Ensure your users’ Active Directory passwords are secure
While the HIPAA Privacy Rule has no explicit requirements on user passwords, there is a strong emphasis on the storage of and access control to electronic protected health information (ePHI). Sections 164.308(a)(5)(i) and 164.308(a)(5)(ii)(D) require the following to be in place where appropriate:
- A security awareness and training program for all members of its workforce
- Procedures for creating, changing, and safeguarding passwords
The HIPAA cybersecurity requirements may be ambiguous, but healthcare organizations are subject to the full extent of its rules. The burden falls on individual healthcare organizations’ IT teams to work out how to put these into practice, so seeking third-party help can make things simpler. Head here for a full walkthrough on password security in a healthcare environment.
How can Specops Password Policy facilitate HIPAA compliance?
Specops Password Policy helps organizations meet HIPAA requirements by allowing IT departments to create rich password policies that enhance password security in Active Directory and enforce those rules beyond Active Directory. On top of that, your Active Directory will be continuously scanned against our database of over 4 billion unique breached passwords. Try Specops Password Policy for free.
(Last updated on February 24, 2025)