HIPAA Cheat Sheet — Your Guide to Understanding HIPAA

Author: Joseph Jachimiec, Security Administrator

Looking for a HIPAA-compliant print and mail provider? Overwhelmed with the confusing HIPAA terms and security mumbo-jumbo? Look no further than this HIPAA cheat sheet.

Let’s take a quick look at HIPAA. By the end of this article, you should know enough HIPAA information to impress even me!

Let’s get to it…

Brief HIPAA History

In 1996, Congress passed the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. In addition, Congress tasked the Office of Civil Rights (OCR) and the Department of Health and Human Services (HHS) with enforcing the new HIPAA laws.

The new HIPAA regulations not only enabled Americans to transfer health coverage between jobs but also detailed the requirements for businesses to protect our personal health information.

This same data protection is a priority for us at Nahan.

PHI and ePHI – What Is It?

These days, it seems like there’s an infinite variety of data and information. For HIPAA purposes, sensitive data revolves around our private and personal health information.

In the HIPAA world, this personal health information is called Protected Health Information (PHI). When PHI is in digital format (electronically stored, accessed, or transmitted), it’s called electronic PHI, or ePHI.

PHI and ePHI can include:

  • Names
  • Addresses
  • Medical Records
  • Photos
  • …and any other health information that can identify an individual

HIPAA specifies two types of organizations that handle PHI and ePHI, and thus must be HIPAA compliant: Covered Entities and Business Associates.

What’s the difference?

Covered Entities vs. Business Associates

Covered Entities collect, create, store, and transmit PHI and ePHI. They are the first line of businesses that are “covered” by the HIPAA regulations, meaning they must follow the HIPAA laws and regulations to avoid fines and other disciplinary actions.

Covered Entities include:

  • Hospitals, Clinics, & Urgent Care
  • Dental, Chiropractic, and other miscellaneous health care services
  • Health Insurance Companies
  • Health Care Clearinghouses

Business Associates, on the other hand, are businesses that provide various services to Covered Entities. For example:

  • IT Support Services
  • Document Shredding
  • Cloud Storage
  • Billing & Invoicing
  • Print & Mail Providers (such as Nahan)

In the course of providing these essential services, Business Associates may encounter PHI and ePHI. Therefore, Business Associates must follow many of the same HIPAA rules and regulations as Covered Entities.

As hinted above, Nahan is a Business Associate to our Covered Entity customers and we take the protection of their PHI and ePHI seriously.

In fact, we’re proud to be HIPAA Compliant!

Additional HIPAA Rules

No cheat sheet explaining the fundamentals of HIPAA would be complete without touching on the HIPAA Rules.

There are four main HIPAA rules. Lawmakers established these rules after the initial adoption of HIPAA in 1996. The rules clarify the older laws and set additional standards, especially for the protection of PHI and ePHI.

Here are the four HIPAA Rules summarized in true cheat sheet style!

Privacy Rule

  • Applies to Covered Entities only
  • Gives patients rights over their own PHI and ePHI
  • Defines steps for keeping confidentiality when communicating with individuals

Security Rule

  • Applies to both Covered Entities and Business Associates
  • Defines administrative, physical, and technical controls for PHI and ePHI data handling
  • Requires training and documentation for Covered Entity and Business Associate employees

Breach Notification Rule

  • Sets standards to follow after a data breach involving PHI/ePHI
  • Establishes conditions based on breach size
  • Sets requirements for reporting incidents to the OCR, HHS, and public media

Omnibus Rule

  • Amends Privacy and Security Rules
  • Prohibits the use of PHI and ePHI for marketing purposes
  • Sets further HIPAA compliance mandates for Business Associates

Conclusion

The HIPAA laws and regulations are a confusing landscape. Breaking it down into bullet points can help with understanding the big picture: protecting PHI and ePHI.

Nahan is a trusted Business Associate and provider of HIPAA-Compliant print and mail services. We meet and exceed HIPAA requirements for protecting our customers’ PHI and ePHI.

If you are looking for a HIPAA-Compliant provider, contact us today!

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.


Nahan Printing, Inc. Achieves 2020 PCI DSS Compliance and Certification

SAINT CLOUD, MN – MAY 14, 2020 – Nahan Printing, Inc., award-winning provider of commercial print, direct mail, and digital solutions, announced its achievement of Payment Card Industry Data Security Standard (PCI DSS) Compliance and Certification for 2020.

PCI DSS is an information security framework designed by the Payment Card Industry Security Standards Council (PCI SSC). PCI Compliance is for entities that transmit, process, or store credit card data. The standard guides organizations in protecting cardholder data by preventing fraud and securing Cardholder Data Environments (CDEs).


2020 marks the fifth year in a row that Nahan has earned the demanding certification. To meet compliance requirements, Nahan performed ongoing management and auditing of physical, technical, and administrative controls of their CDE throughout the year.


The successful audit resulted in Nahan’s Attestation of Compliance (AOC) for Service Providers. The AOC reviews Nahan’s compliance in detail by assessing the 12 main requirements of PCI DSS. Requirements include maintaining a vulnerability management program, implementing strong access control measures, maintaining information security policies, and more.

FRSecure LLC of Minnetonka, Minnesota, conducted Nahan’s PCI audit. As a PCI DSS Qualified Security Assessor (QSA), FRSecure provided the necessary expertise to evaluate and consult Nahan on their PCI DSS compliance.

“Achieving our PCI certification is one of the yearly milestones of Nahan’s ongoing Information Security Program,” stated Curt Tillotson, Nahan’s Chief Operating Officer.

“Our commitment to information security doesn’t stop with our PCI environment, either. It extends throughout our organization. Our customers not only appreciate this, they require it.”

– Curt Tillotson, Chief Operating Officer, Nahan Printing

About Nahan

Nahan Printing is a Minnesota-based, independent, family-owned, world class printer committed to providing end-to-end solutions that add value to clients. Since its inception in 1962, Nahan has specialized in catalog and direct mail printing for industries such as retail, financial services, non-profit, and hospitality. With a client roster of legendary brands, Nahan prints iconic work that represents the highest level of quality and innovation in the industry. For more information about Nahan, please visit https://www.nahan.com/.


Nahan Printing, Inc. Successfully Achieves SOC 2 Compliance for Sixth Time

SAINT CLOUD, MN – APRIL 21, 2020 – Nahan Printing, Inc., award-winning provider of commercial print, direct mail, and digital solutions, has again completed a System and Organization Controls (SOC 2) Type 2 examination.

The achievement marks the sixth time that Nahan has met the SOC 2 compliance requirements as specified by the Association of International Certified Professional Accountants (AICPA).


The successful audit resulted in a SOC 2 independent service auditor’s report describing Nahan’s commercial printing and direct mail system and the suitability of the design and operating effectiveness of Nahan’s controls.


Copeland Buhl & Company PLLP of Wayzata, Minnesota, conducted Nahan’s SOC 2 engagement. The audit included a review of Nahan’s policies, procedures, and controls to ensure the protection and security of customer data while in Nahan’s care.

“The SOC 2 audit process is an important engagement for us,” said Curt Tillotson, Chief Operating Officer. He continues:

“One of our core values is to amaze our customers. We do that not only through product quality and superior customer service but also by demonstrating our commitment to data protection and security. Our consistent SOC 2 compliance is a big part of that commitment.”

– Curt Tillotson, Chief Operating Officer, Nahan Printing

