Summary: While HIPAA rules benefit both patients and providers, failure to comply with these standards can result in significant penalties and negative outcomes for both parties. That’s why it is important to understand how HIPAA works and what key areas it covers. In this article, we’ll review the three primary parts of HIPAA regulation, why these rules matter, and how organizations can ensure compliance at every level.

The Health Insurance Portability and Accountability Act (HIPAA) was originally introduced in 1996 to protect health insurance coverage for employees who lost or changed jobs. Today, HIPAA also includes mandates and standards for the transmission and protection of sensitive patient health information by providers and relevant health care organizations.

What is the Purpose of HIPAA Rules?

HIPAA regulates the privacy, security, and breaches of sensitive healthcare information. These regulations enable the healthcare industry to securely and efficiently store and share patient data, protect patient privacy, and secure protected health information (PHI) from unauthorized use and access. HIPAA rules ensure that:

So, what are three major things addressed in the HIPAA law?

HIPAA Rule 1: The Privacy Rule

The HIPAA Privacy Rule outlines standards to protect all individually identifiable health information handled by covered entities or their business associates. This protected health information (PHI) includes a wide range of sensitive data, such as social security numbers, credit card information, and medical history, including prescriptions, procedures, conditions, and diagnoses.

PHI has long been a target for identity theft, so establishing strong privacy rules around its use, access, and security is critical for protecting patient data in an increasingly digital world. The Privacy Rule addresses this risk by:

The Privacy Rule also includes limiting the release of PHI to the minimum required for disclosure (aka the Minimum Necessary Rule).
In other words, under the Privacy Rule, information isn’t disclosed beyond what is reasonably necessary to protect patient privacy. To ensure patient records and information are kept private, the Privacy Rule outlines:

What is a covered entity?

The organizations bound by HIPAA rules are called covered entities. Covered entities include any organization or third party that handles or manages protected patient data, for example:

Additionally, business associates of covered entities must comply with parts of HIPAA rules. Business associates are third-party organizations that need and have access to health information when working with a covered entity. Business associates can include contractors and subcontractors, companies that help doctors bill and process claims, lawyers and accountants, IT specialists, and companies that store or dispose of medical data.

When can covered entities use or disclose PHI?

A covered entity cannot use or disclose PHI unless permitted under the Privacy Rule or by written authorization from the subject of the information. Covered entities must disclose PHI to the individual if they request access or to HHS for compliance investigations or enforcement.

Permitted Uses and Disclosures

Covered entities can use or disclose PHI without prior authorization from the patient for their own treatment, payment, and health care operations activities. They are always allowed to share PHI with the individual. The Privacy Rule also makes exceptions for disclosure in the interest of the public, such as in cases required by law, or for public health.

HIPAA Rule 2: The Security Rule

The HIPAA Security Rule establishes standards for protecting the electronic PHI (ePHI) that a covered entity creates, uses, receives, or maintains. While the Privacy Rule governs the privacy and confidentiality of all PHI, including oral, paper, and electronic, the Security Rule focuses on guidelines specific to securing electronic data.
A key goal of the Security Rule is to protect individuals’ private health information while still allowing covered entities to innovate and adopt new technologies that improve the quality and efficiency of patient care. The Security Rule considers flexibility, scalability, and technological neutrality. This means there are no specific requirements for the types of technology covered entities must use. Instead, covered entities can use any security measures that allow them to implement the standards appropriately. It is up to the covered entity to decide which security measures and technologies are best for its organization.

Under the Security Rule, covered entities must:

The Security Rule covers three main areas of security: administrative, physical, and technical.

Administrative safeguards

Administrative safeguards are administrative actions, policies, and procedures that develop and manage security measures that protect ePHI. Administrative safeguards make up more than half of the Security Rule regulations and lay the foundation for compliance. Covered entities must implement the following administrative safeguards:

Physical safeguards

HIPAA physical safeguards are any physical measures, policies, and procedures used to protect a covered entity’s electronic information systems from damage or unauthorized intrusion, including the protection of buildings and equipment. In other words, HIPAA rules require covered entities to consider and apply safeguards to protect physical access to ePHI. HIPAA physical safeguard requirements include:

Technical safeguards

Under the Security Rule, technical safeguards apply to the technology itself, as well as the policies and procedures that govern its use, protect its electronic protected health information, and control access to it. Technical safeguards include:

Together, these safeguards help covered entities provide comprehensive, standardized security for all ePHI they handle.
HIPAA Rule 3: The Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification of a breach involving unsecured PHI. A breach is any impermissible use or disclosure of PHI under the Privacy and Security Rules. If a potential breach occurs, the organization must conduct a risk assessment to determine the scope and impact of the incident, and confirm whether it falls under the notification requirement. The risk assessment should be based on the following factors:

A covered entity is required to make a notification unless it can demonstrate a low probability that PHI was compromised. Breach notifications include individual notice, media notice, and notice to the secretary.

Individual notice

Following a breach, the organization must notify all impacted individuals. The notice must include a description of the breach and the types of information involved, what steps individuals should take to protect themselves from potential harm, and what the covered entity is doing to investigate and address the breach.

Media notice

Covered entities must also notify the media, typically through a press release to local or regional outlets, if the breach affects 500 or more residents of a state or jurisdiction. The notice must include the same information as the notice to individuals and must be issued promptly, no later than 60 days following the discovery of the breach.

Notice to the Secretary

Covered entities are required to notify the Secretary of Health and Human Services whenever a breach occurs. If the breach affects fewer than 500 individuals, the covered entity must notify the Secretary within 60 days of the end of the calendar year in which the breach was discovered. If the breach affects 500 or more individuals, the covered entity must notify the Secretary within 60 days from the discovery of the breach.

The three Rules of HIPAA represent a cornerstone regulation that protects the healthcare industry, and consumers, from fraud, identity theft, and violation of privacy.
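The thresholds and deadlines in the Breach Notification Rule section above are the kind of thing an incident response team ends up encoding in a playbook so that nobody has to recompute them by hand during an incident. The following is an added example, not code from the original article or from StrongDM, and it encodes only the rules stated on this page: media notice when 500 or more residents of one state or jurisdiction are affected, due no later than 60 days after discovery; notice to the Secretary within 60 days of discovery for 500 or more individuals, otherwise within 60 days of the end of the calendar year of discovery. The function name plan_notifications, the NotificationPlan structure and the constants are assumptions. The four-factor risk assessment is represented only by its outcome (low_probability_of_compromise), because the factors themselves are not listed here, and since the article gives no deadline for the individual notice the example flags that notice as required without computing a date for it.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

# Thresholds and windows exactly as stated in the article (assumed constant
# names; no other HIPAA timing rules are encoded here).
LARGE_BREACH_THRESHOLD = 500     # "500 or more" individuals or residents
NOTICE_WINDOW = timedelta(days=60)


@dataclass(frozen=True)
class NotificationPlan:
    """Outcome of the decision (hypothetical structure, not from the article)."""
    notification_required: bool
    individual_notice: bool                 # required, deadline not given on the page
    media_notice: bool
    media_notice_deadline: Optional[date]   # no later than 60 days after discovery
    secretary_deadline: Optional[date]      # depends on the size of the breach


def _as_date(value: Union[str, date]) -> date:
    """Accept a date or an ISO-8601 string such as '2024-03-01' from a ticket."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def plan_notifications(discovered_on: Union[str, date],
                       individuals_affected: int,
                       max_residents_one_jurisdiction: int,
                       low_probability_of_compromise: bool = False) -> NotificationPlan:
    """Derive the notification obligations from the facts of a breach.

    individuals_affected:           total individuals whose unsecured PHI was involved
    max_residents_one_jurisdiction: largest count of affected residents in any single
                                    state or jurisdiction (drives the media notice)
    low_probability_of_compromise:  result of the risk assessment; True means the
                                    covered entity has shown notification is not required
    """
    discovered = _as_date(discovered_on)
    if individuals_affected < 0 or max_residents_one_jurisdiction > individuals_affected:
        raise ValueError("residents of one jurisdiction cannot exceed the total affected")

    if low_probability_of_compromise:
        # The covered entity demonstrated a low probability that PHI was
        # compromised, so the notification requirement is not triggered.
        return NotificationPlan(False, False, False, None, None)

    large_breach = individuals_affected >= LARGE_BREACH_THRESHOLD
    media_notice = max_residents_one_jurisdiction >= LARGE_BREACH_THRESHOLD
    media_deadline = discovered + NOTICE_WINDOW if media_notice else None

    if large_breach:
        # 500 or more individuals: the Secretary clock starts at discovery.
        secretary_deadline = discovered + NOTICE_WINDOW
    else:
        # Fewer than 500: the clock starts at the end of the calendar year
        # in which the breach was discovered.
        secretary_deadline = date(discovered.year, 12, 31) + NOTICE_WINDOW

    return NotificationPlan(True, True, media_notice, media_deadline, secretary_deadline)


if __name__ == "__main__":
    # Constructed scenario: 1,200 individuals affected, 700 of them in one state.
    plan = plan_notifications("2024-03-01", 1200, 700)
    print(plan)
    # Constructed scenario: 1,200 individuals spread thinly across many states,
    # so the Secretary deadline applies but no media notice is triggered.
    print(plan_notifications("2024-03-01", 1200, 300))
```

Note the two different 500 tests: the media notice depends on the count within a single state or jurisdiction, while the Secretary deadline depends on the total, so a large breach spread across many states can require the 60-day Secretary notice without any media notice.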
Through privacy, security, and notification standards, HIPAA regulations:

StrongDM Makes Following HIPAA Rules Easy

Failure to comply with HIPAA regulations can lead to costly penalties and even criminal liability. That’s why it’s important to rely on comprehensive solutions like StrongDM to ensure end-to-end compliance across your network. StrongDM enables automated evidence collection for HIPAA, SOC 2, SOX, and ISO 27001 audits so you can ensure compliance at every level.

Easily configure your Kubernetes, databases, and other technical infrastructure with granular, least-privileged access based on roles, attributes, or just-in-time approvals for resources. Then capture and record all sessions across your entire stack, so you have full visibility into your risk landscape and can implement compliance standards every step of the way.

Want to simplify your HIPAA Compliance? Try a 14-day free trial of StrongDM today.
About the Author
Andrew Magnusson, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.