Beginner’s Guide to the Core Rules of HIPAA: Key Privacy, Security & Breach Requirements

Kevin Henry

HIPAA

March 23, 2025

7 minute read

If you handle health information in the United States, the Health Insurance Portability and Accountability Act (HIPAA) sets the baseline rules for protecting patient privacy and securing data. This guide explains the core Privacy, Security, and Breach Notification requirements in plain language.

By the end, you’ll understand what counts as Protected Health Information, who HIPAA applies to, and the safeguards you must implement to manage risk, respond to incidents, and stay compliant.

Overview of the HIPAA Privacy Rule

What the Privacy Rule covers

The Privacy Rule protects “Protected Health Information” (PHI)—any individually identifiable health data held or transmitted by Covered Entities or their Business Associates, in any form. It governs how PHI may be used or disclosed and sets the “minimum necessary” standard to limit unnecessary sharing.

Individual rights

  • Access and copies: Individuals can access and obtain copies of their PHI, including in electronic form when available.
  • Amendments: You must review and, when appropriate, amend PHI upon request.
  • Restrictions and confidential communications: Patients may request limits on disclosures and choose how you communicate with them.
  • Accounting of disclosures and Notice of Privacy Practices: You must track certain disclosures and provide clear notices explaining your privacy practices.

Permitted uses and disclosures

Without written authorization, PHI may be used or disclosed for treatment, payment, and health care operations, and for specific public interest purposes (for example, public health reporting). Any other use generally requires patient authorization.

De-identification

Properly de-identified data is not PHI. The Privacy Rule recognizes two methods: Safe Harbor, which removes the 18 listed identifiers (names, dates other than year, geographic units smaller than a state, contact details, account and device identifiers, biometrics, full-face photos, and so on) and requires that you have no actual knowledge the remaining data could identify the individual; and Expert Determination, in which a qualified expert documents that the re-identification risk is very small. Once a dataset meets either standard, the Privacy Rule’s restrictions no longer apply to it, although a re-identification code may be kept only if it is not derived from the individual’s information and is not disclosed.

Understanding the HIPAA Security Rule

Scope and approach

The Security Rule applies to electronic PHI (ePHI) and requires you to implement “reasonable and appropriate” safeguards based on your size, complexity, and risk profile. It is risk-based and flexible, focusing on outcomes rather than one-size-fits-all controls.

Administrative Safeguards

  • Risk analysis and risk management: Identify threats and vulnerabilities to ePHI and implement measures to reduce risks to acceptable levels.
  • Policies, procedures, and workforce training: Define responsibilities, train your team, and apply sanctions when policies are violated.
  • Contingency planning: Create and test backup, disaster recovery, and emergency operations plans.
  • Vendor oversight: Execute Business Associate Agreements (BAAs) and manage third-party risks.

Physical Safeguards

  • Facility access controls: Protect areas where systems or records are stored.
  • Workstation and device security: Secure workstations, mobile devices, and media; use secure disposal and re-use procedures.

Technical Safeguards

  • Access controls: Enforce unique user IDs, role-based access, and multi-factor authentication when feasible.
  • Audit controls and integrity: Monitor activity logs and protect data from improper alteration or destruction.
  • Transmission security: Use encryption and secure channels to protect ePHI in transit; apply strong encryption at rest when reasonable and appropriate.

Ongoing evaluation

Security is not “set and forget.” Conduct periodic evaluations, document decisions, and update safeguards as your environment, threats, and technologies change. Note that “addressable” implementation specifications (for example, encryption at rest and automatic logoff) are not optional: you must either implement them or document why they are not reasonable and appropriate for your environment and implement an equivalent alternative measure where one is reasonable.

Exploring the Breach Notification Rule

What counts as a breach

A breach is an impermissible use or disclosure of unsecured PHI that compromises its privacy or security. “Unsecured” means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance (encryption or destruction); a lost laptop whose disk was encrypted and whose key was not also compromised is therefore generally not a reportable breach. An incident is presumed a breach unless you show, via a documented risk assessment, a low probability that PHI was compromised. The rule also carves out three narrow exceptions: unintentional good-faith access by a workforce member acting within their authority, inadvertent disclosure between two persons authorized to access PHI at the same entity, and a disclosure where the recipient could not reasonably have retained the information.

Risk assessment factors

  • Nature and extent of PHI involved (types of identifiers and likelihood of re-identification).
  • Unauthorized person who used or received the PHI.
  • Whether PHI was actually acquired or viewed.
  • Extent to which the risk has been mitigated.

Breach Notification Requirements

  • Individuals: Notify without unreasonable delay and no later than 60 calendar days after discovery, describing what happened, the types of data involved, steps they should take, your mitigation measures, and contact points. A breach is “discovered” on the first day it is known, or by exercising reasonable diligence would have been known, to anyone in the organization other than the person who committed it.
  • HHS: Report breaches affecting 500 or more individuals without unreasonable delay and no later than 60 calendar days after discovery; log smaller breaches and report them annually, no later than 60 days after the end of the calendar year in which they were discovered.
  • Media: If a breach affects more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that area within the same 60-day window.
  • Business Associates: Notify the Covered Entity without unreasonable delay (no later than 60 days after the Business Associate’s discovery) and provide the identities of affected individuals and other details needed to support the Covered Entity’s onward notices.
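Incident responders usually turn the timelines above into a checklist the moment a breach is declared. The following is an added example, not code from the original article or from any HIPAA tooling, that computes the notification plan from a discovery date and a per-jurisdiction count of affected individuals. The 500 thresholds and 60-day windows are the rule’s own; the jurisdiction codes and counts are constructed inputs, and the helper does not model the separate Business Associate to Covered Entity clock.

```python
from datetime import date, timedelta

# 45 CFR 164.404/164.408: individual and HHS notices are due no later than
# 60 calendar days after discovery; breaches under 500 go on the annual log.
NOTICE_WINDOW = timedelta(days=60)
HHS_IMMEDIATE_THRESHOLD = 500
# 45 CFR 164.406: media notice when MORE than 500 residents of one state
# or jurisdiction are affected.
MEDIA_THRESHOLD = 500


def plan_notifications(discovered: date, affected_by_jurisdiction: dict) -> dict:
    """Return the notification deadlines and required media notices.

    affected_by_jurisdiction maps a state/jurisdiction code to the number of
    affected residents, e.g. {"CA": 320, "NY": 610} (constructed example).
    """
    if not affected_by_jurisdiction:
        raise ValueError("no affected individuals recorded")
    total = sum(affected_by_jurisdiction.values())
    individual_deadline = discovered + NOTICE_WINDOW

    if total >= HHS_IMMEDIATE_THRESHOLD:
        # Contemporaneous with individual notice.
        hhs_mode = "immediate"
        hhs_deadline = individual_deadline
    else:
        # Annual log: within 60 days after the end of the calendar year
        # in which the breach was discovered.
        hhs_mode = "annual"
        hhs_deadline = date(discovered.year, 12, 31) + NOTICE_WINDOW

    media_jurisdictions = sorted(
        code for code, n in affected_by_jurisdiction.items() if n > MEDIA_THRESHOLD
    )

    return {
        "discovered": discovered,
        "total_affected": total,
        "individual_deadline": individual_deadline,
        "hhs_mode": hhs_mode,
        "hhs_deadline": hhs_deadline,
        "media_jurisdictions": media_jurisdictions,
        "media_deadline": individual_deadline if media_jurisdictions else None,
    }


if __name__ == "__main__":
    # Constructed scenario: large breach spanning two states.
    plan = plan_notifications(date(2025, 3, 23), {"CA": 320, "NY": 610})
    for key, value in plan.items():
        print(f"{key}: {value}")
```

The per-jurisdiction breakdown matters because the media trigger is evaluated per state, not on the national total: a breach of 900 people spread 300/300/300 across three states needs HHS notice within 60 days but no media notice.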

Compliance Requirements for Covered Entities

Who is a Covered Entity

Covered Entities include health plans, healthcare clearinghouses, and healthcare providers that conduct certain electronic transactions. If you fall into one of these categories, HIPAA’s Privacy, Security, and Breach rules apply to your handling of PHI.

Core compliance program elements

  • Designate privacy and security officials and maintain written policies and procedures.
  • Train the workforce, apply sanctions for violations, and document all compliance activities.
  • Conduct regular risk analyses, implement “reasonable and appropriate” safeguards, and review them periodically.
  • Manage vendors with BAAs, monitor performance, and address noncompliance.
  • Provide required notices and support patient rights to access, amend, and receive an accounting of disclosures.

Safeguards for Protected Health Information

Administrative Safeguards in practice

  • Least privilege and role-based access; periodic access reviews.
  • Incident response playbooks and breach decision trees aligned to policy.
  • Vendor risk management and BA oversight throughout the contract lifecycle.

Physical Safeguards in practice

  • Badge or key controls, visitor sign-ins, and camera monitoring where appropriate.
  • Secure storage and destruction of paper records and media; clean-desk expectations.
  • Device inventories and protections for laptops, tablets, and removable media.

Technical Safeguards in practice

  • Strong authentication, session timeouts, and automatic logoff.
  • Encryption for data in transit and at rest, endpoint protection, and mobile device management.
  • Comprehensive logging, alerting, and periodic audit reviews to detect anomalous access.

Together, these Administrative, Physical, and Technical Safeguards create layered defense for PHI and help you demonstrate due diligence under HIPAA.
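The audit-control bullets above (monitor activity logs, review them periodically to detect anomalous access) are where most organizations find the insider cases that OCR later asks about. The following is an added example, not code from the original article or from any EHR vendor, showing two simple review rules run over a constructed ePHI access log: a user who opens far more distinct patient records than peers in the same role on the same day, and a day-shift role (here assumed to be billing) accessing records outside business hours. The log format, role names, hour window and multiplier are assumptions for the example.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from statistics import median

# Constructed access log: one day of EHR activity (not real data).
SAMPLE_LOG = """timestamp,user,role,patient_id,action
2025-03-20T08:05:12Z,jdoe,nurse,P1001,view
2025-03-20T08:30:44Z,jdoe,nurse,P1002,update
2025-03-20T09:10:03Z,jdoe,nurse,P1003,view
2025-03-20T08:15:27Z,asmith,nurse,P1004,view
2025-03-20T09:40:10Z,asmith,nurse,P1005,view
2025-03-20T13:12:55Z,asmith,nurse,P1006,update
2025-03-20T02:10:00Z,kwu,nurse,P1007,view
2025-03-20T03:05:31Z,kwu,nurse,P1008,view
2025-03-20T03:45:12Z,kwu,nurse,P1009,view
2025-03-20T04:20:48Z,kwu,nurse,P1010,update
2025-03-20T10:00:00Z,mlee,billing,P1001,view
2025-03-20T10:30:00Z,mlee,billing,P1004,view
2025-03-20T11:00:00Z,rpatel,billing,P1002,view
2025-03-20T11:20:00Z,rpatel,billing,P1005,view
2025-03-20T11:40:00Z,rpatel,billing,P1007,view
2025-03-20T09:00:00Z,bjones,billing,P1001,view
2025-03-20T09:03:00Z,bjones,billing,P1002,view
2025-03-20T09:06:00Z,bjones,billing,P1003,view
2025-03-20T09:09:00Z,bjones,billing,P1004,view
2025-03-20T09:12:00Z,bjones,billing,P1005,view
2025-03-20T09:15:00Z,bjones,billing,P1006,view
2025-03-20T09:18:00Z,bjones,billing,P1007,view
2025-03-20T09:21:00Z,bjones,billing,P1008,view
2025-03-20T23:50:00Z,bjones,billing,P1011,view
"""

# Assumed policy: roles with an expected working window (UTC hours, [start, end)).
# Clinical roles are absent because they legitimately work around the clock.
ROLE_BUSINESS_HOURS = {"billing": (7, 19)}
PEER_MULTIPLIER = 3.0   # flag when distinct patients > 3x the peer median
MIN_PEERS = 2           # need at least two peers to form a baseline


def parse_log(text: str) -> list:
    """Parse the CSV access log into dicts with a datetime field 'ts'."""
    rows = []
    for rec in csv.DictReader(StringIO(text)):
        rec["ts"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        rows.append(rec)
    return rows


def find_anomalies(rows: list) -> list:
    """Return findings from the volume-vs-peers and off-hours rules."""
    findings = []

    # Rule 1: distinct patients touched per (day, role, user), compared with peers.
    distinct = defaultdict(set)
    for r in rows:
        distinct[(r["ts"].date(), r["role"], r["user"])].add(r["patient_id"])
    per_day_role = defaultdict(dict)
    for (day, role, user), patients in distinct.items():
        per_day_role[(day, role)][user] = len(patients)
    for (day, role), counts in per_day_role.items():
        for user, n in counts.items():
            peers = [c for u, c in counts.items() if u != user]
            if len(peers) < MIN_PEERS:
                continue
            baseline = max(median(peers), 1)
            if n > PEER_MULTIPLIER * baseline:
                findings.append({"rule": "volume_vs_peers", "user": user, "role": role,
                                 "day": day, "distinct_patients": n,
                                 "peer_median": baseline})

    # Rule 2: access outside the role's expected hours.
    for r in rows:
        window = ROLE_BUSINESS_HOURS.get(r["role"])
        if window and not (window[0] <= r["ts"].hour < window[1]):
            findings.append({"rule": "off_hours", "user": r["user"], "role": r["role"],
                             "ts": r["ts"], "patient_id": r["patient_id"]})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f)
```

Both rules are deliberately explainable: a reviewer can show an auditor why each alert fired, which is what the periodic audit review and sanction policy require. Use a median rather than a mean for the peer baseline so one already-abusive account does not inflate the threshold for everyone else in the role.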

Responsibilities of Business Associates

Who is a Business Associate

Business Associates are vendors or partners that create, receive, maintain, or transmit PHI on a Covered Entity’s behalf—such as billing services, cloud providers, and analytics firms. Their subcontractors that handle PHI are also Business Associates.

Key obligations

  • Sign and honor Business Associate Agreements specifying permitted uses/disclosures and breach reporting duties.
  • Comply directly with the Security Rule and applicable Privacy Rule provisions, including minimum necessary standards.
  • Perform risk analysis, implement safeguards, and maintain documentation.
  • Report incidents and breaches promptly and support individual rights requests through the Covered Entity.
  • Return or securely destroy PHI at contract end when feasible.

Enforcement and Penalties Under HIPAA

How enforcement works

The HHS Office for Civil Rights (OCR) investigates complaints, conducts compliance reviews, and may audit organizations. Outcomes range from voluntary corrective actions and resolution agreements to civil monetary penalties based on the nature and extent of violations and harm.

Civil and criminal exposure

HIPAA establishes a tiered civil penalty structure that accounts for culpability (from lack of knowledge to willful neglect not corrected) with annual caps adjusted for inflation. The Department of Justice can pursue criminal charges for certain wrongful disclosures, which may include fines and imprisonment.

Mitigation and cooperation

Demonstrated risk management, prompt breach response, effective training, and cooperation with investigators can mitigate penalties. Documenting decisions and improvements is essential evidence of a mature compliance program.

Key takeaways

  • Know what PHI you hold, where it lives, who accesses it, and why.
  • Build safeguards across Administrative, Physical, and Technical layers and test them regularly.
  • Prepare for incidents with clear Breach Notification Requirements, roles, and timelines.
  • Manage Business Associates with robust BAAs and continuous oversight.

FAQs

What information is protected under the HIPAA Privacy Rule?

The Privacy Rule protects PHI—any individually identifiable information about a person’s health, care, or payment for care, created or held by Covered Entities or their Business Associates, in any format (electronic, paper, or oral).

How do the Security Rule safeguards work?

They require a risk-based program of Administrative, Physical, and Technical Safeguards for ePHI. You assess risks, choose reasonable and appropriate controls (like access management, encryption, and audit logging), document decisions, train staff, and reevaluate regularly.

When must a breach be reported?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Report to HHS within the same 60 days if 500 or more individuals are affected (and notify prominent media outlets when more than 500 residents of one state or jurisdiction are affected); smaller breaches are logged and reported to HHS annually, no later than 60 days after the end of the calendar year in which they were discovered.

What penalties exist for HIPAA violations?

OCR may require corrective actions and impose tiered civil monetary penalties based on culpability and harm, subject to annual caps that are adjusted over time. Certain intentional or wrongful disclosures can trigger criminal penalties enforced by the Department of Justice.
