HIPAA Basics for Providers: Privacy, Security, and Breach Notification Explained
HIPAA Privacy Rule Overview
What the Privacy Rule Covers
The HIPAA Privacy Rule governs how Covered Entities and their Business Associates use and disclose Protected Health Information (PHI). PHI is a subset of Individually Identifiable Health Information that relates to a person’s past, present, or future physical or mental health, the provision of care, or payment for care, when the individual can be identified.
PHI can exist in any form—paper, verbal, or electronic. When PHI is created, received, maintained, or transmitted electronically, it is Electronic Protected Health Information (ePHI) and also falls under the Security Rule.
Permitted Uses and Disclosures
You may use or disclose PHI without authorization for treatment, payment, and health care operations, and for specified public interest purposes. Uses outside these purposes generally require the individual’s written authorization. Apply the minimum necessary standard to limit PHI access and disclosure to what is needed for the task.
Impermissible Disclosures and Safeguards
An impermissible disclosure is any use or disclosure not allowed by the Privacy Rule or state law. You must mitigate harmful effects, document the event, and evaluate whether it constitutes a reportable breach. Consistent privacy policies, workforce training, and role-based access help prevent such events.
HIPAA Security Rule Requirements
Objectives and Scope
The Security Rule protects the confidentiality, integrity, and availability of ePHI. It requires risk-based Security Safeguards across three categories—administrative, physical, and technical—and distinguishes between “required” and “addressable” implementation specifications. Addressable controls must still be assessed and either adopted or replaced with an equivalent measure.
Core Expectations
- Conduct an enterprise-wide risk analysis for ePHI systems and workflows.
- Implement access controls, authentication, audit controls, integrity protections, and transmission security.
- Establish contingency plans, including data backup, disaster recovery, and emergency mode operations.
- Train the workforce, manage vendors through Business Associate Agreements, and document decisions and procedures.
Breach Notification Rule Procedures
When an Incident Becomes a Breach
A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises its security or privacy. Three exceptions apply: unintentional, good-faith workforce access; inadvertent disclosure to an authorized recipient within the same organization; and disclosures where the recipient could not reasonably retain the information.
Risk Assessment and Presumption
For each impermissible disclosure, perform a risk assessment considering four factors: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. If Unsecured Protected Health Information is involved—PHI not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, unencrypted data)—a breach is presumed unless your assessment shows a low probability that the PHI has been compromised.
Notification Requirements
- Individuals: Notify without unreasonable delay and no later than 60 calendar days after discovery. Include a description of the incident, types of PHI, steps individuals should take, your mitigation and prevention actions, and contact methods.
- HHS: Report breaches affecting 500 or more individuals without unreasonable delay (no later than 60 calendar days after discovery). Breaches affecting fewer than 500 individuals are logged and reported to HHS annually.
- Media: If 500 or more individuals in a single state or jurisdiction are affected, notify prominent media outlets.
- Business Associates: Must notify the Covered Entity without unreasonable delay, providing the identity of affected individuals and information needed for notices.
- Law Enforcement Delay: You may delay notification if law enforcement states it would impede an investigation or threaten national security; document the request and resume notices when the delay lifts.
Patient Rights and Consent
Key Individual Rights
- Access and Copies: Individuals can inspect and obtain copies of their PHI, including ePHI, in the form and format they request when it is readily producible.
- Amendments: Patients may request corrections to inaccurate or incomplete PHI.
- Accounting of Disclosures: Upon request, provide a record of certain disclosures not related to treatment, payment, or operations.
- Restrictions and Confidential Communications: Patients can request limits on disclosures and alternative communication channels or locations.
- Notice of Privacy Practices: Provide clear notice describing uses, disclosures, and rights.
Consent vs. Authorization
HIPAA does not require patient consent for treatment, payment, and health care operations, although organizations may choose to obtain it. For uses and disclosures beyond those purposes—such as most marketing—written authorization is required and may be revoked by the individual.
Administrative Safeguards Implementation
Build the Governance Foundation
- Assign a privacy officer and a security officer with defined authority and accountability.
- Establish a security management process: risk analysis, risk management, sanction policy, and activity review.
- Define information access management with role-based access and documented approvals.
- Implement security awareness and training, including phishing and mobile device security.
- Create incident response procedures for detection, containment, investigation, and post-incident review.
- Develop contingency plans with tested backups and disaster recovery procedures.
- Execute and manage Business Associate Agreements; monitor vendor performance.
Documentation and Oversight
Maintain written policies and procedures, keep documentation for at least six years, and conduct periodic evaluations. Use metrics—such as training completion, patch timelines, and audit log reviews—to verify control effectiveness and drive improvement.
Technical and Physical Safeguards
Technical Safeguards for ePHI
- Access Control: Unique user IDs, least privilege, emergency access, automatic logoff, and encryption.
- Audit Controls: Centralized logging, alerting on anomalous activity, and routine log review.
- Integrity: Hashing, version control, and validation to prevent improper alteration or destruction.
- Authentication: Strong authentication and, where feasible, multi-factor authentication.
- Transmission Security: Encrypt ePHI in transit; protect APIs, email, telehealth, and remote access.
Physical Safeguards
- Facility Access Controls: Badge access, visitor logs, and contingency site protections.
- Workstation Use and Security: Secure locations, privacy screens, and auto-locking configurations.
- Device and Media Controls: Inventory, secure storage, encryption at rest, transfer tracking, and verified disposal or media reuse procedures.
Risk Assessment and Compliance Strategies
Conducting a Practical Risk Analysis
- Scope: Identify systems, locations, vendors, and workflows that create, receive, maintain, or transmit ePHI.
- Data Flow and Assets: Map where PHI lives and moves; include cloud services and mobile devices.
- Threats and Vulnerabilities: Consider human error, insider threats, ransomware, misconfigurations, and physical hazards.
- Evaluate Controls: Compare existing Security Safeguards to requirements; note gaps.
- Risk Rating: Estimate likelihood and impact to prioritize remediation.
- Plan and Track: Assign owners, set timelines, test fixes, and reassess after changes or incidents.
Operationalizing Compliance
Embed privacy and security into daily operations: enforce minimum necessary access, standardize onboarding and termination, perform vendor due diligence, and run tabletop exercises for incident response. Use encryption to reduce Unsecured Protected Health Information and lower breach risk. Regular training, auditing, and leadership oversight sustain a resilient compliance program.
In short, apply clear policies, risk-based controls, and vigilant monitoring to protect PHI, meet Privacy and Security Rule obligations, and respond effectively under the Breach Notification Rule.
FAQs
What information does the HIPAA Privacy Rule protect?
The Privacy Rule protects PHI, which is Individually Identifiable Health Information related to health status, care, or payment that can reasonably identify a person. It covers all formats—paper, verbal, and electronic. De-identified data and limited data sets without direct identifiers are generally not PHI.
How do providers implement HIPAA Security Rule safeguards?
Start with an organization-wide risk analysis of ePHI. Implement administrative, technical, and physical Security Safeguards—access control, authentication, audit logging, encryption, workforce training, vendor management, and contingency planning. Document decisions, monitor effectiveness, and update controls as systems and threats evolve.
What steps must be taken under the Breach Notification Rule?
Immediately contain and investigate the incident, then perform a risk assessment using the four-factor test. If Unsecured Protected Health Information was compromised, notify affected individuals without unreasonable delay (no later than 60 days), report to HHS as required, and notify media for large incidents. Coordinate with Business Associates, document actions, and implement remediation to prevent recurrence.