HIPAA Cheat Sheet for the Patient Safety Officer: Quick Reference to Privacy, Security, and Breach Requirements



Kevin Henry

HIPAA

March 19, 2026

6 minutes read

HIPAA Privacy Rule Overview

The Privacy Rule sets the ground rules for how Protected Health Information (PHI) may be used and disclosed by covered entities and their business associates. PHI includes any individually identifiable health information in any format—paper, verbal, or electronic.

Permitted uses and disclosures primarily cover treatment, payment, and health care operations. Most other purposes require a valid patient authorization. Apply the minimum necessary standard to routine disclosures and ensure role-based access controls limit who sees what.

Patients have key rights: to access and obtain copies of their PHI, request amendments, receive an accounting of disclosures, request restrictions, and obtain a Notice of Privacy Practices. Your responsibilities include workforce training, sanctions for violations, and verifying business associate agreements.

HIPAA Security Rule Safeguards

The Security Rule focuses on electronic PHI (ePHI) and requires you to implement appropriate Administrative, Physical, and Technical Safeguards based on risk. Start with a formal risk analysis and document ongoing risk management.

Administrative Safeguards

  • Perform risk analysis and continuous risk management; implement policies, procedures, and contingency plans.
  • Designate a security official; define workforce security, training, and sanctions; manage business associate security obligations.
  • Establish incident response, evaluation, and periodic security reviews to drive Risk Mitigation.

Physical Safeguards

  • Control facility access; secure workstations and devices; manage visitor access and environmental protections.
  • Govern device and media controls, including inventory, movement, reuse, disposal, and media sanitization.

Technical Safeguards

  • Implement unique user IDs, access controls, and automatic logoff; use encryption for data at rest and in transit when reasonable and appropriate.
  • Enable audit controls and activity review; ensure integrity protections and transmission security.
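The audit-control and activity-review bullet above, together with the role-based access controls the Privacy Rule section calls for, is the kind of thing a reviewer ends up automating. Below is an added example, not code from the article or from Accountable: it parses a constructed ePHI access log in a hypothetical format (timestamp, user, role, action, patient id), checks each action against an assumed minimum-necessary role table, and flags after-hours access and bulk record access for human review. The role table, thresholds and log lines are all assumptions made for the example.

```python
"""Sample ePHI access-log review (added example; format and policy are assumed)."""
from collections import defaultdict
from datetime import datetime

# Hypothetical minimum-necessary policy: which roles may perform which actions on ePHI.
ROLE_PERMISSIONS = {
    "physician": {"view", "update"},
    "nurse": {"view", "update"},
    "billing": {"view_billing"},
    "it_admin": set(),  # infrastructure staff need no clinical-record access
}

BULK_THRESHOLD = 5         # distinct patients per user in the reviewed window
BUSINESS_HOURS = (7, 19)   # 07:00-19:00 local; anything outside is flagged for review

# Constructed log lines: "<ISO timestamp> <user> <role> <action> <patient id>"
SAMPLE_LOG = """\
2026-03-10T08:02:11 jdoe physician view P1001
2026-03-10T08:05:40 jdoe physician update P1001
2026-03-10T09:15:02 asmith billing view P1002
2026-03-10T22:41:19 bjones nurse view P1003
2026-03-10T10:00:01 mlee it_admin view P1004
2026-03-10T10:01:05 mlee it_admin view P1005
2026-03-10T10:01:30 mlee it_admin view P1006
2026-03-10T10:02:10 mlee it_admin view P1007
2026-03-10T10:02:44 mlee it_admin view P1008
"""


def parse_log(text):
    """Turn the whitespace-separated log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "patient": patient,
        })
    return events


def review_activity(events):
    """Return a list of (user, reason) findings for the compliance reviewer."""
    findings = []
    patients_by_user = defaultdict(set)
    for e in events:
        # 1. Role-based check: the action must be in the role's permitted set.
        allowed = ROLE_PERMISSIONS.get(e["role"], set())
        if e["action"] not in allowed:
            findings.append((e["user"],
                             f"role '{e['role']}' not permitted to '{e['action']}' "
                             f"on patient {e['patient']}"))
        # 2. After-hours access is not necessarily wrong, but it gets a second look.
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            findings.append((e["user"], f"after-hours access at {e['ts'].isoformat()}"))
        patients_by_user[e["user"]].add(e["patient"])
    # 3. Bulk access: one user touching many distinct records in the window.
    for user, patients in patients_by_user.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append((user,
                             f"accessed {len(patients)} distinct patients (possible bulk access)"))
    return findings


if __name__ == "__main__":
    for user, reason in review_activity(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

Run against the constructed log, the review flags the billing user who viewed a clinical record, the nurse's late-night access, and the IT administrator who both lacked any clinical permission and walked through five patient records in three minutes; the physician's in-scope activity produces no finding. In a real deployment the thresholds would come from your risk analysis, and every finding would be documented along with its disposition, whether or not it turns out to be a breach.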

Definition of a Breach

Under the Breach Notification Rule, a breach is an impermissible acquisition, access, use, or disclosure of Unsecured PHI that compromises its security or privacy. A breach is presumed unless you demonstrate a low probability of compromise through a documented risk assessment.

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through approved encryption or destruction methods. If PHI is properly “secured,” the incident may not constitute a reportable breach.

Breach Notification Requirements

When a breach of Unsecured PHI occurs, notifications must be made without unreasonable delay and no later than 60 calendar days after discovery.

  • Individuals: Provide written notice describing what happened, the types of information involved, steps individuals should take, what you are doing (including Risk Mitigation), and contact information.
  • U.S. Department of Health and Human Services (HHS): For breaches affecting 500 or more individuals, notify HHS contemporaneously; for fewer than 500, report to HHS no later than 60 days after the end of the calendar year.
  • Media: If 500 or more residents of a state or jurisdiction are affected, notify prominent media outlets in that area within 60 days.
  • Business Associates: Must notify the covered entity without unreasonable delay and no later than 60 days, including identification of affected individuals when known.

Use first-class mail (or electronic notice if the individual has agreed). Provide substitute notice if contact information is insufficient. Document your decisions, timelines, and communications.
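The notification rules above combine a fixed outer deadline with head-count thresholds that differ by recipient and by whether the reporter is the covered entity or a business associate. As an added example (not code from the article or from Accountable), the helper below turns a discovery date and a per-state count of affected individuals into the list of required notifications and their outer deadlines, as the cheat sheet describes them. It assumes the rules exactly as stated on this page, does not decide whether an incident is a breach (that is the four-factor risk assessment), and uses constructed dates and counts; "without unreasonable delay" still means you should act well before these outer dates.

```python
"""Breach Notification Rule timeline helper (added example; inputs are constructed)."""
from datetime import date, timedelta

OUTER_DEADLINE_DAYS = 60       # "no later than 60 calendar days" after discovery
LARGE_BREACH_THRESHOLD = 500   # HHS-contemporaneous and media thresholds


def notification_plan(discovery_iso, affected_by_jurisdiction, reporter="covered_entity"):
    """Return {notification: outer deadline (ISO date string)}.

    discovery_iso: date the breach was discovered, e.g. "2026-03-10"
    affected_by_jurisdiction: {state_or_jurisdiction: affected residents}
    reporter: "covered_entity" or "business_associate"
    """
    if reporter not in ("covered_entity", "business_associate"):
        raise ValueError("reporter must be 'covered_entity' or 'business_associate'")
    discovery = date.fromisoformat(discovery_iso)
    outer = discovery + timedelta(days=OUTER_DEADLINE_DAYS)
    plan = {}

    if reporter == "business_associate":
        # A business associate notifies the covered entity (with affected individuals
        # when known); the covered entity then owns the notifications below.
        plan["covered_entity"] = outer.isoformat()
        return plan

    total = sum(affected_by_jurisdiction.values())
    plan["individuals"] = outer.isoformat()  # written notice to every affected person

    if total >= LARGE_BREACH_THRESHOLD:
        # 500 or more: HHS is notified contemporaneously with individual notice.
        plan["hhs"] = outer.isoformat()
    else:
        # Fewer than 500: report to HHS no later than 60 days after the end of the
        # calendar year in which the breach was discovered.
        year_end = date(discovery.year, 12, 31)
        plan["hhs"] = (year_end + timedelta(days=OUTER_DEADLINE_DAYS)).isoformat()

    # Media notice is per state/jurisdiction, not on the overall total.
    for jurisdiction, count in affected_by_jurisdiction.items():
        if count >= LARGE_BREACH_THRESHOLD:
            plan[f"media:{jurisdiction}"] = outer.isoformat()
    return plan


if __name__ == "__main__":
    # Constructed scenario: 700 California residents and 120 Nevada residents affected.
    for k, v in notification_plan("2026-03-10", {"CA": 700, "NV": 120}).items():
        print(f"{k}: by {v}")
```

For the constructed scenario the 820 affected individuals trigger contemporaneous HHS notice and a California media notice, but no Nevada media notice, since the 500 threshold is applied per jurisdiction. Dropping the total below 500 moves the HHS report to the annual log deadline after year end, and reporting as a business associate produces only the obligation to notify the covered entity.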


Risk Assessment Factors

Evaluate and document these four factors to determine the probability of compromise and whether notification is required:

  1. Nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification.
  2. The unauthorized person who used the PHI or to whom the disclosure was made, and their obligations to protect confidentiality.
  3. Whether the PHI was actually acquired or viewed, or only potentially exposed.
  4. The extent to which the risk has been mitigated, such as obtaining satisfactory assurances of destruction or return.

Use the results to guide Risk Mitigation steps—containment, retrieval, password resets, and workforce re-education—and to justify your final determination.

Exceptions to Breach Definition

Three narrow exceptions mean an incident is not a breach:

  • Unintentional acquisition, access, or use of PHI by a workforce member acting in good faith and within the scope of authority.
  • Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI within the same organization (or organized health care arrangement).
  • A good-faith belief that the unauthorized recipient could not reasonably retain the information (for example, a returned unopened letter or quickly retrieved misdirected email).

Even when an exception applies, assess and document the event and implement appropriate Risk Mitigation.

Encryption Safe Harbor Benefits

If PHI is encrypted or destroyed consistent with recognized standards, it is treated as “secured,” and loss or theft typically does not trigger breach notification. Encryption should protect data at rest and in transit, with keys safeguarded and access controls enforced.

Safe harbor reduces regulatory exposure, limits follow-on obligations, and streamlines incident response. It does not replace your duty to investigate, document, and apply Risk Mitigation when something goes wrong—especially if encryption was misconfigured or keys were compromised.

Conclusion

This HIPAA cheat sheet equips you to quickly spot Privacy Rule boundaries, confirm Security Rule safeguards, and navigate the Breach Notification Rule. Lead with risk analysis, document every decision, and act fast on containment and communication.

FAQs

What is the HIPAA Privacy Rule?

The Privacy Rule governs how covered entities and business associates use and disclose PHI, requires the minimum necessary standard, and grants patients rights such as access, amendment, and an accounting of disclosures. It also mandates notices, workforce training, and appropriate administrative controls.

What are the main components of the Security Rule?

The Security Rule requires Administrative Safeguards (risk analysis, policies, training), Physical Safeguards (facility, device, and media protections), and Technical Safeguards (access control, audit, integrity, and transmission security), all tailored to your risks and operations.

When must a breach be reported?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notify HHS and, for large breaches, the media within the same 60-day window, following thresholds and content rules set by the Breach Notification Rule.

How does encryption affect breach notification?

Properly encrypted PHI qualifies for safe harbor, meaning that loss or theft of the encrypted data typically does not require breach notification. If encryption was absent, misapplied, or keys were compromised, treat the event as involving Unsecured PHI and conduct a full risk assessment.
