HIPAA Cheat Sheet: Your Quick Guide to the Privacy, Security & Breach Notification Rules

Kevin Henry

HIPAA

September 30, 2025

9 minute read

This HIPAA cheat sheet gives you a fast, practical grasp of the Privacy, Security, and Breach Notification Rules. You will learn what counts as Protected Health Information (PHI) and Electronic Protected Health Information (ePHI), what Covered Entities and Business Associates must do, and which patient rights you need to honor.

Use this as a concise reference to design policies, train your workforce, and operationalize safeguards—without losing sight of the fundamentals that keep PHI secure and compliant.

HIPAA Privacy Rule Overview

Scope and key definitions

The Privacy Rule governs how you use, disclose, and safeguard Protected Health Information (PHI) in any form—paper, oral, or electronic. Electronic Protected Health Information (ePHI) is simply PHI in electronic form. The rule applies to Covered Entities and, by extension, to Business Associates that handle PHI on their behalf.

Permitted uses and disclosures

  • Treatment, payment, and health care operations (TPO) uses and disclosures are broadly permitted.
  • Disclosures are required to the individual upon request and to HHS for compliance investigations.
  • Other uses and disclosures (for example, marketing or sale of PHI) generally require a valid, written authorization.

Minimum necessary standard

Limit PHI to the minimum necessary to accomplish the purpose for most uses and disclosures. This standard does not apply to treatment, disclosures to the individual, or uses/disclosures authorized by the individual or required by law.

Notices, policies, and workforce duties

  • Provide a clear Notice of Privacy Practices (NPP) that explains how you use PHI and how patients can exercise their rights.
  • Adopt and enforce privacy policies, train your workforce, apply sanctions for violations, and mitigate harmful effects of improper uses/disclosures.

De-identification and limited data sets

  • De-identified data (no reasonable basis to identify an individual) is not PHI.
  • Limited data sets exclude certain direct identifiers and may be shared for specific purposes under a Data Use Agreement.

HIPAA Security Rule Requirements

What the Security Rule covers

The Security Rule sets standards to protect the confidentiality, integrity, and availability of ePHI. It is risk-based and flexible so you can tailor safeguards to your size, complexity, and technical environment.

Administrative Safeguards

  • Conduct an enterprise-wide risk analysis and implement risk management plans.
  • Designate a Security Officer; manage workforce access, training, and sanctions.
  • Establish security incident procedures and a contingency plan (backup, disaster recovery, emergency operations).
  • Review system activity (audit logs, access reports) and evaluate your program periodically.

Physical Safeguards

  • Control facility access and secure workstations.
  • Govern device and media handling (secure disposal, media reuse, and tracking).

Technical Safeguards

  • Access controls (unique user IDs, role-based access, emergency access procedures).
  • Audit controls to record and examine system activity.
  • Integrity protections to prevent improper alteration or destruction.
  • Authentication of users and devices.
  • Transmission security; encryption is “addressable,” but strongly expected for ePHI in transit and, where feasible, at rest.

Documentation essentials

Maintain written policies, procedures, and assessments; retain required documentation for at least six years and review/update it regularly or upon major environmental or operational changes.

Breach Notification Rule Procedures

What is a breach?

A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. Exceptions include certain good-faith or inadvertent disclosures within the scope of authority, and situations in which the recipient could not reasonably retain the information.

Risk assessment

Perform a documented assessment considering: (1) the nature and extent of the PHI involved, (2) the unauthorized person who used the PHI or to whom it was disclosed, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated. An impermissible use or disclosure is presumed to be a breach unless the assessment demonstrates a low probability that the PHI has been compromised; if you cannot demonstrate that low probability, notification is required.

Timelines and recipients

  • Individuals: Notify without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS: For 500 or more affected individuals in a state or jurisdiction, notify HHS without unreasonable delay (no later than 60 days). For fewer than 500, log and report to HHS within 60 days after the end of the calendar year.
  • Media: For breaches affecting 500 or more residents of a state or jurisdiction, notify prominent media outlets within 60 days.
  • Business Associates: Must notify the Covered Entity without unreasonable delay and no later than 60 days, providing details to support individual notices.

What to include in notices

  • A brief description of what happened and the discovery date.
  • Types of PHI involved (for example, names, Social Security numbers, diagnoses).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • Contact methods for questions (toll-free number, email, address, or website).

Safe harbor and documentation

If the PHI was encrypted in line with current HHS guidance (and the decryption key was not itself compromised), it is not "unsecured" PHI and the incident may fall outside the notification requirement. Keep thorough incident logs, risk assessments, and mailing/publication records to demonstrate compliance and support investigations.

Roles of Covered Entities

Who is a Covered Entity?

  • Health care providers that transmit health information electronically in standard transactions (for example, billing).
  • Health plans, including insurers, HMOs, employer-sponsored health plans, and government programs.
  • Health care clearinghouses that process nonstandard data into standard formats and vice versa.

Core responsibilities

  • Issue an NPP, honor patient rights, and respond within required timeframes.
  • Apply the minimum necessary standard and role-based access.
  • Implement Administrative, Physical, and Technical Safeguards for ePHI.
  • Execute and manage Business Associate Agreements (BAAs).
  • Train the workforce, monitor compliance, and enforce sanctions.
  • Investigate incidents and provide Breach Notification as required.

Responsibilities of Business Associates

Who is a Business Associate?

A Business Associate is any person or organization that performs functions or services for a Covered Entity involving PHI (for example, claims processing, IT support, cloud hosting, e-prescribing, billing, or analytics). Subcontractors that handle PHI are also Business Associates.

Business Associate Agreement (BAA) essentials

  • Permitted and required uses/disclosures of PHI.
  • Implementation of safeguards aligned to the Security Rule.
  • Prompt reporting of security incidents and breaches, including necessary details.
  • Flow-down requirements to subcontractors handling PHI.
  • Provision of access, amendments, and accounting support to the Covered Entity.
  • Return or destruction of PHI at contract termination when feasible.
  • Right of HHS to audit compliance.

Operational expectations

  • Limit PHI to the minimum necessary and use role-based access.
  • Maintain audit logs, encryption for ePHI in transit and at rest where feasible, and secure key management.
  • Conduct risk analyses, document risk treatments, and train staff on HIPAA obligations.

Patient Rights Under HIPAA

Right of access and copies

Patients can inspect or receive copies of their PHI, including ePHI, typically within 30 days (one 30-day extension permitted with written notice). Provide the requested form and format if readily producible, or a readable alternative. Fees must be reasonable and cost-based.

Right to request amendments

Patients may request corrections to their records. Act within 60 days (one 30-day extension with written notice). If you deny a request, explain why and allow a statement of disagreement to be added.

Accounting of disclosures

Upon request, provide an accounting of certain disclosures of PHI for the prior six years, excluding most TPO uses and other specified exceptions.

Restrictions and confidential communications

Patients can request restrictions on uses/disclosures; you must honor a restriction on disclosures to a health plan for a particular service if the patient pays for that service in full out-of-pocket. Accommodate reasonable requests to communicate by alternative means or locations.

Notice and complaints

Patients are entitled to an NPP and may file complaints with your organization or with HHS without retaliation.

Compliance Best Practices

Governance and risk management

  • Maintain an inventory of systems and vendors that create, receive, maintain, or transmit PHI/ePHI.
  • Perform a thorough risk analysis at least annually and upon significant changes; track risks to closure.
  • Appoint Privacy and Security Officers with clear authority and accountability.

Technical and operational controls

  • Use strong identity and access management (unique IDs, MFA where feasible, least privilege).
  • Encrypt ePHI in transit and at rest; maintain secure configuration baselines and patch regularly.
  • Enable audit logging and centralized monitoring; review anomalous access.
  • Harden endpoints and mobile devices; apply device and media controls and secure disposal.
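The Technical Safeguards listed earlier (role-based access controls, emergency access procedures, audit controls) and the "review anomalous access" practice above can be exercised against the audit trail itself. The following is an added example written for this cheat sheet, not code from the original article or from Accountable: it parses a constructed audit-log format, applies minimum-necessary checks (is this action permitted for the role, and does the user have a treatment relationship with the patient), surfaces every break-glass use for human review, and flags users who touch an unusual number of distinct patients in a short window. The log lines, role table, care-team table, user and patient identifiers, and the bulk-access threshold are all constructed assumptions.

```python
"""ePHI audit-log review: role-based minimum-necessary checks, break-glass
(emergency access) tracking, and a simple bulk-access anomaly flag.

Added example, not code from the original article. Every identifier, table
and threshold below is constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Policy tables (constructed; an organisation would load these from its IAM/EHR) ---

# Minimum-necessary: the actions each role may perform at all.
ROLE_ACTIONS = {
    "physician": {"view_chart", "update_chart"},
    "nurse": {"view_chart"},
    "billing": {"view_claim"},
    "helpdesk": set(),  # no ePHI access in the normal course of work
}

# Treatment relationship: users on each patient's care team.
CARE_TEAM = {
    "P1001": {"u_nurse01", "u_doc07"},
    "P1002": {"u_nurse01"},
    "P2001": {"u_doc05"}, "P2002": {"u_doc05"},
    "P2003": {"u_doc05"}, "P2004": {"u_doc05"},
}

# Roles permitted to invoke the emergency-access ("break-glass") procedure.
BREAK_GLASS_ROLES = {"physician", "nurse"}

# Constructed anomaly threshold: more than BULK_LIMIT distinct patients
# within BULK_WINDOW is surfaced for review.
BULK_WINDOW = timedelta(minutes=10)
BULK_LIMIT = 3

# Constructed sample audit records:
#   <ISO timestamp> <user> <role> <action> <patient> <'-'|'break_glass'>
SAMPLE_LOG = """\
2025-09-29T09:12:04 u_nurse01 nurse view_chart P1001 -
2025-09-29T09:15:31 u_nurse01 nurse view_chart P1002 -
2025-09-29T10:02:10 u_bill02 billing view_claim P1001 -
2025-09-29T10:05:44 u_bill02 billing view_chart P1003 -
2025-09-29T23:41:02 u_doc07 physician view_chart P2001 break_glass
2025-09-30T02:10:00 u_help03 helpdesk view_chart P3001 -
2025-09-30T08:30:00 u_doc05 physician view_chart P2001 -
2025-09-30T08:31:10 u_doc05 physician view_chart P2002 -
2025-09-30T08:32:20 u_doc05 physician view_chart P2003 -
2025-09-30T08:33:40 u_doc05 physician view_chart P2004 -
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    action: str
    patient: str
    break_glass: bool


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" (policy violation) or "medium" (needs review)
    user: str
    reason: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the constructed whitespace-separated audit format."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, action, patient, flag = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role,
                                  action, patient, flag == "break_glass"))
    return events


def check_event(ev: AccessEvent) -> Finding | None:
    """Role permission, treatment relationship and break-glass checks for one event."""
    if ev.action not in ROLE_ACTIONS.get(ev.role, set()):
        return Finding("high", ev.user,
                       f"{ev.role} performed {ev.action} on {ev.patient}: "
                       "action not permitted for role")
    if ev.action in {"view_chart", "update_chart"}:
        if ev.break_glass:
            if ev.role not in BREAK_GLASS_ROLES:
                return Finding("high", ev.user, f"break-glass by {ev.role} is not allowed")
            # Emergency access is permitted, but every use is surfaced for review.
            return Finding("medium", ev.user,
                           f"break-glass access to {ev.patient}: verify clinical justification")
        if ev.user not in CARE_TEAM.get(ev.patient, set()):
            return Finding("high", ev.user,
                           f"{ev.action} on {ev.patient} without a treatment relationship")
    return None


def detect_bulk_access(events: list[AccessEvent]) -> list[Finding]:
    """Flag users touching more than BULK_LIMIT distinct patients inside BULK_WINDOW."""
    by_user: dict[str, list[AccessEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)
    findings = []
    minutes = int(BULK_WINDOW.total_seconds() // 60)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            patients = {e.patient for e in evs[i:] if e.ts - start.ts <= BULK_WINDOW}
            if len(patients) > BULK_LIMIT:
                findings.append(Finding("medium", user,
                                        f"{len(patients)} distinct patients within "
                                        f"{minutes} min: possible bulk access"))
                break  # one finding per user is enough for triage
    return findings


def review(log_text: str) -> list[Finding]:
    """Run per-event checks, then the cross-event anomaly check."""
    events = parse_log(log_text)
    findings = [f for f in (check_event(e) for e in events) if f is not None]
    findings.extend(detect_bulk_access(events))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f.severity}] {f.user}: {f.reason}")
```

On the constructed log this yields two high findings (a billing user opening a chart, a helpdesk user viewing ePHI), a medium finding for the physician's break-glass access, and a medium bulk-access finding for the rounding physician whose accesses are individually legitimate but collectively exceed the threshold. The split between "high" and "medium" mirrors the distinction in the rule: some events are sanctionable on their face, while break-glass and volume anomalies are permitted activity that still needs documented review.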

Vendor and data lifecycle management

  • Execute BAAs before sharing PHI; assess vendor security and require flow-down controls to subcontractors.
  • Apply the minimum necessary standard, data retention schedules, and secure archival or destruction.

Training, testing, and response

  • Deliver role-based privacy and security training at hire and at least annually; reinforce with reminders.
  • Test backups and incident response plans; practice breach response with tabletop exercises.
  • Document incidents, risk assessments, and breach decisions; retain proof of mailings and media notices.

Ongoing assurance

  • Conduct internal audits for access appropriateness, minimum necessary, and timely fulfillment of patient requests.
  • Update policies and the NPP when operations or laws change; communicate updates to staff and patients.

Conclusion

This HIPAA cheat sheet highlights how the Privacy, Security, and Breach Notification Rules fit together: limit and justify uses of PHI, safeguard ePHI with layered controls, respond swiftly to incidents, and respect patient rights. Embed these requirements into daily operations to reduce risk and demonstrate reliable compliance.

FAQs

What information does the HIPAA Privacy Rule protect?

The Privacy Rule protects PHI—individually identifiable health information—held or transmitted by Covered Entities and their Business Associates in any form (paper, oral, or electronic). ePHI is PHI in electronic form. It includes identifiers linked to past, present, or future health, care, or payment.

How soon must a breach notification be issued?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For incidents affecting 500 or more residents of a state or jurisdiction, notify HHS and prominent media within the same 60-day window. For fewer than 500, log and report to HHS within 60 days after the end of the calendar year. Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 days.

Who is considered a covered entity under HIPAA?

Covered Entities include health care providers that conduct standard electronic transactions, health plans (such as insurers, HMOs, and government programs), and health care clearinghouses that translate data between standard and nonstandard formats.

What rights do patients have regarding their health information?

Patients have the right to access and obtain copies of their PHI (usually within 30 days), request amendments, receive an accounting of certain disclosures, request restrictions and confidential communications, receive a Notice of Privacy Practices, and file complaints without retaliation.
