What is HIPAA? The Main Rules of HIPAA

HIPAA is a vast regulation. We’ve broken down the core rules that you need to know and live by in order to be considered HIPAA Compliant.

What does HIPAA Stand for?

HIPAA stands for the Health Insurance Portability and Accountability Act. It was signed into law in 1996 with the original intention of helping more Americans gain health insurance coverage and of ensuring that employees would not lose their health insurance if they changed jobs. Over the three decades that the law has been in effect it has gone through numerous changes and has greatly expanded in scope. The Act is enforced by the Department of Health and Human Services' Office for Civil Rights (OCR). Generally, the OCR becomes aware of violations via complaints, via audits, or when it is notified of a breach of an organization's compliance program. Investigations and enforcement of breaches are ongoing, and fines of $2 million-plus have been issued to organizations found to be in violation of HIPAA.

When putting together your organization's HIPAA compliance program, it is important to know and understand the rules of the Act to ensure that you are meeting all the standards. The HIPAA laws and regulations are segmented into five main rules that your entire organization should be well aware of. This is a brief look at each rule and what it means.

The Privacy Rule

The Privacy Rule was passed in 2003 to set restrictions and standards for how PHI can be shared, including what PHI is shared, when it is shared, and under what circumstances it can be used or disclosed.

The primary goal of the Privacy Rule is to guarantee that an individual's PHI is held in a system that allows it to flow between parties, such as doctors or insurance companies, who need access to it in order to achieve the best healthcare outcomes for the patient, while simultaneously protecting the data. Additionally, the Privacy Rule states that patients should have access to the same information about their healthcare that their doctors do, and that they should have a measure of authority over where that information goes and who can access it.

What is PHI?

The Privacy Rule laid out 18 identifiers that mark information as PHI. Broadly speaking, PHI is any personal health information that can potentially identify an individual and that was created, used, or disclosed in the course of providing healthcare services, whether for diagnosis or treatment. PHI also includes billing information and any information that could be used to identify an individual in a health insurance company's records. When PHI is held in an electronic format, such as on a computer or in a digital file, it is called electronic Protected Health Information (ePHI).

Additionally, the Privacy Rule included standards for covered entities to safeguard PHI and to release it to the individuals it belongs to.

Minimum Necessary Rule

The Minimum Necessary Rule essentially mandates that employees working with PHI should only have access to the minimum amount of PHI that allows them to perform their assigned work. Rather than having access to an individual's full health record, they should only be given what is truly needed at that time.

There are some exceptions to the Minimum Necessary Rule in a routine healthcare environment. For example, it is often necessary for a healthcare provider to access a patient's full medical history in order to diagnose or treat an illness, but non-routine requests must be reviewed on a case-by-case basis.

Right of Access

The text of the HIPAA Privacy Rule provides each patient with the legal right to access and receive copies of their medical records and other health information on request.

When it was originally enacted, the Privacy Rule only applied to covered entities, but subsequent amendments to the HIPAA law have expanded its standards and regulations to business associates and to subcontractors of business associates.

The Security Rule

Whereas the Privacy Rule deals with the overall integrity and privacy of PHI, the Security Rule deals with electronic Protected Health Information (ePHI). The Security Rule requires the implementation of three types of safeguards:

Administrative Safeguards

Administrative Safeguards outline documentation processes, roles and responsibilities, training requirements, and data maintenance. Typically, Administrative Safeguards are used to define the following two safeguards and to ensure they are implemented properly.

Physical Safeguards

Physical Safeguards are meant to ensure that data is physically protected. This can include security systems and access control systems, as well as policies concerning access to ePHI from mobile devices or other hardware that can be moved.

Technical Safeguards

Technical Safeguards are the technologies and policies that protect ePHI from unauthorized access and preserve its integrity.

The goal of these safeguards is to ensure that ePHI is properly secured against all forms of unauthorized access, whether the data is at rest or in transit. The rule was designed to be flexible, covering all aspects of security without requiring specific technologies or procedures to be implemented. Organizations are required to conduct frequent risk assessments in order to identify potential threats to PHI and then adopt appropriate procedures.

While this flexibility was intended to let organizations assess their own security needs and implement policies and procedures suited to their particular needs and resources, the lack of clear guidance has led to confusion and frustration.

Risk Assessment

The Administrative Safeguards provision in the Security Rule requires covered entities to perform recurring risk assessments as part of their security management processes. Risk assessment should be an ongoing process so that an organization can regularly track access to ePHI and identify security breaches, periodically review how effective its security measures have been, and regularly reevaluate potential risks to ePHI.

The HIPAA risk assessment helps determine which security measures are reasonable and appropriate for a particular organization, informing which safeguards to put into place.

The Breach Notification Rule

The Breach Notification Rule was a significant expansion to HIPAA in 2009 that updated and modified several aspects of HIPAA.

First, the rule defined a breach as any unauthorized use or sharing of PHI that could potentially jeopardize the security and privacy of an individual's personal healthcare data. The rule also required covered entities and their business associates to notify all affected individuals within 60 days of a breach. Additionally, the rule required that they notify the Department of Health and Human Services, and in some cases the media, if the breach is of a particular severity.

The HITECH Act

In the first two decades of HIPAA, compliance with the law was fairly easy, primarily because the threat of an audit was low and the penalties for breaches were relatively mild. All of that changed following the passage of the HITECH Act.

The "Health Information Technology for Economic and Clinical Health" (HITECH) Act was signed into law by President Obama in February 2009 as part of the American Recovery and Reinvestment Act, with the primary purpose of encouraging healthcare providers to adopt Electronic Healthcare Records and supporting technology. More importantly for PHI, the Act also clarified and strengthened the enforcement of HIPAA by increasing penalties for noncompliance and mandating that the Privacy and Security Rules apply to business associates as well as covered entities. It also created a four-tier system for violations of HIPAA:

  • First Tier: The covered entity did not know and could not reasonably have known of the breach. Generally, fines range from $100 to $50,000 per incident, up to $1.5 million in penalties.
  • Second Tier: The covered entity knew, or by exercising reasonable diligence would have known, of the violation, though it did not act with willful neglect. Fines for the second tier range from $1,000 to $50,000 per incident, up to $1.5 million.
  • Third Tier: The covered entity "acted with willful neglect" but corrected the problems within a 30-day period of the breach. Penalties for the third tier range from $10,000 to $50,000 per incident, up to $1.5 million.
  • Fourth Tier: The covered entity acted with willful neglect and failed to make a timely correction. Fines start at $50,000 per incident, up to $1.5 million.

Due to these changes, the HITECH Act has often been called "HIPAA on steroids".

The Omnibus Rule

The HIPAA Omnibus Rule, which was passed in 2012, edited and updated all of the previously passed rules with the intention of creating one single, exhaustive document detailing all the requirements for complying with HIPAA and HITECH.

The key updates included:

Business associates are now liable for their own compliance with HIPAA. While the HITECH Act first mentioned this, it was the Omnibus Rule that authorized the Office for Civil Rights (OCR) to begin enforcing compliance on business associates. The Omnibus Rule also required that any unauthorized use or sharing of PHI be presumed to be a breach, which has led to a significantly higher number of reported data breaches each year.

HIPAA is complex. Accountable makes it simple.

As you can see, HIPAA has a lot of moving parts and compliance can feel like it is a moving target.

It's important to remember that, as easy as it is to violate HIPAA, implementing training and policies to safeguard PHI and your organization is easier. That is why we created Accountable: a complete solution designed to help you achieve and maintain your organization's HIPAA compliance. We give you the tools you need to train your employees, manage your vendors, and identify risk within your organization.

Oh, and it’s free to get started.
