What Do HIPAA Requirements Include? Privacy, Security & Breach Notification Rules


Kevin Henry

HIPAA

June 25, 2025


HIPAA requirements set national standards for how you handle health data across privacy, security, and breach notification. They apply to Covered Entities and their Business Associates, and cover both Protected Health Information (PHI) and Electronic Protected Health Information (ePHI). This guide breaks down what you must implement and how to operationalize it.

HIPAA Privacy Rule Overview

The Privacy Rule governs how PHI is used and disclosed in any form (paper, verbal, or electronic). It establishes patient rights and requires policies, processes, and documentation that limit access and sharing to what is permissible and necessary.

Who must comply and what is protected

  • Covered Entities: health plans, most healthcare providers, and healthcare clearinghouses.
  • Business Associates: vendors and partners that create, receive, maintain, or transmit PHI on a Covered Entity’s behalf.
  • Protected Health Information: individually identifiable health information tied to a person’s identity plus their health status, care, or payment details.

Permitted uses and disclosures

  • Treatment, Payment, and Healthcare Operations are permitted without authorization.
  • Other disclosures may require written authorization or must be specifically allowed by law.
  • Apply the Minimum Necessary Standard to restrict PHI access and disclosure to the least amount needed to achieve the purpose (with limited exceptions, such as treatment and disclosures to the individual).

Individual rights you must support

  • Right of access to records and to obtain copies in the requested format when feasible.
  • Right to request amendments and to receive an accounting of certain disclosures.
  • Right to request restrictions and confidential communications.
  • Notice of Privacy Practices that clearly explains uses, rights, and contacts.

Operationalize the Privacy Rule with clear policies, workforce training, Business Associate Agreements, role-based access, and routine audits of disclosures.

HIPAA Security Rule Requirements

The Security Rule protects ePHI’s confidentiality, integrity, and availability through risk-based controls. You must implement Administrative, Physical, and Technical Safeguards, documenting decisions for “required” and “addressable” specifications.

  • Conduct and document a comprehensive Risk Analysis to identify threats and vulnerabilities to ePHI across systems and workflows.
  • Perform Risk Management to prioritize and remediate findings, with timelines and accountability.
  • Establish security incident procedures and an Incident Response Plan that defines detection, triage, containment, notification, and lessons learned.
  • Train the workforce, enforce sanctions, and monitor adherence with ongoing evaluations.
  • Ensure Business Associates implement comparable protections via written agreements.

Breach Notification Obligations

A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. If PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals (for example, through strong encryption), notification is generally not required.

Risk assessment and presumption

  • There is a presumption of breach unless you document a low probability of compromise based on four factors: the PHI type and sensitivity, the unauthorized person, whether the PHI was actually acquired or viewed, and mitigation steps taken.

Who to notify and by when

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • Notify HHS: immediately for incidents affecting 500+ individuals in a state or jurisdiction; for fewer than 500, log and submit annually.
  • Notify prominent media outlets when a breach affects 500+ residents of a state or jurisdiction.
  • Business Associates must notify the Covered Entity without unreasonable delay and provide details needed for individual notices.

Content of notices

  • What happened (including the breach date and discovery date), the types of PHI involved, steps individuals should take, what you are doing to investigate and mitigate, and contact methods for questions.
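The breach-notification decisions above (safe harbor for secured PHI, the documented low-probability exception, the 60-day individual deadline, the 500-per-jurisdiction threshold for HHS and media, and the required notice content) form a small decision procedure. The following is an added worked example, not code from the article or from any compliance product; the incident fields, jurisdiction names and counts are constructed, and the thresholds are taken directly from the text above.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds as stated in the article.
INDIVIDUAL_NOTICE_DAYS = 60   # individuals: no later than 60 calendar days after discovery
LARGE_BREACH_THRESHOLD = 500  # per state/jurisdiction: HHS immediately plus media notice


@dataclass
class Incident:
    discovered_on: date
    phi_secured: bool                 # unusable/unreadable to unauthorized parties (e.g. strong encryption)
    low_probability_documented: bool  # four-factor assessment completed and documented
    affected_by_jurisdiction: Dict[str, int]  # constructed counts, keyed by state/jurisdiction


@dataclass
class NotificationPlan:
    reportable: bool
    reason: str
    individual_notice_by: Optional[date] = None
    hhs_immediate: List[str] = field(default_factory=list)
    media_notice: List[str] = field(default_factory=list)
    hhs_annual_log: bool = False
    notify_covered_entity: bool = False  # set when the reporter is a Business Associate


def plan_notifications(incident: Incident, reporter_is_business_associate: bool = False) -> NotificationPlan:
    """Apply the article's rules in order: safe harbor, documented low probability, then presumed breach."""
    if incident.phi_secured:
        return NotificationPlan(False, "PHI unusable/unreadable to unauthorized individuals; notice generally not required")
    if incident.low_probability_documented:
        return NotificationPlan(False, "documented four-factor assessment shows low probability of compromise")

    plan = NotificationPlan(True, "presumed breach of unsecured PHI")
    plan.individual_notice_by = incident.discovered_on + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    large = sorted(j for j, n in incident.affected_by_jurisdiction.items() if n >= LARGE_BREACH_THRESHOLD)
    plan.hhs_immediate = large          # 500+ in a jurisdiction: report to HHS immediately
    plan.media_notice = large           # and notify prominent media in that jurisdiction
    plan.hhs_annual_log = not large     # otherwise log the incident and submit annually
    plan.notify_covered_entity = reporter_is_business_associate
    return plan


# Notice content elements listed in the article; keys are this example's own names.
REQUIRED_NOTICE_ELEMENTS = [
    "what_happened", "breach_date", "discovery_date", "phi_types",
    "individual_steps", "investigation_and_mitigation", "contact",
]


def missing_notice_elements(notice: dict) -> List[str]:
    """Return the required elements a draft individual notice still lacks."""
    return [k for k in REQUIRED_NOTICE_ELEMENTS if not notice.get(k)]


if __name__ == "__main__":
    # Constructed incident: 620 residents of one jurisdiction, 40 of another.
    inc = Incident(date(2025, 6, 25), False, False, {"CA": 620, "NV": 40})
    print(plan_notifications(inc))
    print(missing_notice_elements({"what_happened": "example", "contact": "privacy@example.invalid"}))
```

The ordering matters: the safe-harbor and documented-low-probability checks run before any deadline is computed, so a plan is only produced when the presumption of breach actually stands, and the plan records why.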

Administrative Safeguards

  • Security Management Process: formal Risk Analysis and Risk Management, plus a sanction policy for violations.
  • Assigned Security Responsibility: designate a security official with authority to oversee the program.
  • Workforce Security and Training: authorize, supervise, and terminate access appropriately; deliver ongoing, role-based education.
  • Information Access Management: grant role-based minimum access aligned to the Minimum Necessary Standard.
  • Security Incident Procedures: detection, reporting channels, and a tested Incident Response Plan.
  • Contingency Plan: data backup, disaster recovery, emergency mode operations, and periodic testing.
  • Evaluation: periodic technical and nontechnical evaluations to validate effectiveness and adapt to changes.
  • Business Associate Agreements: require safeguards, breach reporting, and flow-down obligations to subcontractors.

Physical Safeguards

  • Facility Access Controls: facility security plans, visitor management, and maintenance records; ensure access during emergencies without exposing ePHI.
  • Workstation Use and Security: define acceptable use, placement, screen privacy, and automatic lockouts.
  • Device and Media Controls: secure disposal and media reuse, chain-of-custody, and backup before movement.
  • Portable Devices: encrypt laptops and mobile media, enable remote wipe, and restrict local storage of ePHI.

Technical Safeguards

  • Access Control: unique user IDs, emergency access procedures, automatic logoff, and encryption of ePHI (addressable but expected when Risk Analysis indicates).
  • Audit Controls: log access and activity across EHRs, databases, and applications; routinely review alerts and anomalies.
  • Integrity: controls to prevent improper alteration or destruction of ePHI, such as hashing and write protections.
  • Person or Entity Authentication: verify user identities, preferably with multi-factor authentication.
  • Transmission Security: protect ePHI in transit with strong encryption and secure protocols; prevent unauthorized modification.
  • Data Minimization: segment systems, use least-privilege access, and apply the Minimum Necessary Standard in technical workflows.
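Three of the Technical Safeguards above (Access Control with role-based minimum-necessary filtering, Audit Controls that record every access decision for review, and Integrity protection via hashing) can be shown together in one small Python example. This is an added illustration, not code from the article or from any EHR product; the roles, the field-per-role map and the sample record are constructed, and the hash-chained log is one common way to make audit entries tamper-evident, not a HIPAA-mandated format.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed: which PHI fields each role may see (Minimum Necessary Standard applied technically).
ROLE_FIELDS = {
    "clinician": {"patient_id", "diagnosis", "medications"},
    "billing": {"patient_id", "insurance_id", "charges"},
}

# Constructed sample ePHI record; no real data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "diagnosis": "example-dx",
    "medications": ["example-med"],
    "insurance_id": "INS-0001",
    "charges": 120.0,
}


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so digests are stable across runs and processes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record: dict) -> str:
    """Integrity control: SHA-256 over the canonical record, stored alongside it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def integrity_ok(record: dict, expected_digest: str) -> bool:
    """Detects improper alteration: recompute and compare in constant time."""
    return hmac.compare_digest(record_digest(record), expected_digest)


class AuditLog:
    """Audit control: append-only log where each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []
        self._prev_hash = "0" * 64

    def append(self, user: str, role: str, requested: set, granted: set) -> dict:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,                      # unique user ID, never a shared account
            "role": role,
            "requested": sorted(requested),
            "granted": sorted(granted),
            "denied": sorted(requested - granted),
            "prev": self._prev_hash,
        }
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self._prev_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Routine review step: any edited or removed entry breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def denied_accesses(self) -> list:
        """Review helper: entries where a requested field was refused (candidates for follow-up)."""
        return [e for e in self.entries if e["denied"]]


def access_phi(user: str, role: str, requested: set, record: dict, log: AuditLog) -> dict:
    """Return only the fields the role is permitted to see, and log the full decision."""
    permitted = ROLE_FIELDS.get(role, set())   # unknown role: nothing permitted
    granted = requested & permitted
    log.append(user, role, requested, granted)
    return {f: record[f] for f in granted if f in record}


if __name__ == "__main__":
    log = AuditLog()
    print(access_phi("u-billing-1", "billing", {"patient_id", "diagnosis", "charges"}, SAMPLE_RECORD, log))
    print("denied:", log.denied_accesses()[0]["denied"], "chain ok:", log.verify_chain())
```

A billing user asking for a diagnosis field gets the permitted subset back while the refusal is logged, which gives the "routinely review alerts and anomalies" step something concrete to query; the stored record digest lets the same review detect a record that was altered outside the application.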

Compliance and Enforcement

OCR enforces HIPAA through complaints, breach investigations, and audits. Outcomes can include corrective action, monitoring, and civil monetary penalties that scale with culpability and remediation efforts.

To demonstrate diligence, document everything: your Risk Analysis, Risk Management plans, policies and procedures, workforce training, access reviews, vendor oversight, and incident/breach decisions. Regularly test your Incident Response Plan and contingency capabilities.

Common pitfalls include outdated risk assessments, unencrypted portable devices, missing Business Associate Agreements, excessive PHI access, and delays in breach notification. Address these with governance, metrics, and executive accountability.

Conclusion

Effective HIPAA compliance means knowing where PHI and ePHI live, applying the Minimum Necessary Standard, executing a current Risk Analysis, hardening controls across all safeguards, training your workforce, and proving it through documentation and a tested Incident Response Plan.

FAQs

What information is protected under HIPAA Privacy Rule?

The Privacy Rule protects Protected Health Information—any individually identifiable health information about a person’s past, present, or future health, care, or payment, in paper, verbal, or electronic form. De-identified data is not PHI, while ePHI is PHI stored or transmitted electronically.

How does HIPAA Security Rule protect electronic health records?

It requires a risk-based security program for Electronic Protected Health Information, including Administrative, Physical, and Technical Safeguards. Core measures include Risk Analysis and remediation, access controls and authentication, encryption, audit logging, integrity protections, workforce training, and a tested Incident Response Plan.

When must a breach notification be sent under HIPAA?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. You must also notify HHS (and, for large breaches, the media). Business Associates must notify the Covered Entity promptly and provide necessary details.

What are administrative safeguards under HIPAA?

They are organizational measures that govern how you manage security: Risk Analysis and Risk Management, assigned security leadership, workforce security and training, information access management aligned to the Minimum Necessary Standard, incident procedures with an Incident Response Plan, contingency planning, periodic evaluations, and Business Associate oversight.
