What are the three main rules of HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) has three main rules to protect patient health information:

1. The Privacy Rule

2. The Security Rule

3. The Breach Notification Rule

Businesses and covered entities can face up to $1.5 million in fines for failing to comply. This is why there are so many training and regulatory safeguards to ensure everyone understands HIPAA compliance.

The Privacy Rule has the following purposes:

• Dealing with protected health information (PHI) and how it’s disclosed or used

• Explaining which organizations need to adhere to HIPAA standards

• Defining PHI

• Showing organizations how to use and share PHI

• Setting out the disclosure and usage of PHI permitted by HIPAA standards

• Outlining patients’ health information rights

What is a covered entity?

HIPAA defines covered entities as health plans, healthcare clearinghouses, and care providers that use and transmit patients’ health information.

When can covered entities use or disclose PHI?

PHI can be disclosed and used in the following cases:

• When required by law or for essential government functions

• For workers’ compensation

• For public health activities

• For any judicial or administrative proceeding

• For health oversight activities

• For domestic violence or abuse/neglect reports

• For law enforcement purposes or research investigations

• For organ or cadaveric donations

• In certain aspects that cover deceased persons

Permitted uses and disclosures

The use or disclosure of PHI is permitted if:

• The covered entity is required to do so or is permitted

• The patient gives written permission that allows their PHI to be accessed

The Security Rule gives ePHI minimum standards for protection. It’s much like the Privacy Rule but is solely for digitally transmittable data.

The Security Rule covers:

• What organizations are deemed covered entities and need to follow the rule

• The policies and procedures that can be implemented for HIPAA compliance

• The information that falls under the Security Rule’s protection.

There are administrative safeguards, technical safeguards, and physical safeguards.

Administrative safeguards

Administrative safeguards include the following:

• Dealing with security personnel (officers tasked with overseeing the covered entity’s policies and procedures)

• Information access management

• Workforce training

• Managing the security process and evaluation

The security management process is implemented to lower any vulnerability risk and other factors that may hinder ePHI control.

Policies and procedures for ePHI access and usage must be consistent with HIPAA rules. The workplace’s training and management should have conditions for anyone who violates the HIPAA rules.

Physical safeguards

A covered entity’s physical safeguards include facility access and workspace and device security.

Limiting physical access to any healthcare facility that deals with ePHI is crucial to keeping patients’ sensitive data safe and secure. This element of the Security Rule also covers how ePHI is removed and disposed of.

Technical safeguards

Below are the four main aspects of technical safeguards:

• Access control—the policies that only allow authorized individuals to access and process ePHI

• Audit control—the hardware and software that keeps ePHI contained

• Integrity control—deals with ensuring that ePHI is not altered or destroyed electronically

• Transmission security—transmission security is intended to keep ePHI from being sent over any unsecured networks that may allow unauthorized access

All these safeguards should be in place and monitored to prevent breaches and/or mishandling of information.

The Breach Notification Rule states that the Department of Health and Human Services should be notified after any data breach, no matter the nature. The department needs to be alerted within 60 days of the breach being found.

Individual notice

The patient must be notified if their information has been accessed in a breach. They should be told what type of breach it was, what could have been accessed, the date of access, and what has been done since the breach.

Media notice

In the event of a large data breach involving over 500 patient records in a set jurisdiction, there must be plans in place to inform the media. The Office for Civil Rights may issue fines if the media are not notified.

Notice to the secretary

If a large-scale breach occurs involving over 500 individuals, the Health and Human Services Department should be notified. These notifications should be as detailed as possible and outline what is being done to control the breach and keep it from happening again.

The HIPAA minimum necessary standard is for all organizations and companies that are HIPAA compliant. It limits the amount of PHI they can share.

This standard can be met by limiting access to patient records by specific job roles. Access to patient data that is more sensitive, such as birth dates and location information, should also be limited.

Sharing only what is absolutely necessary means less information can be accessed in a breach. This safety feature allows patients to be safer and allows for better data control.

Covered entities and business associates must be HIPAA-compliant, including private medical clinics and hospitals, health insurance companies, and third-party health organizations. Agencies where there is no patient interaction or processing of patient files do not need to comply.

PHI breaches are when the company or organization is out of compliance and discloses or uses the information improperly. These breaches can occur due to unauthorized access, mishandled data, or improper storage and disposal. In the event of a breach caused by a lack of encryption, the covered entity is required to send out an alert.

The Breach Notification Rule is more relaxed in the following instances:

• The breach occurred in good faith, was in the scope of the authority of use, and was caused unintentionally

• The breach was caused unintentionally and occurred between two people in the same organization who were permitted to access the data

• The company or organization believed in good faith that the unauthorized entity receiving the data would not be able to retain it

In these cases, the company or organization needs to ensure that the incident will not happen again. It will also need to put corrective measures in place and create an alert if there is unsecured PHI.

Businesses and covered entities need to have end-to-end encryption (E2EE) to comply with HIPAA. E2EE ensures encrypted data is only transferred from the sender (the business or covered entity) to the authorized recipient. Only the intended recipient can access and view the data that is transferred.

The Security Rule deals with ePHI protection, its creation, and how it is received, maintained, and used. The Privacy Rule deals with the security of all forms of PHI (not just electronic) and its confidentiality.

The HIPAA Privacy Rule allows covered entities and business associates with permission to share patient care information with family members and people who are responsible for the patient’s healthcare payment—as long as the patient has given their permission.

The most severe HIPAA violation occurs if a person wrongfully accesses PHI and sells, transfers, or uses it to maliciously harm the individual, gain an advantage, or personally profit.

This violation is a crime and is punishable by up to 10 years in prison, $250,000 in fines/penalties, or both.

The HIPAA Privacy and Security Rules are enforced by the US Department of Health and Human Services (HHS) Office for Civil Rights. The organization started enforcing the rules on April 15, 2003.

Breach notifications are sent to the HHS, which is also where compliance issues are handled for all HIPAA-regulated agencies and companies.