
What are the three main rules of HIPAA?

Last updated

13 September 2023


Dovetail Editorial Team

The Health Insurance Portability and Accountability Act (HIPAA) has three main rules to protect patient health information:

  1. The Privacy Rule

  2. The Security Rule

  3. The Breach Notification Rule

Businesses and covered entities can face up to $1.5 million in fines for failing to comply. This is why there are so many training and regulatory safeguards to ensure everyone understands HIPAA compliance.

The Privacy Rule

The Privacy Rule has the following purposes:

  • Dealing with protected health information (PHI) and how it’s disclosed or used

  • Explaining which organizations need to adhere to HIPAA standards

  • Defining PHI

  • Showing organizations how to use and share PHI

  • Setting out the disclosure and usage of PHI permitted by HIPAA standards

  • Outlining patients’ health information rights

What is a covered entity?

HIPAA defines covered entities as health plans, healthcare clearinghouses, and care providers that use and transmit patients’ health information.

When can covered entities use or disclose PHI?

PHI can be disclosed and used in the following cases:

  • When required by law or for essential government functions

  • For workers’ compensation

  • For public health activities

  • For any judicial or administrative proceeding

  • For health oversight activities

  • For domestic violence or abuse/neglect reports

  • For law enforcement purposes or research investigations

  • For organ or cadaveric donations

  • In certain aspects that cover deceased persons

Permitted uses and disclosures

The use or disclosure of PHI is permitted if:

  • The covered entity is required or permitted by the rule to do so

  • The patient gives written permission that allows their PHI to be accessed

Security Rule

The Security Rule sets minimum standards for protecting electronic PHI (ePHI). It is much like the Privacy Rule but applies solely to health information that is stored or transmitted in digital form.

The Security Rule covers:

  • What organizations are deemed covered entities and need to follow the rule

  • The policies and procedures that can be implemented for HIPAA compliance

  • The information that falls under the Security Rule’s protection

There are administrative safeguards, technical safeguards, and physical safeguards.

Administrative safeguards

Administrative safeguards include the following:

  • Dealing with security personnel (officers tasked with overseeing the covered entity’s policies and procedures)

  • Information access management

  • Workforce training

  • Managing the security process and evaluation

The security management process is implemented to reduce the risk posed by vulnerabilities and other factors that could undermine control over ePHI.

Policies and procedures for ePHI access and usage must be consistent with HIPAA rules. The workplace’s training and management should have conditions for anyone who violates the HIPAA rules.

Physical safeguards

A covered entity’s physical safeguards include facility access and workspace and device security.

Limiting physical access to any healthcare facility that deals with ePHI is crucial to keeping patients’ sensitive data safe and secure. This element of the Security Rule also covers how ePHI is removed and disposed of.

Technical safeguards

Below are the four main aspects of technical safeguards:

  • Access control—the policies that only allow authorized individuals to access and process ePHI

  • Audit control—the hardware and software that keeps ePHI contained

  • Integrity control—deals with ensuring that ePHI is not altered or destroyed electronically

  • Transmission security—keeps ePHI from being sent over unsecured networks that could allow unauthorized access

All these safeguards should be in place and monitored to prevent breaches and/or mishandling of information.

Breach Notification Rule

The Breach Notification Rule states that the Department of Health and Human Services should be notified after any data breach, no matter the nature. The department needs to be alerted within 60 days of the breach being found.

Individual notice

The patient must be notified if their information has been accessed in a breach. They should be told what type of breach it was, what could have been accessed, the date of access, and what has been done since the breach.

Media notice

In the event of a large data breach involving over 500 patient records in a set jurisdiction, there must be plans in place to inform the media. The Office for Civil Rights may issue fines if the media are not notified.

Notice to the secretary

If a large-scale breach occurs involving over 500 individuals, the Health and Human Services Department should be notified. These notifications should be as detailed as possible and outline what is being done to control the breach and keep it from happening again.

What is the “HIPAA minimum necessary” standard?

The HIPAA minimum necessary standard is for all organizations and companies that are HIPAA compliant. It limits the amount of PHI they can share.

This standard can be met by limiting access to patient records by specific job roles. Access to patient data that is more sensitive, such as birth dates and location information, should also be limited.

Sharing only what is absolutely necessary means less information can be accessed in a breach. This safety feature allows patients to be safer and allows for better data control.
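The technical safeguards listed above (access control, audit control, integrity control) and the minimum necessary standard are easier to reason about when seen together in code. The following is an added example, not code from the original article or from Dovetail: a small record store that filters each read down to the fields a hypothetical job role needs, writes an audit entry for every access (including denied fields), and keeps an HMAC over the record so unauthorized modification can be detected. The role-to-field policy, the sample record and the integrity key are all constructed for the demonstration.

```python
"""Minimum-necessary access to a PHI record with audit logging and an integrity check.

Constructed example: the roles, fields, sample record and key are hypothetical.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Sample Patient",
    "birth_date": "1980-01-01",
    "address": "1 Example Street",
    "diagnosis": "hypertension",
    "billing_code": "I10",
    "amount_due": 120.00,
}

# Hypothetical minimum-necessary policy: each role sees only what its job requires.
# Sensitive fields such as birth_date and address are withheld from roles that do not need them.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "clinician": {"patient_id", "name", "birth_date", "diagnosis"},
    "billing": {"patient_id", "name", "billing_code", "amount_due"},
    "front_desk": {"patient_id", "name"},
}

# Integrity key for the demo; a real deployment would load it from a key store.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def record_digest(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so any field change alters the digest."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class PHIStore:
    """Holds one record, enforces role-based field filtering and audits every access."""

    def __init__(self, record: dict) -> None:
        self._record = dict(record)
        self._digest = record_digest(self._record)  # integrity control
        self.audit_log: List[dict] = []  # audit control

    def verify_integrity(self) -> bool:
        """True only if the stored record still matches the digest taken at load time."""
        return hmac.compare_digest(self._digest, record_digest(self._record))

    def _log(self, user: str, role: str, granted: Set[str], denied: Set[str], outcome: str) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "granted": sorted(granted),
            "denied": sorted(denied),
            "outcome": outcome,
        })

    def read(self, user: str, role: str, requested: Optional[Set[str]] = None) -> dict:
        """Return only the requested fields the role is allowed to see; log everything else."""
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._log(user, role, set(), set(requested or ()), "denied: unknown role")
            raise PermissionError(f"role {role!r} has no access to PHI")
        wanted = set(requested) if requested is not None else set(allowed)
        granted = wanted & allowed
        denied = wanted - allowed
        self._log(user, role, granted, denied, "partial" if denied else "ok")
        return {k: self._record[k] for k in sorted(granted) if k in self._record}


if __name__ == "__main__":
    store = PHIStore(SAMPLE_RECORD)
    print(store.read("alice", "clinician"))                       # no billing fields
    print(store.read("bob", "front_desk", {"name", "diagnosis"}))  # diagnosis withheld
    print(store.audit_log[-1])                                     # denied field is recorded
    print("integrity ok:", store.verify_integrity())
```

The audit entry records denied fields as well as granted ones: repeated requests for fields outside a role's policy are exactly the pattern a reviewer would want to see when looking for misuse. The digest is checked on demand here; a production system would verify it on every read and on a schedule.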

Who needs to comply with the three HIPAA rules?

Covered entities and business associates must be HIPAA-compliant, including private medical clinics and hospitals, health insurance companies, and third-party health organizations. Agencies where there is no patient interaction or processing of patient files do not need to comply.

Reportable breaches and exemptions

A PHI breach occurs when the company or organization falls out of compliance and discloses or uses the information improperly. Breaches can result from unauthorized access, mishandled data, or improper storage and disposal. When a breach is caused by a lack of encryption, the covered entity is required to send out an alert.

The Breach Notification Rule is more relaxed in the following instances:

  • The breach occurred in good faith, was in the scope of the authority of use, and was caused unintentionally

  • The breach was caused unintentionally and occurred between two people in the same organization who were permitted to access the data

  • The company or organization believed in good faith that the unauthorized entity receiving the data would not be able to retain it

In these cases, the company or organization needs to ensure that the incident will not happen again. It will also need to put corrective measures in place and create an alert if there is unsecured PHI.


What type of encryption does HIPAA require?

Businesses and covered entities need to have end-to-end encryption (E2EE) to comply with HIPAA. E2EE ensures encrypted data is only transferred from the sender (the business or covered entity) to the authorized recipient. Only the intended recipient can access and view the data that is transferred.

How does security differ from privacy within HIPAA?

The Security Rule deals with ePHI protection, its creation, and how it is received, maintained, and used. The Privacy Rule deals with the security of all forms of PHI (not just electronic) and its confidentiality.

What information can be shared without violating HIPAA?

The HIPAA Privacy Rule allows covered entities and business associates to share patient care information with family members and with people responsible for paying for the patient’s healthcare, as long as the patient has given their permission.

What is the most severe HIPAA violation?

The most severe HIPAA violation occurs if a person wrongfully accesses PHI and sells, transfers, or uses it to maliciously harm the individual, gain an advantage, or personally profit.

This violation is a crime and is punishable by up to 10 years in prison, $250,000 in fines/penalties, or both.

What entity is responsible for HIPAA?

The HIPAA Privacy and Security Rules are enforced by the US Department of Health and Human Services (HHS) Office for Civil Rights. The organization started enforcing the rules on April 15, 2003.

Breach notifications are sent to the HHS, which is also where compliance issues are handled for all HIPAA-regulated agencies and companies.
