
What are the 3 rules of HIPAA?


When you hear people discuss HIPAA, it’s likely you’ve noticed them mentioning three very important rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. 

Why do these rules matter? Because failure to adhere to them can result in civil money penalties of up to $1.5 million — and even criminal penalties — not to mention a loss of reputation for your organization. That’s why it’s essential that you follow the three rules of HIPAA if your business is considered a covered entity under HIPAA.  

So you’re better informed, let’s dive into what each rule covers and what steps you need to take to be compliant.

The HIPAA Privacy Rule

The HIPAA Privacy Rule sets national standards to protect patients' medical records and other personal health information (PHI) — like summary health information — and requires reliable measures to protect PHI privacy. It also gives individuals rights over their health information — including rights to access and review a copy of their records and request modifications — and establishes authorized actions and the required disclosures that apply to such data.

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity — which includes clearinghouses, health plans, and other healthcare providers — or its business associate, in any form or media, whether electronic, paper, or oral.

In short, the Privacy Rule restricts the extent to which medical records can be shared without explicit consent and allows patients and their next of kin (aka “representatives”) to access their medical records.

The HIPAA Security Rule

The HIPAA Security Rule specifically sets the standards for the protection of PHI in an electronic format (ePHI) and covers all healthcare providers who use ePHI as well as their business associates. They must take the following actions to protect all ePHI that they create, receive, store, or send:

  • Ensure the confidentiality, integrity, and availability of the PHI
  • Protect the ePHI against impermissible use or disclosure
  • Protect the ePHI against all threats to its security and integrity
  • Train employees and ensure compliance with the Security Rule
  • Adopt suitable policies and procedures

Covered entities must also identify potential risks to patient health information, create a risk management plan, put administrative, physical, and technical safeguards in place, conduct HIPAA training for their workforce, document the risk analysis process, and conduct a yearly risk analysis to identify and mitigate new risks.

The Breach Notification Rule

The Breach Notification Rule applies when there’s been a PHI breach, which is defined as an unpermitted use or disclosure that compromises the security or privacy of PHI.

If this happens, your organization must notify affected individuals, the US Department of Health and Human Services (HHS), and, in some cases, the media. Which actions must be taken in response to the breach depends on how many people were affected.

Fewer than 500 people affected

If the breach affects fewer than 500 people, it must be reported to HHS OCR and affected patients within 60 days of the end of the calendar year in which the breach was discovered (that is, by March 1).

500 or more people affected

If a breach affects 500 or more people, it must be reported to HHS OCR, affected patients, and the media within 60 days of discovery. It will also be publicly displayed on the OCR breach portal.

Reportable breaches and exceptions to the rule

While all impermissible uses and disclosures are a breach of PHI, alerts only need to be sent for unsecured PHI.

PHI is considered secure when it’s been rendered unusable, unreadable, or indecipherable to unauthorized individuals. This is accomplished when ePHI has been encrypted as specified in the HIPAA Security Rule, and/or if the media on which the PHI is stored or recorded has been destroyed.

The Breach Notification Rule also allows exceptions if a breach meets the following criteria:

  1. Was unintentional or done in good faith and was within the scope of the authority
  2. Was done unintentionally between two people permitted to access the PHI
  3. The organization has a good faith belief that the person to whom the disclosure was made would not be able to retain the PHI

Before HIPAA, there wasn’t much of a consensus around best practices for PHI. When HIPAA was signed into law in 1996, organizations finally had some guidance. With the Privacy, Security, and Breach Notification Rules — first introduced in 2003, 2005, and 2009, respectively — HIPAA set industry standards for how to address PHI while improving the health care experience for patients.

HIPAA also helps organize healthcare services and makes it easier for covered entities to protect their client information and transfer information between one another, thereby reducing paperwork, improving workflows, and aiding health insurance portability.

Who needs to comply with the 3 HIPAA rules

Remember, all covered entities must abide by the HIPAA regulations and security standards, including the three rules. Covered entities can include everyone from medical discount providers and private hospitals to health insurance companies. And don’t forget, all rules also apply to business associates, which are companies or organizations that provide third-party health and human services to covered entities.

For more information, including definitions of covered entities and business associates, see the Code of Federal Regulations (CFR) Title 45, Section 160.103.
