<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

What Are the Three Rules of HIPAA? Explained

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

Summary: While HIPAA rules benefit both patients and providers, failure to comply with these standards can result in significant penalties and negative outcomes for both parties. That’s why it is important to understand how HIPAA works and what key areas it covers. In this article, we’ll review the three primary parts of HIPAA regulation, why these rules matter, and how organizations can ensure compliance at every level.    

What is the Purpose of HIPAA Rules? 

The Health Insurance Portability and Accountability Act (HIPAA) was originally introduced in 1996 to protect health insurance coverage for employees that lost or changed jobs. Today, HIPAA also includes mandates and standards for the transmission and protection of sensitive patient health information by providers and relevant health care organizations. 

HIPAA regulates the privacy, security, and breaches of sensitive healthcare information. These regulations enable the healthcare industry to securely and efficiently store and share patient data, protect patient privacy, and secure protected health information (PHI) from unauthorized use and access.

HIPAA rules ensure that: 

  • PHI is only accessed by authorized parties.
  • Patients have access to copies of their personal records upon request.
  • Covered entities safeguard PHI through reasonable physical, administrative, and technical measures.
  • Covered entities promptly report and resolve any breach of security.  

So, what are three major things addressed in the HIPAA law?

HIPAA Rule 1: The Privacy Rule

The HIPAA Privacy Rule outlines standards to protect all individually identifiable health information handled by covered entities or their business associates. This protected health information (PHI) includes a wide range of sensitive data, such as social security numbers, credit card information, and medical history, including prescriptions, procedures, conditions, and diagnoses. 

PHI has long been a target for identity theft, so establishing strong privacy rules around its use, access, and security is critical for protecting patient data in an increasingly digital world.

The Privacy Rule addresses this risk by:

  • Giving patients more control over their health information, including the right to review and obtain copies of their records.
  • Setting boundaries on the use and release of health records. 
  • Requiring standard safeguards that covered entities must implement to protect PHI from unauthorized use or access. 

The Privacy Rule also includes limiting the release of PHI to the minimum required for disclosure (aka the Minimum Necessary Rule). In other words, under the Privacy Rule, information isn’t disclosed beyond what is reasonably necessary to protect patient privacy.

To ensure patient records and information are kept private, the Privacy Rule outlines:

What is a covered entity?

The organizations bound by HIPAA rules are called covered entities. 

Covered entities include any organization or third party that handles or manages protected patient data, for example:

  • Health plans, such as health insurance companies, HMOs, and government programs like Medicare and Medicaid.
  • Health care providers that conduct business electronically, such as most doctors, hospitals, clinics, nursing homes, and pharmacies.
  • Health care clearinghouses, which are entities that process or facilitate the processing of nonstandard data elements of health information into standard data elements.

Additionally, business associates of covered entities must comply with parts of HIPAA rules. 

Business associates are third-party organizations that need and have access to health information when working with a covered entity. Business associates can include contractors and subcontractors, companies that help doctors bill and process claims, lawyers and accountants, IT specialists, and companies that store or dispose of medical data.

When can covered entities use or disclose PHI?

A covered entity cannot use or disclose PHI unless permitted under the Privacy Rule or by written authorization from the subject of the information.

Covered entities must disclose PHI to the individual if they request access or to HHS for compliance investigations or enforcement.  

Permitted Uses and Disclosures 

Covered entities can use or disclose PHI without prior authorization from the patient for their own treatment, payment, and health care operations activities. They are always allowed to share PHI with the individual. The Privacy Rule also makes exceptions for disclosure in the interest of the public, such as in cases required by law, or for public health. 

HIPAA Rule 2: The Security Rule

The HIPAA Security Rule establishes standards for protecting the electronic PHI (ePHI) that a covered entity creates, uses, receives, or maintains. While the Privacy Rule governs the privacy and confidentiality of all PHI, including oral, paper, and electronic, the Security Rule focuses on guidelines specific to securing electronic data. 

A key goal of the Security Rule is to protect individuals’ private health information while still allowing covered entities to innovate and adopt new technologies that improve the quality and efficiency of patient care.

The Security Rule considers flexibility, scalability, and technological neutrality. This means there are no specific requirements for the types of technology covered entities must use. Instead, covered entities can use any security measures that allow them to implement the standards appropriately. It is up to the covered entity to decide which security measures and technologies are best for its organization.

Under the Security Rule, covered entities must: 

  • Ensure the confidentiality, integrity, and availability of the ePHI they receive, maintain, create or transmit.
  • Identify and protect against threats to the security or integrity of the information.
  • Reasonably protect against impermissible uses or disclosures.
  • Ensure compliance by their workforce.

The Security Rule covers three main areas of security: administrative, physical, and technical. 

Administrative safeguards

Administrative safeguards are administrative actions, policies, and procedures that develop and manage security measures that protect ePHI.

Administrative safeguards make up more than half of the Security Rule regulations and lay the foundation for compliance. 

Covered entities must implement the following administrative safeguards:  

  • Conduct thorough security management and risk analysis.
  • Assign a privacy officer.
  • Manage workforce security.
  • Manage information access.
  • Conduct HIPAA security training.
  • Establish security incident procedures.
  • Develop contingency plans.
  • Obtain proper contract agreements with business associates.
  • Evaluate security safeguards regularly.

Physical safeguards

HIPAA physical safeguards are any physical measures, policies, and procedures used to protect a covered entity’s electronic information systems from damage or unauthorized intrusion—including the protection of buildings and equipment.

In other words, HIPAA rules require covered entities to consider and apply safeguards to protect physical access to ePHI. 

HIPAA physical safeguard requirements include: 

  • Facility access controls. Ensure that only authorized users can access your facilities by implementing contingency operations, facility security plans, access control and validation procedures, and maintenance records. This might include controlling building access through photo ID cards and locking offices or storage files with ePHI.   
  • Workstation use and security. Implement policies and procedures to standardize functions that are performed and the physical setup to protect ePHI. This includes setting parameters on access and storage for ePHI on mobile devices, properly arranging the physical workspace (e.g., can unauthorized people see information on the screen?), and limiting what information is stored on station devices.
  • Devices and media controls. Establish policies for receiving and handling devices with ePHI stored on them and moving these items within the facility. This includes procedures for proper disposal of data, as well as backup and storage policies.

Technical safeguards

Under the Security Rule, technical safeguards apply to the technology itself, as well as the policies and procedures that govern its use, protect its electronic protected health information, and control access to it. 

Technical safeguards include:

  • Access control. Grant access only to those with permission.  
  • Audit controls. Implement a system to monitor, record, and review all activity.  
  • Integrity. Ensure ePHI has not been altered or destroyed improperly. 
  • Person or entity authentication. Confirm user identity before granting access. 
  • Transmission security. Protect access to ePHI through encryption. 

Together, these safeguards help covered entities provide comprehensive, standardized security for all ePHI they handle. 

HIPAA Rule 3: The Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification of a breach involving unsecured PHI. A breach is any impermissible use or disclosure of PHI under the Privacy and Security Rules. 

If a potential breach occurs, the organization must conduct a risk assessment to determine the scope and impact of the incident—and confirm whether it falls under the notification requirement. 

The risk assessment should be based on the following factors

  • The nature and extent of the PHI involved
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually obtained or viewed
  • The extent to which the risk to the PHI has been mitigated

A covered entity is required to make a notification unless it can demonstrate a low probability that PHI was compromised. Breach notifications include individual notice, media notice, and notice to the secretary.

Individual notice

Following a breach, the organization must notify all impacted individuals. The notice must include a description of the breach and the types of information involved, what steps individuals should take to protect themselves from potential harm, and what the covered entity is doing to investigate and address the breach.

Media notice

Covered entities must also notify the media—typically through a press release to local or regional outlets—if the breach affects 500 or more residents of a state or jurisdiction. The notice must include the same information as the notice to individuals and must be issued promptly, no later than 60 days following the discovery of the breach.

Notice to the Secretary 

Covered entities are required to notify the Secretary of Health and Human Services whenever a breach occurs. If the breach affects fewer than 500 individuals, the covered entity must notify the Secretary within 60 days of the end of the calendar year in which the breach was discovered. 

If the breach affects 500 or more individuals, the covered entity must notify the Secretary within 60 days from the discovery of the breach. 

StrongDM Makes Following HIPAA Rules Easy 

The three Rules of HIPAA represent a cornerstone regulation that protects the healthcare industry—and consumers—from fraud, identity theft, and violation of privacy. 

Through privacy, security, and notification standards, HIPAA regulations:

  • Improve standardization and efficiency across the industry. 
  • Strengthen data security among covered entities. 
  • Deliver better access control across networks.
  • Provide greater transparency and accountability to patients. 

Failure to comply with HIPAA regulations can lead to costly penalties and even criminal liability. That’s why it’s important to rely on comprehensive solutions like StrongDM to ensure end-to-end compliance across your network. 

StrongDM enables automated evidence collection for HIPAA, SOC 2, SOX, and ISO 27001 audits so you can ensure compliance at every level.

Easily configure your Kubernetes, databases, and other technical infrastructure with granular, least-privileged access based on roles, attributes, or just-in-time approvals for resources. Then capture and record all sessions across your entire stack—so you have full visibility into your risk landscape and can implement compliancestandards every step of the way.

Want to simplify your HIPAA Compliance? Try a 14-day free trial of StrongDM today.


About the Author

, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

What Are the ISO 27001 Requirements?
What Are the ISO 27001 Requirements in 2022?
To become ISO 27001 certified, organizations must align their security standards to 11 clauses covered in the ISO 27001 requirements. In this article, you’ll discover what each clause in part one of ISO 27001 covers. We’ll also take a big picture look at how part two of ISO 27001—also known as Annex A—can help your organization meet the ISO/IEC 27001 requirements.
HIPAA Compliance Checklist
HIPAA Compliance Checklist: Easy to Follow Guide for 2022
Following a HIPAA compliance checklist can help HIPAA-covered entities comply with the regulations and become HIPAA compliant. In this HIPAA compliance guide, we’ll review the 8 primary steps to achieving HIPAA compliance, tips on how to implement them, and frequently asked questions.
How to maintain ISO 27001 Certification
How to Maintain ISO 27001 Certification in 2022 and Beyond
This article examines what happens after companies achieve IT security ISO 27001 certification. We’ll answer questions about how to maintain ISO certification, how long ISO 27001 certification is valid, and the costs and risks of failing to maintain compliance. By the end of this article, you’ll know the certifying body requirements and what your checklist should look like for staying on top of your ISO 27001 certification.
HITRUST vs. HIPAA: Understanding the Difference
HITRUST vs. HIPAA: Understanding the Difference
HITRUST and HIPAA often go hand-in-hand when talking about security compliance. But what are they, and how do they compare? In this article, we’ll review HITRUST vs. HIPAA, including their differences, similarities, and advantages, and we’ll explain how and when to use them in compliance efforts.
PCI Compliance Checklist: The 12 Requirements
PCI Compliance Checklist: The 12 Requirements (Step-by-Step)
In this article, we will take a big-picture look at the Payment Card Industry (PCI) Data Security Standards (DSS). You’ll learn what is required to be PCI compliant and what’s involved in each of the 12 PCI DSS requirements. You’ll also find a handy PCI Compliance Checklist for easy reference, including new PCI compliance requirements.