Summary: While HIPAA rules benefit both patients and providers, failure to comply with these standards can result in significant penalties and negative outcomes for both parties. That’s why it is important to understand how HIPAA works and what key areas it covers. In this article, we’ll review the three primary parts of HIPAA regulation, why these rules matter, and how organizations can ensure compliance at every level.
What is the Purpose of HIPAA Rules?
The Health Insurance Portability and Accountability Act (HIPAA) was originally introduced in 1996 to protect health insurance coverage for employees who lost or changed jobs. Today, HIPAA also includes mandates and standards for the transmission and protection of sensitive patient health information by providers and relevant health care organizations.
HIPAA regulates the privacy, security, and breaches of sensitive healthcare information. These regulations enable the healthcare industry to securely and efficiently store and share patient data, protect patient privacy, and secure protected health information (PHI) from unauthorized use and access.
HIPAA rules ensure that:
- PHI is only accessed by authorized parties.
- Patients have access to copies of their personal records upon request.
- Covered entities safeguard PHI through reasonable physical, administrative, and technical measures.
- Covered entities promptly report and resolve any breach of security.
So, what are three major things addressed in the HIPAA law?
HIPAA Rule 1: The Privacy Rule
The HIPAA Privacy Rule outlines standards to protect all individually identifiable health information handled by covered entities or their business associates. This protected health information (PHI) includes a wide range of sensitive data, such as social security numbers, credit card information, and medical history, including prescriptions, procedures, conditions, and diagnoses.
PHI has long been a target for identity theft, so establishing strong privacy rules around its use, access, and security is critical for protecting patient data in an increasingly digital world.
The Privacy Rule addresses this risk by:
- Giving patients more control over their health information, including the right to review and obtain copies of their records.
- Setting boundaries on the use and release of health records.
- Requiring standard safeguards that covered entities must implement to protect PHI from unauthorized use or access.
The Privacy Rule also limits the release of PHI to the minimum required for the purpose of the disclosure (aka the Minimum Necessary Rule). In other words, under the Privacy Rule, a covered entity discloses no more PHI than is reasonably necessary to accomplish the intended purpose, which in turn protects patient privacy.
To ensure patient records and information are kept private, the Privacy Rule outlines:
- Which organizations must follow the HIPAA rules (aka covered entities).
- How covered entities can use and share PHI.
- Permitted uses and disclosures of health information.
What is a covered entity?
The organizations bound by HIPAA rules are called covered entities.
Covered entities include any organization or third party that handles or manages protected patient data, for example:
- Health plans, such as health insurance companies, HMOs, and government programs like Medicare and Medicaid.
- Health care providers that conduct business electronically, such as most doctors, hospitals, clinics, nursing homes, and pharmacies.
- Health care clearinghouses, which are entities that process or facilitate the processing of nonstandard data elements of health information into standard data elements.
Additionally, business associates of covered entities must comply with parts of HIPAA rules.
Business associates are third-party organizations that need and have access to health information when working with a covered entity. Business associates can include contractors and subcontractors, companies that help doctors bill and process claims, lawyers and accountants, IT specialists, and companies that store or dispose of medical data.
When can covered entities use or disclose PHI?
A covered entity cannot use or disclose PHI unless permitted under the Privacy Rule or by written authorization from the subject of the information.
Covered entities must disclose PHI to the individual when they request access to their own records, and to HHS when it is conducting a compliance investigation, review, or enforcement action.
Permitted Uses and Disclosures
Covered entities can use or disclose PHI without prior authorization from the patient for their own treatment, payment, and health care operations activities. They are always allowed to share PHI with the individual. The Privacy Rule also makes exceptions for disclosure in the interest of the public, such as in cases required by law, or for public health.
HIPAA Rule 2: The Security Rule
The HIPAA Security Rule establishes standards for protecting the electronic PHI (ePHI) that a covered entity creates, uses, receives, or maintains. While the Privacy Rule governs the privacy and confidentiality of all PHI, including oral, paper, and electronic, the Security Rule focuses on guidelines specific to securing electronic data.
A key goal of the Security Rule is to protect individuals’ private health information while still allowing covered entities to innovate and adopt new technologies that improve the quality and efficiency of patient care.
The Security Rule considers flexibility, scalability, and technological neutrality. This means there are no specific requirements for the types of technology covered entities must use. Instead, covered entities can use any security measures that allow them to implement the standards appropriately. It is up to the covered entity to decide which security measures and technologies are best for its organization.
Under the Security Rule, covered entities must:
- Ensure the confidentiality, integrity, and availability of the ePHI they receive, maintain, create or transmit.
- Identify and protect against threats to the security or integrity of the information.
- Reasonably protect against impermissible uses or disclosures.
- Ensure compliance by their workforce.
The Security Rule covers three main areas of security: administrative, physical, and technical.
Administrative safeguards are administrative actions, policies, and procedures that develop and manage security measures that protect ePHI.
Administrative safeguards make up more than half of the Security Rule regulations and lay the foundation for compliance.
Covered entities must implement the following administrative safeguards:
- Conduct thorough security management and risk analysis.
- Assign a privacy officer.
- Manage workforce security.
- Manage information access.
- Conduct HIPAA security training.
- Establish security incident procedures.
- Develop contingency plans.
- Obtain proper contract agreements with business associates.
- Evaluate security safeguards regularly.
HIPAA physical safeguards are any physical measures, policies, and procedures used to protect a covered entity’s electronic information systems from damage or unauthorized intrusion—including the protection of buildings and equipment.
In other words, HIPAA rules require covered entities to consider and apply safeguards to protect physical access to ePHI.
HIPAA physical safeguard requirements include:
- Facility access controls. Ensure that only authorized users can access your facilities by implementing contingency operations, facility security plans, access control and validation procedures, and maintenance records. This might include controlling building access through photo ID cards and locking offices or storage files with ePHI.
- Workstation use and security. Implement policies and procedures to standardize functions that are performed and the physical setup to protect ePHI. This includes setting parameters on access and storage for ePHI on mobile devices, properly arranging the physical workspace (e.g., can unauthorized people see information on the screen?), and limiting what information is stored on station devices.
- Devices and media controls. Establish policies for receiving and handling devices with ePHI stored on them and moving these items within the facility. This includes procedures for proper disposal of data, as well as backup and storage policies.
Under the Security Rule, technical safeguards apply to the technology itself, as well as the policies and procedures that govern its use, protect its electronic protected health information, and control access to it.
Technical safeguards include:
- Access control. Grant access only to those with permission.
- Audit controls. Implement a system to monitor, record, and review all activity.
- Integrity. Ensure ePHI has not been altered or destroyed improperly.
- Person or entity authentication. Confirm user identity before granting access.
- Transmission security. Protect ePHI while it is transmitted over electronic networks, for example through encryption.
Together, these safeguards help covered entities provide comprehensive, standardized security for all ePHI they handle.
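The technical safeguards above are categories, not implementations. The following added example (not code from the article or from StrongDM) shows how three of them fit together in a minimal form: a role-to-field permission table enforcing minimum-necessary access control, an audit control that records every allow and deny decision, and an integrity mechanism (a SHA-256 hash chain over the log) that detects after-the-fact edits. The role names, the permitted fields, and the patient record are constructed assumptions; person or entity authentication is assumed to have happened upstream, so the caller passes an already-authenticated user name.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed role -> permitted ePHI fields table ("minimum necessary").
# These roles and fields are illustrative assumptions, not a HIPAA-defined list.
ROLE_PERMISSIONS = {
    "physician": {"diagnoses", "prescriptions", "procedures"},
    "billing": {"procedures"},
    "receptionist": set(),
}

# Constructed sample record for a fictitious patient.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "diagnoses": ["hypertension"],
    "prescriptions": ["lisinopril 10mg"],
    "procedures": ["99213 office visit"],
}


class AuditLog:
    """Append-only, hash-chained audit log (audit controls + integrity).

    Each entry's digest covers the previous entry's digest and the event body,
    so altering or deleting any earlier entry breaks verification.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        digest = self._digest(prev, event)
        self.entries.append({"event": event, "prev": prev, "digest": digest})
        return digest

    def verify(self):
        """Return True only if every link in the chain still matches."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def access_ephi(log, user, role, field, record, when=None):
    """Access-control check; the decision (allow or deny) is always logged.

    `user` is assumed to be an already-authenticated identity.
    """
    allowed = field in ROLE_PERMISSIONS.get(role, set())
    log.append({
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "role": role,
        "patient_id": record["patient_id"],
        "field": field,
        "decision": "allow" if allowed else "deny",
    })
    if not allowed:
        raise PermissionError(f"{role} may not read {field}")
    return record[field]


def demo():
    """Exercise the controls; returns (value_read, denied, chain_ok, tampered_chain_ok)."""
    log = AuditLog()
    value = access_ephi(log, "dr.smith", "physician", "diagnoses", SAMPLE_RECORD)
    try:
        access_ephi(log, "clerk1", "billing", "diagnoses", SAMPLE_RECORD)
        denied = False
    except PermissionError:
        denied = True
    chain_ok = log.verify()
    # Simulate someone rewriting the recorded denial into an approval after the fact.
    log.entries[1]["event"]["decision"] = "allow"
    tampered_chain_ok = log.verify()
    return value, denied, chain_ok, tampered_chain_ok


if __name__ == "__main__":
    print(demo())
```

In a real deployment the chain head would be anchored somewhere the application cannot write (a write-once store or a separate logging system) so that the whole log cannot simply be regenerated; the point here is that a reviewer can detect that an entry was changed, which is what the integrity safeguard asks for.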
HIPAA Rule 3: The Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification of a breach involving unsecured PHI. A breach is any impermissible use or disclosure of PHI under the Privacy and Security Rules.
If a potential breach occurs, the organization must conduct a risk assessment to determine the scope and impact of the incident—and confirm whether it falls under the notification requirement.
The risk assessment should be based on the following factors:
- The nature and extent of the PHI involved
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually obtained or viewed
- The extent to which the risk to the PHI has been mitigated
A covered entity is required to make a notification unless it can demonstrate a low probability that PHI was compromised. Breach notifications include individual notice, media notice, and notice to the Secretary.
Following a breach, the organization must notify all impacted individuals. The notice must include a description of the breach and the types of information involved, what steps individuals should take to protect themselves from potential harm, and what the covered entity is doing to investigate and address the breach.
Covered entities must also notify the media—typically through a press release to local or regional outlets—if the breach affects 500 or more residents of a state or jurisdiction. The notice must include the same information as the notice to individuals and must be issued promptly, no later than 60 days following the discovery of the breach.
Notice to the Secretary
Covered entities are required to notify the Secretary of Health and Human Services whenever a breach occurs. If the breach affects fewer than 500 individuals, the covered entity must notify the Secretary within 60 days of the end of the calendar year in which the breach was discovered.
If the breach affects 500 or more individuals, the covered entity must notify the Secretary within 60 days from the discovery of the breach.
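To make the notification thresholds concrete, here is an added example (not from the article or from StrongDM) that turns the rules above into a deadline calculator: individual notice for every notifiable breach, media notice for each state or jurisdiction with 500 or more affected residents, and notice to the Secretary either within 60 days of discovery (500 or more individuals in total) or within 60 days after the end of the calendar year of discovery (fewer than 500). The per-state counts are constructed inputs. The article gives no deadline for the individual notice; the 60-day window used for it below comes from 45 CFR 164.404 and is noted as such in the code.

```python
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)  # "no later than 60 days", as stated in the article
LARGE_BREACH = 500                  # the article's 500-individual threshold


def notification_obligations(discovered, affected_by_state, low_probability_of_compromise=False):
    """Return the notices owed for a breach and their latest dates.

    discovered: date the breach was discovered.
    affected_by_state: dict of state/jurisdiction -> number of affected residents
        (constructed input for this example).
    low_probability_of_compromise: True only if the risk assessment documented
        a low probability that PHI was compromised, in which case no notice is owed.
    """
    if low_probability_of_compromise:
        return {"notifiable": False}

    total = sum(affected_by_state.values())
    by_discovery = discovered + NOTICE_WINDOW

    # Media notice is assessed per state or jurisdiction, not on the total.
    media = [
        {"jurisdiction": state, "deadline": by_discovery}
        for state, count in sorted(affected_by_state.items())
        if count >= LARGE_BREACH
    ]

    # Notice to the Secretary is assessed on the total number of individuals.
    if total >= LARGE_BREACH:
        secretary = {"basis": "within 60 days of discovery", "deadline": by_discovery}
    else:
        year_end = date(discovered.year, 12, 31)
        secretary = {"basis": "within 60 days of calendar year end", "deadline": year_end + NOTICE_WINDOW}

    return {
        "notifiable": True,
        "total_affected": total,
        # Deadline per 45 CFR 164.404; the article states the requirement but not the window.
        "individual_notice": {"deadline": by_discovery},
        "media_notice": media,
        "secretary_notice": secretary,
    }


if __name__ == "__main__":
    # Constructed scenario: 700 Californians and 40 Nevadans affected, discovered 15 March 2024.
    print(notification_obligations(date(2024, 3, 15), {"CA": 700, "NV": 40}))
    # Constructed small breach: 120 individuals in one state.
    print(notification_obligations(date(2024, 3, 15), {"CA": 120}))
```

Note the two different counting bases: a breach of 300 residents in each of three states owes Secretary notice within 60 days (900 individuals in total) but no media notice in any single state, whereas 700 residents of one state triggers both. The calculator also treats the "low probability of compromise" finding as an explicit input rather than something it infers, because that determination comes from the four-factor risk assessment, not from the head count.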
StrongDM Makes Following HIPAA Rules Easy
The three Rules of HIPAA represent a cornerstone regulation that protects the healthcare industry—and consumers—from fraud, identity theft, and violation of privacy.
Through privacy, security, and notification standards, HIPAA regulations:
- Improve standardization and efficiency across the industry.
- Strengthen data security among covered entities.
- Deliver better access control across networks.
- Provide greater transparency and accountability to patients.
Failure to comply with HIPAA regulations can lead to costly penalties and even criminal liability. That’s why it’s important to rely on comprehensive solutions like StrongDM to ensure end-to-end compliance across your network.
StrongDM enables automated evidence collection for HIPAA, SOC 2, SOX, and ISO 27001 audits so you can ensure compliance at every level.
Easily configure your Kubernetes, databases, and other technical infrastructure with granular, least-privileged access based on roles, attributes, or just-in-time approvals for resources. Then capture and record all sessions across your entire stack—so you have full visibility into your risk landscape and can implement compliance standards every step of the way.
Want to simplify your HIPAA Compliance? Try a 14-day free trial of StrongDM today.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.