What Are the 3 Rules of HIPAA? Understanding HIPAA Compliance

The Office for Civil Rights (OCR) has issued nearly $6 million in fines for HIPAA non-compliance in 2024. However, for many healthcare cybersecurity teams the regulations are highly complex, and the “three rules” of HIPAA are still unclear, making a violation far more likely.

So, what are the 3 rules of HIPAA? And how can you ensure your organization is compliant with them? 

The following article answers these questions in plain language, based on 20 years of industry expertise. 

HIPAA – An Overview 

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that sets national standards for the protection of sensitive patient health information. It is a vital part of any cybersecurity strategy due to: 

  • Increased Public Scrutiny: Patients are more concerned about the privacy of their healthcare data than ever, with 75% expressing fears over its protection in a recent survey. As a result, a failure to comply with HIPAA and keep sensitive information secure leads to serious reputational damage and often higher patient churn. 
  • Financial Penalties: Data breaches can lead to eye-watering fines from the OCR, especially if they deem your organization to have willfully ignored HIPAA requirements. This article explains the full scope of these penalties and how they are determined. 
  • Legal Fallout: Non-compliance with HIPAA can even lead to jail time for the individuals responsible, with a maximum sentence of ten years. 

Who Does HIPAA Apply to? 

HIPAA applies to two categories of healthcare organizations: 

1. Covered Entities

HIPAA defines a “covered entity” as any organization or individual that electronically transmits health information in connection with transactions for which the U.S. Department of Health and Human Services (HHS) has adopted standards. 

This includes: 

  • Healthcare Providers: Such as hospitals, psychologists, and dentists
  • Health Plans: Such as insurance companies and health maintenance organizations (HMOs)
  • Healthcare Clearinghouses: Such as billing services and repricing companies

2. Business Associates

These are individuals or entities that work with a covered entity in a way that involves the use or disclosure of protected health information (PHI). Examples include: 

  • Third-party administrators: This includes any organization that provides administrative services to a covered entity, such as claims processors and pharmacy benefit managers (PBMs). 
  • External auditors: This includes any organization that audits covered entities for cybersecurity, clinical trials, or financial compliance. 
  • Technology vendors: This ranges from electronic health record (EHR) software to telehealth providers. 

How Did HIPAA Lead to the “Three Rules”? 

HIPAA was signed into law on August 21, 1996. According to the National Library of Medicine, the legislation had two primary goals:

  1. To make healthcare delivery more efficient
  2. To increase the number of Americans who have health insurance coverage 

These goals required three sets of provisions: 

1. Portability Provisions 

HIPAA’s portability provisions granted individuals a series of rights that made it easier to maintain health insurance coverage when moving between providers or switching jobs, as well as guaranteeing insurance for employees with pre-existing conditions. 

The goal was to eliminate flaws in the existing system, such as “job lock,” where employees stayed in jobs they did not enjoy out of fear of losing their medical coverage. Most of these provisions came into effect within a year of HIPAA’s enactment.

2. Tax Provisions 

The portability provisions led to significant cost increases for insurers, and it was feared that these costs would be passed onto plan members or employers through increased premiums or deductibles. As a result, HIPAA’s tax provisions established a series of changes to the way health insurance was taxed to avoid such possibilities. 

The law popularized medical savings accounts (MSAs), which are tax-advantaged accounts designed to help individuals save for medical expenses. The provisions also expanded the tax deductibility of health insurance premiums for small business owners and the self-employed. The majority of these measures came into effect as soon as HIPAA passed into law, with Health Savings Accounts (HSAs) introduced in 2003 to offer tax advantages specifically to individuals enrolled in high-deductible private insurance plans.

3. Administrative Provisions 

The portability and tax provisions could have created a serious headache for insurers, plan members and employers – which is why HIPAA also introduced administrative provisions to simplify eligibility checks, authorizations, remittances, and payments.  

However, there were also growing concerns around the privacy and security of healthcare data – which led to the creation of what is now known within cybersecurity communities as the “three rules of HIPAA.” 

The Three Rules of HIPAA 

Personally Identifiable Information (PII) and protected health information (PHI) are highly sensitive, and there is a large black market for them. Equally, digitization meant that healthcare organizations increasingly transmitted this information electronically – and there were very few protections in place to ensure it did not fall into the wrong hands. 

Lawmakers knew this risk would only become more prevalent: research papers published in 1996 were already proposing solutions to the question of how electronic health information should be secured, and who should be responsible for securing it. The three primary rules of HIPAA sought to resolve these issues by laying out clear requirements across multiple areas:

The Privacy Rule 

The HIPAA Privacy Rule sets national standards for the protection of individuals’ medical records and other PHI. It was published in 2002 and is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Its stated aim is to ensure that individuals’ health information is properly protected while still allowing the flow of health information needed to provide and promote high-quality healthcare and to protect public health.

A few key factors all healthcare professionals should be aware of include: 

  • Permitted Uses and Disclosures: The Privacy Rule specifies the circumstances under which PHI may be used and disclosed without patient authorization. These include disclosures for treatment, payment, and healthcare operations, as well as certain public interest and benefit activities, such as public health reporting and law enforcement purposes.
  • Administrative Requirements: The Privacy Rule outlines administrative, technical, and physical safeguards that covered entities must implement to protect the privacy of PHI. They are also required to train their workforce on privacy policies and procedures, designate a privacy officer, and establish complaint mechanisms. 
  • Patient Rights: The Privacy Rule grants individuals several rights regarding their PHI. These rights include the right to access and obtain a copy of their health records, request corrections to their information, receive an accounting of disclosures, and request restrictions on certain uses and disclosures of their information. Patients also have the right to receive confidential communications and to file complaints regarding Privacy Rule violations. 

The Security Rule 

The HIPAA Security Rule expands upon the Privacy Rule by establishing national standards specifically for the protection of electronic PHI (ePHI). It was published in 2003 and requires health plans, healthcare clearinghouses, and all other covered entities to:

  1. Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information; 
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and 
  4. Ensure compliance by their workforce. 

The Security Rule has three main components: 

  1. Physical Safeguards: Physical measures intended to prevent unauthorized access to ePHI, such as limiting access to workstations and implementing guidelines for the safe disposal of hardware that has held ePHI
  2. Administrative Safeguards: Administrative policies and procedures designed to protect ePHI, such as workforce training and contingency planning
  3. Technical Safeguards: Guidelines to ensure the IT hardware and software within an organization align with HIPAA requirements and protect ePHI

Given the evolving nature of healthcare technology, the Security Rule has proven to be a major challenge for healthcare organizations. The adoption rate of basic electronic health records (EHRs) grew from 6.6% to 81.2% between 2009 and 2020; such rapid adoption makes compliance more daunting, as expert teams may not be in place to manage the Security Rule’s full range of requirements. 

Ultimately, the OCR has received more than 361,498 HIPAA complaints and has initiated more than 1,188 compliance reviews since 2003, and recent announcements suggest that such non-compliance will lead to a higher volume of fines in the future.

The Breach Notification Rule 

The HIPAA Breach Notification Rule establishes clear responsibilities for covered entities and business associates when a data breach takes place. In this context, a breach is defined as any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule, unless the organization can demonstrate there is a low probability that the PHI has been compromised.

The rule requires covered entities to notify: 

  • Individuals: Any individual affected must be notified without unreasonable delay and in no case later than 60 days after the breach is discovered. The notification must include clear information about how the breach took place and what the individual can do to protect themselves, as well as what steps the covered entity is taking to mitigate the impact of the breach. 
  • The HHS: Covered entities must also notify the HHS Secretary when a breach affects unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals. Any breach affecting 500 or more people must be reported to the HHS.
  • The Media: If a breach affects more than 500 residents of a state, the covered entity is required to alert media outlets within the affected area. This must be done within the same timeframe as affected individuals are notified.  

The Breach Notification Rule also requires business associates to notify the covered entity when a breach of unsecured PHI occurs. This notification must include the identity of every affected individual, as well as any further information that will help the covered entity mitigate the impact of the breach. 

Importance of HIPAA Compliance 

Now that we understand what the three HIPAA Rules are, we can look at how they work in combination to offer healthcare organizations a range of benefits: 

Protecting Patient Privacy 

Patient privacy is a clear moral imperative for any healthcare organization. Not only is privacy an intrinsic part of human dignity and liberty, but it is also essential to maintain trust in healthcare institutions and protect patients’ faith in physician-patient privilege. This is reflected in research that shows 92% of patients believe data privacy is a basic right, and 80% want to be able to opt out of sharing their health data with companies.  

The HIPAA rules support stronger patient privacy in a few ways: 

  • The Privacy Rule sets robust limits on the use and disclosure of PHI without patient authorization, ensuring that patient information is only shared for specific purposes such as treatment, payment, or healthcare operations, or with the patient’s consent. It also enforces the principle that only the minimum necessary PHI should be used or disclosed for a given purpose. 
  • The Security Rule ensures that organizations establish robust controls over access to ePHI and the ways in which it is transmitted.  

As a result, HIPAA compliance ensures that patients have control and transparency regarding who can access their private information.  

Safeguarding Sensitive Health Information 

A data breach involving sensitive health information can put patients at risk for a variety of reasons. From identity theft used to obtain expensive medical services to targeted advertising based on private medical diagnoses, these breaches can cause significant distress and harm to individuals. 

The three rules of HIPAA are designed to safeguard patients’ data. A few examples include: 

  • Proper Disposal: Hardware that contains ePHI might be sent to a scrapheap, and the data might still be recoverable. But the physical safeguards of the HIPAA Security Rule create requirements for the safe disposal of such machinery. 
  • Integrity Controls: The HIPAA Security Rule also ensures ePHI is not altered by unauthorized individuals, which ensures it is not tampered with for malicious purposes. Equally, the HIPAA Privacy Rule ensures patients have the right to correct information at any time. 
  • Extra Protections: Particularly sensitive information, such as psychotherapy notes, has extra protections. The Privacy Rule requires an organization to obtain the patient’s consent before using such documentation for any reason at all.

Preventing Unauthorized Access and Breaches 

Healthcare data breaches range wildly in scope, from one incident that affected the ePHI of 3,000,000 patients to an employee accidentally looking at a single patient file without proper authorization. However, both are considered breaches in the eyes of HIPAA, and the regulations provide protections that help reduce the likelihood and mitigate the impact of any such breach occurring. 

The three rules of HIPAA provide a wide range of protections against unauthorized access and data breaches, including: 

  • Risk Assessments: The Security Rule requires ongoing risk assessments to identify possible vulnerabilities that could lead to a breach. Equally, the Breach Notification Rule requires a risk assessment to be run and reported after any data breach. 
  • Employee Training: Roughly a quarter of breaches are the result of unauthorized access by staff. The Security Rule’s administrative safeguards state that any covered entity must implement a security awareness and training program for all members of its workforce, including management.
  • Incident Response Planning: The Security Rule requires organizations to have well-documented incident response procedures in place. 

Conclusion: The Three Rules of HIPAA Ensure Trust and Confidence in Healthcare Providers 

The three rules of HIPAA work in tandem to cover a wide range of potential risks to patient privacy, safety and well-being. Compliance is, therefore, not just a “checkbox” exercise – it is a vital step to ensuring patients’ trust and confidence in the healthcare sector as a whole.   


About the Author

Cortney Morgan

Cortney Morgan is the Product Manager for Intraprise Health's HIPAA One ™ platform, where she leads the development of advanced privacy and security solutions tailored to meet the regulatory demands of the healthcare industry. Since joining Intraprise Health in 2016, Cortney has leveraged her expertise in security regulations, policy development, and HIPAA compliance to drive initiatives that protect organizations from regulatory risks. Her in-depth knowledge of frameworks like the NIST Cybersecurity Framework ensures compliance and operational efficiency.