Back to the Basics: What is the HIPAA Privacy Rule?

As of November 2022, the Office for Civil Rights (OCR) has settled 126 cases of HIPAA violations for over $133 million. 

Complying with the HIPAA Privacy Rule is a critical, ever-evolving piece of healthcare and patient privacy. A breach of HIPAA can – and often does – result in costly fines and reputational damage.  

To understand why HIPAA matters more than ever, it’s important to know how the HIPAA Privacy Rule came to be, who it applies to, what it protects, and what happens when it’s violated. 

Read on for an overview of the HIPAA Privacy Rule and how you can ensure that your organization remains HIPAA compliant. 


A Brief History of the HIPAA Privacy Rule

According to the U.S. Department of Health and Human Services (HHS), the Standards for Privacy of Individually Identifiable Health Information, also known as the
HIPAA Privacy Rule, “establishes, for the first time, a set of national standards for the protection of certain health information.” It also gives patients the right to their own health information. 

The first iteration of the HIPAA Privacy Rule was enacted in August 1996, as a provision of the Health Insurance Portability and Accountability Act (HIPAA). In 1999, HHS began to flesh out the Privacy Rule and issued a final version in 2002. 

The Privacy Rule has seen several modifications throughout the years since, and was last updated in 2021. The goal of these changes is to better protect the sensitive health information of individual patients. 


What Information is Protected Under the HIPAA Privacy Rule?

Any medical information that can be used to identify an individual patient is protected under the HIPAA Privacy Rule. HIPAA refers to this as “protected health information” (PHI), and it includes any medical records related to a patient’s past, present, or future of a patient. 

PHI may include diagnoses, treatment information, medical test results, and prescription information if these records possess a certain one or more of the 18 HIPAA identifiers, such as contact information, birth date, and ethnicity. 

The HIPAA Privacy Rule does not cover information in employment or educational records, and does not apply if there are no PHI identifiers. 


Who Does the HIPAA Privacy Rule Apply To?

The HIPAA Privacy Rule applies to any healthcare entity that possesses patient records, including health plans, healthcare clearinghouses, and certain healthcare providers that conduct certain financial transactions electronically. Even if these covered entities contract out to Business Associates (BAs), they’re still obligated by Congress to abide by the Privacy Rule.

“The HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits,” according to the HHS website. 


What Happens When the HIPAA Privacy Rule is Violated? 


The HHS Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy Rule. They determine whether a covered entity has violated the Privacy Rule by allowing unpermitted disclosure of PHI, which can result in hefty fines, criminal charges, and reputational damage. The OCR may even refer a violation to the Department of Justice (DOJ) to carry out such penalties. 

It is worth noting that while smaller businesses often think they won’t get targeted with fines, the OCR stays on top of businesses of all sizes when it comes to Privacy Rule violations. In fact, in the past 12 months, there have been over 43 settlements for Privacy Rule Right of Access cases. As Melanie Fontes Rainer, OCR director, puts it in her statement, “We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”  

Violations are identified during a risk assessment, and the consequences of the violation are dependent on a number of factors, including the nature of the violation, whether it was done knowingly, how harmful it was, the number of people impacted by it, and more.  

Employers at covered entities are obligated to provide and document HIPAA training to their employees. If an untrained employee caused a Privacy Rule violation, it’s considered the employer’s fault for not providing the mandatory training. 



The HIPAA Privacy Rule is imperative for protecting the digital, written, and oral health information of individuals, and with violations and infractions on the rise, it’s more important than ever for covered entities to take the necessary steps that
ensure full HIPAA compliance

If you want to learn more about ensuring HIPAA Privacy Rule compliance, get in touch with the experts at HIPAA One by Intraprise Health.