What Are the 5 HIPAA Rules? A Simple Guide

Written by Form Vessel | Jan 12, 2026 9:13:47 PM
Key Takeaway

HIPAA isn’t one single rule. It’s a set of related rules that work together to protect patient information, guide how it’s secured, define what happens when something goes wrong, and establish accountability for organizations that handle health data. Understanding these core rules at a high level makes HIPAA feel less intimidating and helps you focus on what actually matters for your organization, rather than getting lost in legal language or edge cases.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Always consult a qualified attorney or compliance professional when interpreting HIPAA regulations.

HIPAA documentation can be daunting. If you’re tasked with jumping into a specific section to break it down and apply it, it’s easy to get overwhelmed by the highly technical language and dense definitions. This leads to a situation where HIPAA becomes a source of anxiety. It’s always looming in the background, and it’s hard to tell if you’re truly covered.

However, HIPAA doesn’t have to be so unapproachable. It can help to take a step back and look at the big picture. Understanding what HIPAA is and how it is structured makes it easier to navigate. This post gives a brief history of HIPAA and a plain English overview of the rules and standards it creates.

What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act. HIPAA does a few important things, but it’s best known for protecting patient privacy by setting rules for how healthcare organizations handle protected health information (PHI).

HIPAA was passed in 1996, and the requirements most people associate with HIPAA were added over time through additional rules and updates. Compliance with the Privacy Rule was required starting in 2003, and with the Security Rule in 2005. The Enforcement Rule took effect in 2006.

Later, HHS added breach notification requirements through an interim final rule published in 2009 to implement the HITECH Act, and the Omnibus Rule was published in 2013.

While each update focused on a different part of compliance, they all moved toward stronger protections for patients and clearer expectations for organizations. Compliance matters because patients should be able to trust that their providers handle sensitive information with care, and violations can be costly.

Note: The dates mentioned above refer to the compliance deadlines set by HHS for most covered entities. In some cases, the deadlines may have been earlier or later depending on the type of entity.

A Quick Overview

The HIPAA Privacy Rule

The HIPAA Privacy Rule is where most people’s understanding of HIPAA starts. This rule is about who can use protected health information, how they can use it, and when it can be shared.

The Privacy Rule applies to covered entities like healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates that handle PHI. It sets boundaries around the use and disclosure of PHI so that information is shared only for treatment, payment, or healthcare operations, for another purpose the rule specifically permits, or with the patient’s written authorization.

A key idea in the Privacy Rule is the minimum necessary standard. It says that organizations should only access, use, or share the PHI that is needed to get a specific job done. Just because someone can access information doesn’t mean they should. (One notable exception: the minimum necessary standard does not apply to disclosures to, or requests by, a healthcare provider for treatment.)

Example: A web design agency with admin permissions on a provider’s website may be able to read the intake form submissions hosted there. A web designer almost never needs an individual’s health information to do that job, so the agency should not have access to submission contents, even if the platform would technically allow it.

The Privacy Rule also gives patients the right to request copies of their records, ask for corrections, receive notices explaining how their information is used, and get an accounting of certain disclosures. These rights are a big part of giving control back to patients.

The HIPAA Security Rule

If the Privacy Rule explains what needs to be protected, the Security Rule focuses on how that protection should happen with electronic protected health information (ePHI).

The Security Rule requires organizations to implement administrative, physical, and technical safeguards. Rather than requiring an exact solution, HIPAA uses a flexible approach. Organizations are expected to assess their own risks and implement reasonable and appropriate protections based on their size, complexity, and resources. Each safeguard is broken into implementation specifications that are either required or addressable. An addressable specification (encryption is a common example) is not optional: the organization must implement it, implement an equivalent alternative, or document why it is not reasonable and appropriate in its environment.

Example: It might be reasonable for a large hospital to have extensive security controls that include RFID access cards, monitored entry logs, and even dedicated security staff. However, a solo practitioner with no support staff would not reasonably be expected to have the same protections, though they would still be expected to document the decisions they made.

Administrative safeguards cover the policies and processes behind the scenes. This includes things like risk assessments, workforce training, incident response plans, and regular reviews of security practices.

Physical safeguards focus on preventing unauthorized physical access to systems with sensitive information. That can mean locked offices, monitored sign-in sheets, barriers to prevent accidental viewing, and clear procedures for disposing of hardware and media.

Technical safeguards address how systems protect data electronically. The Security Rule’s technical standards are access control, audit controls, integrity, person or entity authentication, and transmission security, with encryption as an addressable specification under several of them. Together they help ensure that only authorized users can access ePHI, that ePHI cannot be altered or destroyed without being noticed, and that user activity can be tracked and reviewed.
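Here is an added illustration of how the minimum necessary standard from the web-agency example above and the technical safeguards just described (access control plus audit controls) fit together in code. It is not Form Vessel code and assumes a simple in-memory store; the roles, field names, and sample submission are constructed for the example. Each role can perform only the submission actions its job needs, each action exposes only the fields that job needs, and every attempt, allowed or denied, is written to a hash-chained audit log so that later review can tell whether the log itself was altered.

```python
"""Minimum-necessary access to intake-form submissions with a tamper-evident audit log.

Added illustration (not Form Vessel code). Roles, field names and the sample
submission are hypothetical and constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json


class AccessDenied(PermissionError):
    """Raised when a role has no permission for the requested action."""


# Permission matrix: role -> the (resource, action) pairs that role may perform.
# The agency's site_admin role can manage the site and see how many submissions
# exist, but it has no action that reveals submission contents.
PERMISSIONS = {
    "site_admin": {("site_settings", "edit"), ("submission", "count")},
    "intake_nurse": {("submission", "read")},
    "billing": {("submission", "read_billing")},
}

# Minimum necessary: each read action returns only the fields that job needs.
FIELD_SCOPE = {
    "read": {"patient_name", "date_of_birth", "reason_for_visit", "insurance_id"},
    "read_billing": {"patient_name", "insurance_id"},
}


def _chain_hash(previous_hash: str, entry: dict) -> str:
    """SHA-256 of this entry bound to the previous entry's hash."""
    payload = previous_hash + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class SubmissionStore:
    submissions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, user, role, action, target, outcome):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "target": target, "outcome": outcome,
        }
        previous = self.audit_log[-1]["hash"] if self.audit_log else ""
        entry["hash"] = _chain_hash(previous, entry)  # hash computed before the key is added
        self.audit_log.append(entry)

    def access(self, user, role, action, submission_id=None):
        """Perform `action` on submissions as `user` holding `role`; log every attempt."""
        if ("submission", action) not in PERMISSIONS.get(role, set()):
            self._audit(user, role, action, submission_id, "denied")
            raise AccessDenied(f"role {role!r} may not {action!r} submissions")
        if action == "count":
            self._audit(user, role, action, None, "allowed")
            return len(self.submissions)
        record = self.submissions[submission_id]
        view = {k: v for k, v in record.items() if k in FIELD_SCOPE[action]}
        self._audit(user, role, action, submission_id, "allowed")
        return view

    def verify_audit_log(self) -> bool:
        """Recompute the hash chain; False if any entry was altered or removed."""
        previous = ""
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if _chain_hash(previous, body) != entry["hash"]:
                return False
            previous = entry["hash"]
        return True


def build_sample_store() -> SubmissionStore:
    """Constructed sample data, not a real patient record."""
    store = SubmissionStore()
    store.submissions["sub-001"] = {
        "patient_name": "Sample Patient", "date_of_birth": "1980-01-01",
        "reason_for_visit": "follow-up", "insurance_id": "INS-000001",
        "ip_address": "192.0.2.10",  # never returned: no action's scope includes it
    }
    return store


def demo() -> dict:
    """Nurse, billing, and an agency site admin each try to use the store."""
    store = build_sample_store()
    results = {
        "nurse": store.access("nurse1", "intake_nurse", "read", "sub-001"),
        "billing": store.access("billing1", "billing", "read_billing", "sub-001"),
        "admin_count": store.access("agency1", "site_admin", "count"),
    }
    try:
        store.access("agency1", "site_admin", "read", "sub-001")
        results["admin_read"] = "allowed"
    except AccessDenied:
        results["admin_read"] = "denied"
    results["log_intact"] = store.verify_audit_log()
    store.audit_log[-1]["outcome"] = "allowed"  # simulate someone editing the log
    results["log_after_tamper"] = store.verify_audit_log()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the example is the shape, not the specific roles: permissions are granted per action rather than per person, the data returned is filtered to the action’s scope rather than the whole record, and denials are logged just like successes, because a pattern of denied reads is exactly what a security review wants to see. In a real deployment the log would be written to append-only storage outside the reach of the users it records.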

The HIPAA Breach Notification Rule

The Breach Notification Rule covers what must happen when unsecured protected health information is breached. Simply put, it says that individuals have the right to know when their data has been involved in a breach.

This rule sets requirements for notifying affected individuals, HHS, and in some cases the media (when a breach affects more than 500 residents of a state or jurisdiction). Notifications must go out without unreasonable delay and no later than 60 calendar days after the breach is discovered, and they must include specific information, such as what happened, what data was involved, and what steps individuals can take to protect themselves.

Not every incident automatically counts as a reportable breach. An impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless the organization can show, through a documented risk assessment, that there is a low probability the PHI was compromised. That assessment looks at the nature and extent of the PHI involved, who received or accessed it, whether it was actually acquired or viewed, and how far the risk has been mitigated. PHI that was secured in line with HHS guidance (for example, encrypted so that a stolen device or file is unreadable) falls outside the notification requirements altogether. When notification is required, delays or incomplete disclosures can lead to serious consequences.

Example: An incident is separate from a breach in HIPAA terminology. A cyberattack on a covered entity’s systems should trigger an incident response plan. However, if the response team can document, using the risk assessment above, that there is a low probability that unsecured PHI was compromised, a notification is not required. That documentation must be kept, because the burden of proof is on the organization.

The Breach Notification Rule is about transparency. It ensures that organizations can’t sweep incidents under the rug and that patients are kept informed when their information is at risk.

The HIPAA Enforcement Rule

The Enforcement Rule establishes how HIPAA is enforced, who enforces it, and what happens when organizations don’t comply.

This rule gives HHS, through its Office for Civil Rights (OCR), the power to investigate complaints, conduct audits, and impose penalties. Since HITECH, state attorneys general can also bring HIPAA actions. The rule lays out tiers of penalties based on the level of culpability: violations the organization did not know about and could not reasonably have known about, violations due to reasonable cause, violations due to willful neglect that are corrected within 30 days, and violations due to willful neglect that are not corrected.

Example: HIPAA is about reducing the risk of breaches, not eliminating them (that would be impossible), and a breach is not automatically a violation. What the tiers reward is how an organization behaves once a problem is known. A gap caused by willful neglect that is found and corrected within 30 days of the organization knowing about it falls in a lower penalty tier than the same gap left uncorrected, and the size of a breach, the harm it caused, and the organization’s history and cooperation are all factors HHS weighs.

Enforcement is not only about punishment. Investigations often result in corrective action plans that require organizations to fix compliance gaps, update policies, train staff, and demonstrate improvement.

The Enforcement Rule is what makes HIPAA more than guidance. Organizations are expected to take compliance seriously and be able to show, with documentation, the steps they take to protect patient information.

The HIPAA Omnibus Rule

The Omnibus Rule did not create an entirely new rule. Instead, it was a major update that implemented changes required by the HITECH Act and strengthened HIPAA across the board.

One of the biggest changes was expanding liability to business associates. After the Omnibus Rule, business associates (and their subcontractors) became directly responsible for complying with the Security Rule and with certain Privacy Rule requirements.

Example: Before the Omnibus Rule, business associates were bound only by their contracts with covered entities and were not directly answerable to HHS. Now the same penalty structure that applies to covered entities also applies to business associates.

The Omnibus Rule also tightened breach standards: it replaced the earlier “significant risk of harm” test with the presumption that any impermissible use or disclosure is a breach unless a low probability of compromise can be demonstrated. It strengthened enforcement provisions and enhanced patient rights by improving access to records, giving patients the right to restrict disclosures to their health plan when they pay for a service out of pocket, and clarifying how information can be used for marketing and fundraising.

Overall, the Omnibus Rule closed gaps that developed as healthcare technology evolved. It made HIPAA more relevant to modern workflows and reinforced the responsibility of protecting patient information.

Next Steps For Your Organization

Now that you understand more about what the HIPAA rules do, you are better equipped to work toward your compliance goals. The first step is identifying your organization’s needs. If you are managing compliance for a larger organization, or there is a lot of complexity involved in bringing your safeguards up to speed, it can be helpful to seek help from a dedicated compliance professional.

If the requirements are less extensive, start by tackling your biggest needs first. HIPAA is about protecting the workflows that involve PHI. Map out every place PHI enters, moves through, and leaves your organization (intake forms, email, billing systems, vendors), identify which policies, procedures, and systems are the most exposed, and work to bring them in line with HIPAA’s standards. That map doubles as the starting point for the risk analysis the Security Rule requires.

HIPAA may seem scary, but starting small and working efficiently makes it much more manageable. You will never eliminate the risk of a PHI breach, but you can remain diligent and ensure that your organization is implementing, and documenting, reasonable and appropriate safeguards for its specific situation.