📜 The 5 HIPAA Rules Explained
HIPAA is implemented through five interconnected rules. Each rule addresses a different aspect of health information protection. Together, they create a comprehensive framework for privacy, security, breach notification, enforcement, and modernization. Understanding each rule is essential for a complete compliance program.
Privacy Rule
Standards for Privacy of Individually Identifiable Health Information (45 CFR Part 160 and Part 164, Subparts A and E)
🎓 In Plain English: The Privacy Rule is about WHAT information is protected and WHO can see it. It says healthcare organizations must have clear rules about when patient data can be shared, must tell patients what those rules are, and must give patients control over their own information. If you are building a database that stores patient data, the Privacy Rule dictates what data you can store, who can access it, how long you keep it, and what happens when a patient asks for their records.
The Privacy Rule establishes national standards for when, how, and to whom PHI can be used and disclosed. It applies to PHI in ALL forms — paper, electronic, and oral. It gives patients specific rights over their health information and sets limits on how covered entities can use that information. Think of it as the 'who can see what and when' rule.
Applies to: Covered Entities and, through the Omnibus Rule, Business Associates (for the provisions relevant to their functions).
Key Requirements
- ✓ Develop and distribute a Notice of Privacy Practices (NPP) to all patients
- ✓ Obtain patient authorization for uses/disclosures beyond TPO
- ✓ Apply the Minimum Necessary standard to all uses and disclosures (except treatment)
- ✓ Grant patients the right to access, amend, and receive an accounting of disclosures of their PHI
- ✓ Establish policies and procedures for PHI use and disclosure
- ✓ Appoint a Privacy Officer responsible for developing and implementing privacy policies
- ✓ Train all workforce members on privacy policies and procedures
- ✓ Implement a complaint process for patients to report privacy concerns
- ✓ Apply sanctions against workforce members who violate privacy policies
- ✓ Maintain documentation of all privacy policies for at least 6 years
Security Rule
Security Standards for the Protection of Electronic Protected Health Information (45 CFR Part 160 and Part 164, Subparts A and C)
🎓 In Plain English: The Security Rule is about HOW you protect electronic patient data. If the Privacy Rule says 'only authorized people can see this data,' the Security Rule says 'here is how you technically enforce that.' It requires three categories of safeguards: Administrative (policies, training, risk assessments — the human side), Physical (locked server rooms, screen privacy filters, device tracking — the physical side), and Technical (encryption, access controls, audit logs, firewalls — the technology side). As a database professional, the Security Rule is your primary focus area.
The Security Rule specifically addresses the protection of ePHI (electronic PHI only — not paper or oral). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. It is technology-neutral, meaning it does not mandate specific technologies but requires you to assess risks and implement reasonable and appropriate safeguards.
Applies to: Covered Entities and Business Associates that create, receive, maintain, or transmit ePHI.
Key Requirements
- ✓ Ensure the confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit
- ✓ Protect against reasonably anticipated threats or hazards to the security of ePHI
- ✓ Protect against reasonably anticipated impermissible uses or disclosures
- ✓ Ensure workforce compliance with the Security Rule
- ✓ Conduct a thorough Risk Analysis to identify threats to ePHI
- ✓ Implement a Risk Management program to reduce risks to reasonable levels
- ✓ Implement Administrative Safeguards (security management, workforce security, access management, training, incident procedures, contingency planning, evaluation)
- ✓ Implement Physical Safeguards (facility access controls, workstation use/security, device and media controls)
- ✓ Implement Technical Safeguards (access control, audit controls, integrity controls, transmission security)
Breach Notification Rule
Breach Notification for Unsecured Protected Health Information (45 CFR Part 164, Subpart D)
🎓 In Plain English: The Breach Notification Rule says 'if patient data gets exposed, you must tell people about it.' You cannot sweep a breach under the rug. You must notify affected patients within 60 days, report to the federal government, and if it is big enough (500+ people), you must even tell the local news media. The one exception is if the data was properly encrypted — encrypted data that gets lost or stolen is NOT considered a breach. This is why encryption is often called the HIPAA 'safe harbor.'
The Breach Notification Rule requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media, when there is a breach of unsecured PHI. 'Unsecured' means the PHI was not encrypted or destroyed in accordance with HHS guidance. This rule was established by the HITECH Act in 2009 and strengthened by the Omnibus Rule in 2013.
Applies to: Covered Entities and Business Associates.
Key Requirements
- ✓ Notify affected individuals within 60 days of discovering a breach
- ✓ Notify HHS within 60 days if the breach affects 500 or more individuals (immediately reported via HHS breach portal)
- ✓ Notify HHS within 60 calendar days after the end of the calendar year for breaches affecting fewer than 500 individuals (annual log submission)
- ✓ Notify prominent local media if the breach affects 500+ residents of a state or jurisdiction
- ✓ Individual notification must include: description of the breach, types of information involved, steps individuals should take, what the entity is doing to investigate and mitigate, and contact information
- ✓ Business Associates must notify the Covered Entity of breaches without unreasonable delay (no later than 60 days)
- ✓ Maintain a log of all breaches affecting fewer than 500 individuals
- ✓ Conduct a 4-factor risk assessment to determine if an impermissible use/disclosure constitutes a breach
Enforcement Rule
HIPAA Administrative Simplification: Enforcement (45 CFR Part 160, Subparts C, D, and E)
🎓 In Plain English: The Enforcement Rule is the 'what happens when you get caught' rule. It establishes how the government investigates HIPAA violations and what punishments can be imposed. Penalties range from relatively small fines for honest mistakes to millions of dollars and prison time for willful violations. The federal government investigates through OCR, and state attorneys general can also sue violators. If your client asks 'what is the worst that could happen?' — this rule has the answer.
The Enforcement Rule establishes the procedures and penalties for investigating HIPAA violations and imposing civil monetary penalties. It sets out how OCR conducts investigations, the hearing process, and the penalty tiers. It also established procedures for compliance reviews and complaint investigations.
Applies to: Covered Entities and Business Associates subject to HIPAA enforcement.
Key Requirements
- ✓ OCR can investigate complaints filed by individuals or initiate compliance reviews
- ✓ OCR must attempt to resolve violations through informal means (voluntary compliance, corrective action) before imposing penalties
- ✓ Civil monetary penalties follow a four-tiered structure based on the level of culpability
- ✓ Criminal penalties (handled by DOJ) can include fines up to $250,000 and imprisonment up to 10 years for violations committed with intent to sell or use PHI for personal gain
- ✓ State attorneys general can also bring civil actions against HIPAA violators under HITECH
- ✓ There is a 6-year statute of limitations for imposing penalties
- ✓ Covered entities and BAs must cooperate with OCR investigations and provide access to information
Omnibus Rule
Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (Final Rule, January 25, 2013)
🎓 In Plain English: The Omnibus Rule was HIPAA's major 2013 upgrade. Before this rule, Business Associates (like your cloud hosting provider) could point to the hospital and say 'that is their responsibility, not ours.' After this rule, every company that touches patient data is directly responsible under federal law. It also made breach reporting stricter — you now have to PROVE a breach did NOT happen, rather than proving it did. For consultants, this means your client's entire vendor ecosystem needs to be HIPAA compliant, not just the hospital itself.
The Omnibus Rule was a comprehensive update to HIPAA that implemented many provisions of the HITECH Act. It was the most significant update to HIPAA since the original rules. It fundamentally changed the landscape by making Business Associates directly liable, strengthening breach notification requirements, expanding patient rights, and increasing penalties.
Applies to: Covered Entities, Business Associates, and their Subcontractors.
Key Requirements
- ✓ Business Associates are now directly liable for compliance with applicable HIPAA requirements — not just through contractual obligations
- ✓ Subcontractors of Business Associates are also considered Business Associates and must comply with HIPAA
- ✓ The breach standard changed: any impermissible use/disclosure is presumed to be a breach unless a 4-factor risk assessment demonstrates a low probability of compromise
- ✓ Genetic information is now explicitly protected as PHI under HIPAA
- ✓ Patients can request electronic copies of their records when records are maintained electronically
- ✓ Patients can request that PHI NOT be disclosed to their health plan when they pay out of pocket in full
- ✓ Marketing and fundraising communications using PHI require explicit patient authorization
- ✓ Sale of PHI requires patient authorization (with limited exceptions)
- ✓ Notice of Privacy Practices must be updated to reflect new patient rights and breach notification practices
- ✓ Penalties were increased to the current four-tier structure with annual maximum caps