The HIPAA Privacy Rule establishes standards to protect individuals' medical records and personal health information. It requires implementation of appropriate safeguards for protected health information and limits on access and disclosure of data. The HIPAA Security Rule also requires technical, administrative, and physical security safeguards to protect electronic protected health information. Both rules aim to ensure privacy and security of patient health information as required by the Health Insurance Portability and Accountability Act.
Explaining the HIPAA Privacy & Security Rules
Introduction
The Health Insurance Portability and Accountability Act, also known as HIPAA, comprises several
rules that entities are expected to adhere to in order to ensure compliance. These include the HIPAA
Privacy Rule, Security Rule, Transactions and Code Sets (TCS) Rule, Unique Identifiers Rule, Breach
Notification Rule, and Omnibus Final Rule. Every Covered Entity and Business Associate that handles
sensitive PHI data and is required to be HIPAA compliant is expected to follow these rules diligently.
The prime objective of the HIPAA regulation is to protect PHI data, so every healthcare organization
and related entity must put effort into protecting PHI data, which is achieved by following the HIPAA
Rules. Among all the HIPAA rules, the Privacy and Security Rules are the most important aspects of
HIPAA law; they are its core. To elaborate on the importance of both rules and explain them in detail,
we have summarized the HIPAA Privacy and Security Rules in this article.
What are the HIPAA Rules?
HIPAA Rules are developed to ensure the protection and privacy of sensitive PHI data. Failure to
comply with these rules can result in significant penalties. For these reasons, understanding the
HIPAA rules and learning how they work is crucial. HIPAA Rules broadly include the Privacy Rule,
Security Rule, Transactions and Code Sets (TCS) Rule, Unique Identifiers Rule, Breach Notification
Rule, and Omnibus Rule, which are explained briefly below.
HIPAA Privacy Rule- The HIPAA Privacy Rule is a set of mandates developed to ensure the privacy of
all Protected Health Information (PHI). The rule defines the authorized uses and disclosures of PHI
data and also requires healthcare organizations to obtain permission from patients before
processing and disclosing their data.
HIPAA Security Rule- The HIPAA Security Rule mandates the security of PHI data in all formats, that
is, health information in electronic/digital format or in print/physical format. Unlike the HIPAA
Privacy Rule, the Security Rule provides broader protection to PHI data: it addresses the technical,
physical, and administrative aspects of protecting PHI data.
HIPAA Enforcement Rule- The HIPAA Enforcement Rule comprises the provisions governing compliance,
investigations, and the imposition of penalties for HIPAA violations. The rule, developed by the
Secretary of the US Department of Health and Human Services (HHS) and enforced by the Office for
Civil Rights (OCR), is designed to hold covered entities and business associates accountable for
violations of the rules and for breach incidents.
HIPAA Breach Notification Rule- The HIPAA Breach Notification Rule was developed to ensure that all
covered entities and business associates follow the prescribed steps in the event of a breach. The
rule requires all covered entities and business associates to notify the relevant authorities and the
affected individuals about the security breach and the potential risk or impact to the PHI data. The
rule sets out the steps to be taken to notify individuals and relevant parties so as to minimize the
impact of a breach.
HIPAA Omnibus Rule- The HIPAA Omnibus Rule is a set of requirements that comprises several
provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act and
provisions that strengthen the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.
The HHS Office for Civil Rights established this rule to strengthen the protection of PHI data.
HIPAA Transactions and Code Set Rule (TCS)- The HIPAA Transactions and Code Set Rule requires
Covered Entities to use standard formats and coding for transmitting sensitive e-PHI data. It
standardizes the processes concerning claims, referrals, eligibility requests, remittance advice, and
so on. This eliminates the use of duplicate and local codes for communications and transactions in
the industry and brings efficiency to healthcare practice.
HIPAA Unique Identifiers Rule- The HIPAA Unique Identifiers Rule requires identifiers to be defined
and standardized for Covered Entities in HIPAA transactions. In other words, the rule requires that
healthcare providers have standard national numbers that identify them on standard transactions.
The National Provider Identifier (NPI) is a unique identification number for covered healthcare
providers. Covered healthcare providers and all health plans and healthcare clearinghouses use these
NPIs in the administrative transactions adopted under HIPAA. The NPI is a 10-position,
intelligence-free numeric identifier (a 10-digit number) that carries no other information about the
healthcare provider, such as the state in which they live or their medical specialty.
Source- HHS
Explaining HIPAA Privacy & Security Rules
HIPAA Privacy Rule
The HIPAA Privacy Rule is an established standard and framework designed to protect individuals'
medical records, other identifiable health information, and personal data, which are collectively
known as "protected health information". The Privacy Rule applies to health plans, healthcare
clearinghouses, and other healthcare providers that handle PHI records in physical or electronic
format. It also applies to healthcare providers that conduct certain healthcare transactions
electronically. The Privacy Rule requires the implementation of appropriate safeguards to protect
the privacy of PHI data and sets limits on access to and disclosure of PHI data. This requires the
implementation of access controls that ensure only authorized individuals have access to the data.
The HIPAA Privacy Rule further mandates consent or permission from patients for the disclosure or
release of PHI to third parties. This requirement does not apply, however, where third parties are
involved in providing healthcare treatment, operations, or payment for services. The Rule also gives
individuals rights over their protected health information: the right to examine and obtain a copy of
their health records, and the right to direct the covered entity, or a third party with access to
their PHI data, to correct their health records in case of an error. The HIPAA Privacy Rule also
includes a 'Minimum Necessary Rule', under which healthcare workers may access and disclose only
the minimum PHI data necessary to complete their jobs.
HIPAA Security Rule
The HIPAA Security Rule includes a set of security requirements that Covered Entities and Business
Associates must implement to ensure the protection of PHI data. It sets Security Standards for the
Protection of Electronic Protected Health Information, covering health information that is held or
transferred in electronic form. Further, the Security Rule operationalizes the safeguards contained
in the Privacy Rule. The Office for Civil Rights (OCR) is responsible for enforcing the Privacy and
Security Rules, backed by civil monetary penalties. The Security Rule applies to health plans,
healthcare clearinghouses, and any healthcare provider that transmits health information in
electronic form. To this end, the HIPAA Security Rule requires the implementation of three main
categories of security safeguards, Physical, Administrative, and Technical, which are explained
below.
Administrative Safeguards
Security Management Process- Covered entities are required to identify and analyze
potential risks to e-PHI, and accordingly implement security measures that reduce risks and
vulnerabilities to a reasonable and appropriate level.
Security Personnel- Covered entities must designate a security official who is responsible for
developing and implementing the security policies and procedures established to meet the
HIPAA Security Requirements.
Information Access Management- Consistent with the Privacy Rule's requirement to limit uses
and disclosures of PHI to the "minimum necessary," the Security Rule requires the
implementation of policies and procedures for authorizing access to e-PHI based on defined
roles and responsibilities.
Workforce Training and Management- Covered entities must provide appropriate authorization
and supervision of workforce members who work with e-PHI. Further, they must train the
entire workforce on the security policies and procedures and apply appropriate sanctions
against those who violate the established policies and procedures.
Evaluation- Covered entities are expected to perform periodic assessments to evaluate how
well the security policies and procedures required by the Security Rule have been implemented.
Physical Safeguards
Access Control- The HIPAA Security Rule requires covered entities to implement measures that
limit physical access to their facilities, so that access is granted only to authorized
individuals.
Workstation and Device Security- Covered entities must implement policies and procedures
specifically concerning the use of and access to workstations and electronic media. These
must also cover the transfer, removal, disposal, and re-use of electronic media, to ensure
appropriate protection of electronic protected health information (e-PHI).
Technical Safeguards
Access Control- Similar to the Physical Safeguard requirement, covered entities must also
develop and implement technical policies and procedures that allow only authorized persons
to access electronic protected health information (e-PHI).
Audit Controls- Covered entities must implement hardware, software, and/or procedural
mechanisms to record and examine access and other activity in information systems that
contain or use e-PHI.
Integrity Controls- Covered entities must implement policies and procedures for disposing
of/destroying e-PHI, and must have electronic measures in place to confirm that e-PHI is not
improperly altered or destroyed.
Transmission Security- The HIPAA Security Rule requires covered entities to implement technical
security measures that prevent unauthorized access to e-PHI data transmitted over an
electronic network.
Source- HHS
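As an added illustration of the technical safeguards listed above (this is example code written for this summary, not code from the article or from HHS), the following Python sketch shows a toy e-PHI store that combines three of them: reads scoped to a constructed minimum-necessary field policy per role (Access Control), an audit-log entry for every access attempt (Audit Controls), and an HMAC check that detects an altered record (Integrity Controls). The role policy, the key, and the record layout are all assumptions made for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed minimum-necessary policy: which e-PHI fields each role may see.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
}
# Placeholder key for the demo; a real deployment would use a managed secret.
INTEGRITY_KEY = b"constructed-demo-key"


def _mac(record):
    """HMAC over a canonical JSON encoding of the record (integrity control)."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()


class PhiStore:
    """Toy e-PHI store: sealed records, role-scoped reads, audit log."""

    def __init__(self):
        self.records = {}    # patient_id -> {"data": dict, "mac": str}
        self.audit_log = []  # one entry per access attempt (audit control)

    def put(self, patient_id, record):
        self.records[patient_id] = {"data": record, "mac": _mac(record)}

    def _audit(self, user, role, patient_id, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id, "outcome": outcome,
        })

    def read(self, user, role, patient_id):
        """Return only the fields the role is allowed to see, or refuse."""
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._audit(user, role, patient_id, "denied")
            raise PermissionError(f"role {role!r} has no e-PHI access")
        sealed = self.records.get(patient_id)
        if sealed is None:
            self._audit(user, role, patient_id, "not found")
            raise KeyError(patient_id)
        if not hmac.compare_digest(_mac(sealed["data"]), sealed["mac"]):
            self._audit(user, role, patient_id, "integrity failure")
            raise ValueError(f"record {patient_id} failed integrity check")
        self._audit(user, role, patient_id, "granted")
        return {k: v for k, v in sealed["data"].items() if k in allowed}
```

Note that the audit log records refusals and integrity failures as well as successful reads, which is what makes it useful for the periodic evaluation the Administrative Safeguards call for.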
Final Thought
The security and privacy of PHI/ePHI data are the core requirements of the HIPAA Regulation. The
HIPAA Rules were designed to ensure that organizations adhere to them and implement appropriate
measures to meet a high standard of security. So, for organizations (covered entities and business
associates) looking to achieve and maintain HIPAA compliance, understanding these rules and their
implications is crucial to their compliance program. We recommend that organizations first
understand these rules thoroughly and then consult a compliance specialist for appropriate
implementation.
Author Bio
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA
InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr.
Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk
Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security
audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI
DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years
(since 2004) worked with organizations across the globe to address the Regulatory and Information
Security challenges in their industry. VISTA InfoSec has been instrumental in helping top
multinational companies achieve compliance and secure their IT infrastructure.