What Are the Three Rules of HIPAA? Guide to HIPAA Compliance

As a company working with the healthcare system, you might have asked yourself "what are the three rules of HIPAA?" - and it's good that you did. At this point, you are considered an entity, so if you wish to avoid a fine, you need to comply with all the HIPAA rules.

The security rule and the privacy rule are the ones that most people pay attention to, but there's more to it. Covered entities must do their research so that they are compliant with the policies and procedures of HIPAA. This article will inform you of the most important aspects.  

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) dates back to 1996, when the United States Congress enacted it. At first, the HIPAA rules and legislation existed so that people who were temporarily unemployed would still have health insurance.

To this day, it very much serves the same purpose - but there's more to it than that. Nowadays, it also stands for the protection of information within the Covered Entities. The HIPAA rules are now known for the standards they add for Protected Health Information (PHI).

Sensitive health care information always needs to be protected because a data breach can have negative effects on the individual. Policies and procedures were put in place in order to protect this health information.

HIPAA is more or less like a lock meant to protect people's data from potential breaches or hackers. The Covered Entities must ensure that these policies and procedures not only prevent a leak but also solve a problem immediately.

To this day, the HIPAA rules and their role are evolving continuously. With the industry facing new threats to protected health information, HIPAA needs to adapt continuously.

Why Do We Need HIPAA Rules?

Before HIPAA came along, we didn't have much of a consensus as to what the best practices for Protected Health Information (PHI) should be. With the appearance of HIPAA, things began to change.

The privacy rule and the security rule were first and foremost. Addressing Protected Health Information (PHI), the standards added by HIPAA were industry-wide and with the purpose of aiding health and human services. 

Even more, HIPAA's purpose was to improve the health care experience for the patients. It introduced a variety of policies and procedures so that Covered Entities can protect their client information without too much hassle. Plus, reducing the paperwork also improves the workflow of the covered entity. 

HIPAA works with code sets that are supposed to be used along with patient identifiers. This makes the transfer of information between covered entities easier, aiding health insurance portability. Working in compliance with the Portability and Accountability Act aims to make the experience of the patient easier to deal with. 

HIPAA also serves some much smaller functions through its rules. Depending on the circumstances, it may cover the banning of tax-deduction where life insurance loans are involved. It helps organize the healthcare services, improving their function and making them much easier for the patient to deal with.

Who Needs to Have HIPAA Compliance?

HIPAA applies to pretty much every entity within the healthcare system, whether it's a private hospital, health plan company, medical discount company, or business associate.

A company from this category is referred to as a "Covered Entity," which will have to comply with the HIPAA rules. Only under rare circumstances would a Covered Entity be exempt from the HIPAA rules.

If a company or organization offers third-party health and human services to a Covered Entity, then they will also have to comply with the HIPAA rules. These companies are referred to as "Business Associates," and while they do not offer direct services, they must have the same safeguards as the Covered Entities.

Both Business Associates and Covered Entities must sign a document called the "Business Associate Agreement." This document has the purpose of ensuring that the integrity of Protected Health Information (PHI) is maintained before they even begin to undergo their procedures. 

What Are the 3 Main Rules of HIPAA?

HIPAA legislation is made up of a set of rules that spell out what you'll have to do in order to meet HIPAA compliance. Here is what you need to know about the HIPAA security rules.

The HIPAA Privacy Rule

The HIPAA Privacy Rule dictates the circumstances in which someone may disclose or use the PHI. Everyone is entitled to their privacy - but as we know, there are also certain circumstances when the rule might be used. In these cases, the covered entities will need to follow a set of requirements. 

The standards set by the privacy rule cover the following:

  • Which covered entities need to follow the policies and procedures set by the HIPAA privacy rule
  • What is defined as protected health information
  • How organizations may share their PHI and use it (minimum necessary rule)
  • Circumstances under which disclosure of PHI is permitted
  • Rights that a patient has over their information

The HIPAA Privacy Rule was originally enacted in 2003. Not only does it apply to health care organizations of all types, but also to clearinghouses and other health plan entities. In 2013, it was also updated to include business associates of the health care domain.

Simply put, the privacy rule sets the limits in which a patient's information may be used without being given previous authorization. The HIPAA Privacy Rule also allows patients and their next of kin (their representatives) to obtain a file of their documents. 

The Covered Entities have at most 30 days to respond to these requests for access and disclosure. 

The HIPAA Security Rule

The HIPAA Security Rule suggests the minimum standards by which the ePHI is safeguarded. Even those who are technically fit to access that information would have to meet those standards.

The HIPAA security rule covers the following aspects:

  • The organizations that may need to follow the security rule and be deemed covered entities.
  • Safeguards, policies and procedures that can be put in place to meet HIPAA compliance
  • Health care information that is under the protection of the security rule

To put it simply, anyone who is part of the BA or CE and can access, alter, create or transfer recorded ePHI will be required to follow these standards. These technical safeguards will involve NIST-standard encryption in case the information goes outside the firewall of the company.

Aside from technical safeguards, the security rule will also include a series of physical safeguards. This can take the form of a workstation layout - for instance, you cannot access the screen if you are within a public area. You can only do so from a set area covered by the company's network.

Administrative safeguards are also put in place, and they are shared between the security rule and the privacy rule. These safeguards need a privacy officer along with a security officer to conduct regular audits and risk analysis.

These assessments are essential to security. They look for potential ways in which the PHI may be threatened, even if it's just a hypothesis. As a result, they will create a risk management policy based on it, to prevent any potential issues in the future. 

In the end, a covered entity must protect all the ePHI they create, send or receive through the following actions:

  • Ensure the confidentiality, integrity and availability of the PHI
  • Protect against improper uses and disclosures of data
  • Protect the ePHI against potential threats, safeguarding their medical records
  • Train employees so that they are aware of the compliance factors of the security rule
  • Adapt the policies and procedures to meet the updated security rule

It is the responsibility of the covered entity to make sure the confidentiality, integrity and availability rules of health care are met.

The HIPAA Breach Notification Rule

No piece of technology is ever perfect, no matter how much we may try to make it so. Sometimes, breaches may happen. And this is where the breach notification rule comes forth. 

If a breach has occurred and data has been disclosed, then the Department of Health and Human Services must find out about it as soon as possible. This has to be done within 60 days of the discovery of the breach, no matter the nature of the breach.

If an individual's information was compromised during a breach, then they will also need to be notified within 60 days. 

If a mass scale breach occurs and more than 500 patients are affected by it within a certain jurisdiction, then a media notice needs to be given as well. 

The HIPAA breach notification rule says that any violations of the privacy rule should be announced as soon as possible. Failure to do so may lead to fines from the Office for Civil Rights.

The Covered Entity may also choose not to send a breach notification, but they need to be able to prove that the PHI is not likely to be compromised. If it does turn out that they were compromised, then this will be considered a violation of the privacy and security rules. 

Bonus HIPAA Rules for Covered Entities

A Covered Entity has to follow the three basic rules above. However, other additions to the Health Insurance Portability and Accountability Act should also be kept in mind. The following rules are what follow the Breach Notification Rule.  

The Enforcement Rule

If a breach does occur after all, then this rule will lay out exactly what the covered entities must do in order to approach and resolve this problem. If the cause of the breach was negligence, then a fine has to be issued for the covered entity responsible. 

The value of the fine will depend on the cause and the intent. For example, if the breach was due to ignorance, the negligent party will have to pay a fine as high as $50,000 for every violation. 

For willful breaches, fines also start at $50,000 per offense, but the sum may grow higher if 30 days pass and the offense was not rectified. The Office for Civil Rights will determine the fine based on the severity of the offense.

The Omnibus Rule

Introduced in 2013, the Omnibus Rule is in charge of activating HIPAA changes resulting from the risk analysis process. If anything from the HITECH Act needs changing, then it's this rule that will activate the change. 

What people should know is that this HIPAA rule doesn't introduce any new legislation to the Covered Entities. Instead, it is a security rule designed to clarify any potential ambiguities that might exist in the HITECH Act and other HIPAA rules.

For instance, the Omnibus Rule deals with encryptions and what becomes the standard for Covered Entities to follow. It reflects on technological advances, and if new administrative standards apply, it's the Omnibus's role to clarify and activate the changes. 

The Omnibus rule also includes certain definition improvements so that every aspect of the security rule and privacy rule is completely understandable.

For instance, the definition of the term "workforce" was modified to make it clear who exactly was part of it. It clearly states that it includes employees, trainees, volunteers, and business associates of the covered entity.

Basic Rules for HIPAA Compliance

A covered entity has to undergo regular risk analysis to make sure that HIPAA compliance is ensured. Even if initial compliance is achieved, it's difficult to say what modifications to privacy and security rules may occur.

These risk analysis reports will tell you whether there are any areas that might show potential for improvement, as well as points that might seem vulnerable. It will tell if any technical, physical or administrative safeguards need to be modified.

The Office for Civil Rights (OCR) created a list of basic rules that must be followed. Here are some objectives that should be kept in mind during risk assessment: 

  • Identify the PHI, whether it is created, stored, received or transmitted. PHI shared with business associates is also included. 
  • Identify the natural, human and environmental threats to the PHI integrity. If the threats are human, identify whether the threat is intentional or unintentional.
  • Determine what measures will be used in order to meet HIPAA regulations. Assess the likelihood of a potential breach occurring as well.
  • Determine a potential impact that a breach may have on the PHI and assign a risk level based on the likelihood. 
  • Document what you found and begin implementing measures to protect against breaches. This includes anything from physical safeguards to other methods that help HIPAA compliance.
  • Store your risk assessment documents, along with the rationales for implementing specific measures. They need to be maintained for at least 6 years.

Depending on the size of the covered entity along with the data type that they deal with, several different steps might be taken.

Categories of HIPAA Violations

As you can see, a HIPAA violation may cause a lot of damage to an organization. The Office for Civil Rights (OCR) can easily prosecute you if they find that you violated any of the above-mentioned rules.

  • Category I: A violation that the Covered Entity could not have noticed and had no realistic way of avoiding. A lot of care was taken beforehand so that the organization complies with the rules of HIPAA.
  • Category II: A violation that should have been noticed, but still could not really be avoided in normal circumstances, even with reasonable care.
  • Category III: Violation was a result of "willful neglect," a mistake, where the party tried to correct the violation.
  • Category IV: Violation was a result of willful neglect, but the party did not try to correct the violation.

Depending on the circumstances, the violation penalty may differ. The Office for Civil Rights will determine this based on the gravity of the violation.

Exceptions and Reportable Breaches

In some cases, HIPAA regulations may also see some exceptions to their rules. Technically speaking, an organization must ensure confidentiality, considering every unapproved use and disclosure to be a PHI breach. 

That being said, organizations are only required to send an alert when unsecured PHI is involved. In three special circumstances, the breach notification rule may be considered flexible, as follows: 

  1. If the breach was done in good faith or without any ill intentions, remaining within the authorized scope.
  2. If the disclosing organization has it in good faith that the entity receiving the data would not be able to actually retain the PHI and medical records.
  3. If the uses and disclosures were done unintentionally with two entities that have access control.

Regardless of the circumstances, the covered entity must make sure the security standards are not breached again. Depending on the number of people that were affected, the Department of Health may still impose a penalty.

The Bottom Line

Disclosure of medical records can cause a lot of trouble, especially for those who put their faith in the healthcare system. This is why organizations must respect the rules established by the Office for Civil Rights (OCR) when setting their security standards. Every patient has a right to security, so it is your responsibility as a covered entity to provide it.