HIPAA Compliance: Security and Privacy Rule Guide
HIPAA compliance requires covered entities and business associates to implement administrative, physical, and technical safeguards for protected health information. This guide covers the Security Rule, Privacy Rule, breach notification requirements, and Business Associate Agreement essentials.
HIPAA Overview
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting the privacy and security of certain health information in the United States. HIPAA applies to covered entities (health plans, clearinghouses, and healthcare providers who transmit health information electronically) and their business associates. The Office for Civil Rights (OCR) enforces HIPAA, with penalties ranging from $100 to $50,000 per violation.
The Privacy Rule
The HIPAA Privacy Rule establishes standards for Protected Health Information (PHI):
- Permitted uses and disclosures: PHI may be used for treatment, payment, and healthcare operations without patient authorisation. Other uses require written authorisation.
- Minimum necessary standard: Only the minimum PHI needed should be used or disclosed.
- Patient rights: Individuals can access their PHI, request amendments, receive an accounting of disclosures, and request restrictions.
- Notice of Privacy Practices: Covered entities must describe how PHI is used and protected.
The Security Rule
The Security Rule specifies safeguards for electronic PHI (ePHI) in three categories:
Administrative Safeguards: Conduct a risk analysis, implement risk management, designate a security officer, establish workforce security procedures, implement training, and develop contingency plans.
Physical Safeguards: Implement facility access controls, establish workstation security policies, and control hardware and electronic media containing ePHI.
Technical Safeguards: Implement access controls with unique user identification, deploy audit controls, ensure integrity controls, and implement transmission security including encryption.
Risk Analysis Requirements
The risk analysis is the foundation of Security Rule compliance. OCR has consistently identified inadequate risk analysis as the most common deficiency. Your risk analysis should identify all systems that create, receive, or transmit ePHI, document potential threats and vulnerabilities, assess likelihood and impact, determine current risk levels, and be updated regularly.
Breach Notification Rule
Covered entities must notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI:
- Individual notification: Without unreasonable delay, and no later than 60 days after discovery.
- HHS notification: For breaches affecting 500 or more individuals, notify within 60 days. For smaller breaches, submit an annual log.
- Media notification: Required for breaches affecting 500 or more residents of a state.
Business Associate Agreements
BAAs are required whenever a covered entity engages a business associate to handle PHI. A BAA must describe permitted uses of PHI, require appropriate safeguards, require breach reporting, ensure subcontractors agree to the same obligations, and provide for return or destruction of PHI upon termination.
Practical Compliance Steps
To build and maintain HIPAA compliance:
- Conduct and document a comprehensive risk analysis annually.
- Implement the safeguards the risk analysis identifies.
- Train all workforce members at onboarding and annually.
- Maintain written policies addressing all requirements.
- Monitor and audit compliance regularly.
- Establish a breach incident response process.