Five Important Rules that Make up HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that protects patients’ health information from being disclosed or used improperly without their knowledge or consent. Organizations in the medical field and their employees must understand the HIPAA rules to avoid violations. Five crucial rules make up the requirements enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

  1. Privacy Rule

The Privacy Rule governs when, how, and under what circumstances Protected Health Information (PHI) may be used or disclosed. It also sets standards for patients’ rights regarding their PHI and the control they have over its use and disclosure. Under this rule, patients and their personal representatives can obtain a copy of their health records and request amendments to inaccurate or incomplete information.

  2. Security Rule

The Security Rule sets standards that protect electronic Protected Health Information (ePHI). Covered Entities (healthcare providers, health plans, and healthcare clearinghouses) and their Business Associates (third parties that create, receive, maintain, or transmit ePHI on a Covered Entity’s behalf) are required to meet the Security Rule standards. The rule comprises three categories of safeguards: administrative (risk analysis, policies, and workforce training), physical (facility access controls and device and media controls), and technical (access controls, audit controls, integrity protection, user authentication, and transmission security). Together these safeguards are meant to preserve the confidentiality, integrity, and availability of ePHI: keeping patient data accurate and accessible only to authorized parties, preventing theft or loss of devices that hold patient data, and protecting systems against network intrusions and data breaches.

  3. Breach Notification Rule

When unsecured PHI has been breached, the Department of Health and Human Services must be notified. If the breach affects 500 or more individuals, HHS must be notified without unreasonable delay and no later than 60 days after the breach is discovered, and a notice must also be provided to prominent media outlets serving the affected area. If the breach affects fewer than 500 individuals, HHS must be notified within 60 days after the end of the calendar year in which the breach was discovered. In either case, the individuals whose PHI was compromised must be notified without unreasonable delay and no later than 60 days after discovery.

  4. Omnibus Rule

The Omnibus Rule (2013) extended direct liability under HIPAA to Business Associates and their subcontractors, barred the use of PHI for marketing and fundraising (and its sale) without patient authorization, and introduced the tiered penalty structure for HIPAA violations.

  5. Enforcement Rule

The Enforcement Rule sets out how HIPAA violations are investigated and penalized, including the procedures for compliance reviews, complaints, and hearings. Penalties are tiered according to the level of culpability, from violations the organization did not know about (and could not reasonably have known about), through those due to reasonable cause, to those due to willful neglect, whether corrected or not, and the fines can be substantial.

The five HIPAA rules are extensive, and managing compliance throughout an organization can be difficult. Improper training and poor handling of patients’ PHI can result in monetary and reputational damage. Organizations need to understand which of these requirements affect their everyday operations and take every reasonable precaution with the safety and security of patient data.

Remember, MedPro Disposal offers HIPAA Compliance Training and Certification Services. 