Posted by Tyler Chancey, GCFA on

Tyler Chancey is a seasoned cybersecurity professional currently serving as the Director of Cyber Security at Scarlett Cybersecurity Services. With a solid foundation in Computer Software Engineering from the University of Florida, Tyler holds a repertoire of certifications that underscore his expertise. These include the prestigious Microsoft 365 Certified: Enterprise Administrator Expert and Microsoft 365 Certified: Security Administrator Associate, showcasing his mastery in Microsoft's enterprise solutions. Tyler's commitment to comprehensive security is further evidenced by his CompTIA Security+ certification, demonstrating proficiency in core cybersecurity principles. Additionally, his GIAC Certified Forensic Analyst (GCFA) credential attests to his advanced skills in forensic analysis, an invaluable asset in today's complex cybersecurity landscape. Tyler's dedication to staying at the forefront of industry standards is evident in the active pursuit and maintenance of these certifications, making him a trusted authority in the field.

Three Rules of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) safeguards the privacy and security of patients' sensitive health information.

The three most essential parts of the HIPAA rules are: 

  • The Privacy Rule
  • The Security Rule
  • The Breach Notification Rule

Collectively, these rules support the core principles of HIPAA, promoting the confidentiality, integrity, and availability of individuals' health information while promoting trust in the healthcare system.

According to the Office for Civil Rights (OCR), which enforces HIPAA, 500 healthcare data breaches were reported in 2021, compromising protected health information (PHI) by approximately 75%. According to the HIPAA Journal, cybersecurity crimes have grown by 45% globally.

IT professionals are under pressure to reduce attacks and strengthen their defenses, so they must meet HIPAA's security requirements. Healthcare providers, insurers, and anyone who handles PHI must comply with HIPAA to protect the healthcare system. We have compiled this comprehensive guide covering the HIPAA rules and regulations that safeguard PHI. Let's dive in.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a crucial piece of legislation in the United States enacted in 1996. HIPAA sets standards and regulations for healthcare providers, health plans, and healthcare clearinghouses regarding protecting, using, and disclosing sensitive patient data. 

Its main goal is to ensure that patients have control over their medical data and make it easier for people to share the information needed for good healthcare. HIPAA requires administrative, technical, and physical protections to keep personal health information from being accessed or shared without permission. 

This promotes trust, privacy, and honesty in the healthcare system. The HIPAA rules are well known because they set new standards for handling PHI. Sensitive health information must always be kept safe, because a data breach can harm the patient. Policies and procedures are reviewed to ensure that health information stays protected.

Even today, the HIPAA rules and their purpose are constantly changing. HIPAA must keep evolving because new threats to protected health information keep emerging in the industry.

Learn more about HIPAA and its purpose in Cybersecurity here.

Why Do We Need HIPAA Rules?

Before HIPAA, there was little agreement on best practices for handling PHI. After HIPAA was passed, things began to change. At first, there were rules about privacy and security. PHI was at the center of HIPAA's new rules, which all healthcare businesses had to follow.

To meet HIPAA's requirements, patient names must be used with standard code sets. This makes it easier for people to change their health insurance plans. With the Portability and Accountability Act in mind, healthcare workers try to improve the patient's experience.

HIPAA ensures that personal health information is kept private, secure, and not leaked. These rules allow the healthcare industry to store and share patient data safely and efficiently, protect patient privacy, and keep PHI from being used or accessed by people who shouldn't be able to.

HIPAA rules ensure that only authorized people can view PHI. Patients can obtain copies of their personal information on request. Covered entities protect PHI through appropriate physical, procedural, and technical means, and they must quickly report and fix any security breaches.

What Are HIPAA's Three Rules?

The key components of the HIPAA rules and regulations are the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. An overview of each is given below.

Rule 1: The HIPAA Privacy Rule 

The Privacy Rule protects individuals' rights to confidentiality and limits the uses and disclosures of health information. It outlines regulations for maintaining the confidentiality of patient information, including who can access and share ePHI. To protect patient privacy, cybersecurity providers need to understand the Privacy Rule.

Evaluating a Cybersecurity Provider's Compliance with the Privacy Rule

Key considerations when evaluating a Cybersecurity Provider's adherence to the Privacy Rule:

Privacy Policies and Procedures

A trustworthy Cybersecurity Provider should have privacy policies and procedures in place that meet HIPAA's standards. These policies should govern how ePHI is handled, stored, and transmitted, ensuring the Privacy Rule is followed.

Business Associate Agreement (BAA)

Organizations must ensure that any Cybersecurity Provider they engage signs a BAA. This agreement establishes the responsibilities and obligations of the provider in protecting ePHI and ensures they comply with the Privacy Rule.

Training and Awareness

The Privacy Rule emphasizes how essential it is to train workers to keep patient information safe. A trustworthy cybersecurity provider should offer employee privacy and data breach prevention training.

Between 2009 and 2021, 95% of the US population had their medical details exposed. 88% of hackers who attack healthcare organizations do so for financial gain. 95% of all identity theft incidents are caused by stolen health records. These records are worth about 50 times more than credit card information.

Requirement for Covered Entities

The HIPAA Privacy Rule requires covered entities to safeguard the privacy of individuals' health information and to give individuals rights over its use and disclosure. Some key provisions of the Privacy Rule include:

  • Privacy Notice: Covered entities must notify patients of their health information privacy practices and rights.
  • Consent: Except for treatment, payment, and healthcare operations, patients must grant written permission for health information use and dissemination.
  • Minimum Necessary Standard: Covered organizations must use, disclose, and request only the minimum protected health information needed to achieve the intended purpose.
  • Access to Records: Patients can access and obtain copies of their health records, including the right to request amendments or corrections.
  • Confidentiality: Health information must be protected against unauthorized access by covered organizations using physical, technological, and administrative protections.

HIPAA Privacy Rule - Hypothetical Example

Let's consider an example to illustrate how the HIPAA Privacy Rule works. A patient goes to a doctor for a checkup. Medical history, test findings, and treatment plans are collected throughout the appointment. The HIPAA Privacy Rule requires the provider to:

  1. Provide a Privacy Notice to notify patients about how the provider will use and safeguard their health information.
  2. Obtain the patient's written approval before sharing their health information with other healthcare professionals or with their health insurance company for billing.
  3. Only authorized persons, such as healthcare professionals directly engaged in the patient's care, should have access to their health information.
  4. Implement security measures to protect patient health information, including electronic systems and physical protections.

Rule 2: The HIPAA Security Rule 

The Security Rule is a crucial component of HIPAA, outlining the required safeguards to protect ePHI. It requires administrative, physical, and technological measures to protect ePHI's confidentiality, integrity, and availability. When selecting a Cybersecurity Provider, organizations should know about implementing these measures properly.

Evaluating a Cybersecurity Provider's Compliance with the Security Rule

To comply with the Security Rule, organizations should consider the following factors:

Risk Assessment

Regular risk assessments help discover weaknesses and apply security remedies. Organizations should seek a Cybersecurity Provider that offers comprehensive risk assessment services to identify and mitigate potential threats.

Access Controls

Applying strict access controls, such as unique user identification, role-based access, and automatic logoff, is crucial to preventing unauthorized ePHI access. Cybersecurity providers should have expertise in protecting sensitive data with strong access controls.
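As an added illustration of the three controls just named (not code from the original article or from Scarlett Cybersecurity Services), the Python below enforces unique user IDs, a per-role field list that implements the minimum-necessary standard, automatic logoff after an inactivity timeout, and an audit entry for every allow or deny decision. The role names, field lists, the ten-minute timeout and the patient record are assumptions constructed for the example.

```python
"""Role-based ePHI access control with automatic logoff and an audit trail.

Added example; not code from the original article. Role names, field lists,
the inactivity timeout and the patient record are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Minimum-necessary mapping (assumed): the ePHI fields each role may read.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "physician": {"name", "diagnosis", "medications", "insurance_id"},
    "nurse": {"name", "medications"},
    "billing": {"name", "insurance_id"},
}

INACTIVITY_TIMEOUT = timedelta(minutes=10)  # automatic-logoff threshold (assumed)

# Constructed sample record; not real patient data.
PATIENT_RECORDS: Dict[str, Dict[str, str]] = {
    "P-1001": {"name": "Jane Doe", "diagnosis": "Type 2 diabetes",
               "medications": "metformin", "insurance_id": "INS-55512"},
}


@dataclass
class Session:
    user_id: str            # unique per person; shared logins defeat the audit trail
    role: str
    last_activity: datetime
    active: bool = True


class EphiAccessControl:
    """Enforces role-based access, idle logoff and logging for ePHI reads."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.audit_log: List[Dict[str, object]] = []

    def login(self, user_id: str, role: str, now: datetime) -> None:
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role: {role}")
        self.sessions[user_id] = Session(user_id, role, now)
        self._audit(user_id, "login", None, None, "ok", now)

    def read_field(self, user_id: str, patient_id: str,
                   field_name: str, now: datetime) -> Optional[str]:
        """Return the field value, or None (with an audit entry) when denied."""
        session = self.sessions.get(user_id)
        if session is None or not session.active:
            self._audit(user_id, "read", patient_id, field_name, "denied: no session", now)
            return None
        # Automatic logoff: an idle session is closed before any data is served.
        if now - session.last_activity > INACTIVITY_TIMEOUT:
            session.active = False
            self._audit(user_id, "auto_logoff", None, None, "ok", now)
            self._audit(user_id, "read", patient_id, field_name, "denied: session expired", now)
            return None
        session.last_activity = now
        # Role check implements the minimum-necessary standard per field.
        if field_name not in ROLE_FIELDS[session.role]:
            self._audit(user_id, "read", patient_id, field_name, "denied: role", now)
            return None
        record = PATIENT_RECORDS.get(patient_id)
        if record is None or field_name not in record:
            self._audit(user_id, "read", patient_id, field_name, "denied: not found", now)
            return None
        self._audit(user_id, "read", patient_id, field_name, "ok", now)
        return record[field_name]

    def _audit(self, user_id, action, patient_id, field_name, outcome, when) -> None:
        # Every decision, allowed or denied, is recorded for later review.
        self.audit_log.append({
            "time": when.isoformat(), "user": user_id, "action": action,
            "patient": patient_id, "field": field_name, "outcome": outcome,
        })


def demo():
    """Walk through an allowed read, a role-denied read and an idle-timeout read."""
    ac = EphiAccessControl()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    ac.login("nurse-0042", "nurse", t0)
    ac.login("bill-0007", "billing", t0)
    results = {
        "nurse_meds": ac.read_field("nurse-0042", "P-1001", "medications", t0 + timedelta(minutes=1)),
        "nurse_diagnosis": ac.read_field("nurse-0042", "P-1001", "diagnosis", t0 + timedelta(minutes=2)),
        "billing_after_idle": ac.read_field("bill-0007", "P-1001", "insurance_id", t0 + timedelta(minutes=15)),
    }
    denied = sum(1 for e in ac.audit_log if str(e["outcome"]).startswith("denied"))
    return results, denied, ac


if __name__ == "__main__":
    res, n_denied, ctl = demo()
    print(res, "denied decisions:", n_denied)
```

Running `demo()` returns the nurse's permitted medication value, `None` for the diagnosis field the nurse role may not read, and `None` for the billing user whose session was closed after fifteen idle minutes; the audit log carries one entry per decision, which is what a later review or breach investigation would rely on.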

Incident Response

HIPAA mandates incident response plans for data breaches. To mitigate security incidents, a cybersecurity provider should offer breach detection, containment, and remediation.

Over the previous decade, nearly 4,500 data breaches involving 500 or more medical records have been reported. Every year, the average number of data breaches increases by 25%. The US Healthcare Data Breach Report from the HIPAA Journal says that since 2014, the number of data breaches in large and small hospitals and clinics has doubled. In 2021, the typical data breach took 212 days to discover and 75 days to contain.

Main Categories of Security Safeguards

The Security Rule establishes three main categories of safeguards: administrative, physical, and technical. These security measures keep ePHI from being accessed, shared, changed, or destroyed by people who shouldn't be able to. Here's a brief explanation of each category:

Administrative Safeguards 

These are the policies and procedures that govern how security measures are selected, developed, implemented, and maintained. Examples include conducting risk assessments, developing workforce security policies, providing employee training, and establishing incident response protocols.

Physical Safeguards

These safeguards focus on the physical protection of electronic systems and data. They restrict access to buildings, workstations, and ePHI equipment. Examples include using secure locks, surveillance systems, and access controls like badges or biometric authentication.

Technical Safeguards

These safeguards pertain to the technology and systems used to protect ePHI. They include access restrictions, encryption, audit controls, and other data security safeguards. Examples include using strong passwords, implementing firewalls, encrypting data transmissions, and regularly updating software and systems.

HIPAA Security - Hypothetical Example

Consider a scenario where a healthcare provider implements the HIPAA Security Rule. The provider performs a risk assessment to find out where its electronic systems might be vulnerable and then takes steps to fix those weaknesses. It establishes policies and procedures to ensure workers know how to handle ePHI safely.

Access controls are implemented to prevent unauthorized people from accessing patient information. The provider uses encryption to protect ePHI when sending it over networks. Regular audits and monitoring are conducted to identify potential breaches or security incidents promptly.

Rule 3: The HIPAA Breach Notification Rule

The Breach Notification Rule requires organizations to promptly notify affected individuals, the Secretary of Health and Human Services, and, in some cases, the media in the event of a data breach. It specifies breach notification standards for content, timing, and mechanism.

When selecting a Cybersecurity Provider, organizations should consider their expertise in breach detection, response, and notification.

Evaluating a Cybersecurity Provider's Compliance with Breach Notification Rule

Key considerations when evaluating a Cybersecurity Provider's breach response capabilities:

Breach Detection and Monitoring

A trustworthy cybersecurity provider should use up-to-date tools to identify and monitor security breaches. Real-time threat intelligence, network monitoring, and log analysis help detect and respond to breaches.
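To show what the log-analysis part of breach detection looks like in practice, the following is an added example (not code from the original article or from Scarlett Cybersecurity Services). It parses constructed ePHI audit-log lines and raises an alert when one user views an unusually large number of distinct patient records inside a short window (a bulk-access pattern) or accumulates repeated denied attempts (probing for records the role may not see). The log format, the ten-minute window, both thresholds and the sample lines are assumptions made for the example.

```python
"""Detect suspicious ePHI access patterns from audit-log lines.

Added example; not code from the original article. The log format,
thresholds and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit-log lines (not real data). Each line records one
# attempt to view a patient record in an assumed key=value format.
SAMPLE_LOG = """\
2024-03-02T09:01:10 user=nurse-0042 action=view patient=P-1001 result=ok
2024-03-02T09:03:40 user=nurse-0042 action=view patient=P-1002 result=ok
2024-03-02T09:05:12 user=bill-0007 action=view patient=P-1001 result=denied
2024-03-02T09:05:20 user=bill-0007 action=view patient=P-1003 result=denied
2024-03-02T09:05:31 user=bill-0007 action=view patient=P-1004 result=denied
2024-03-02T22:10:00 user=clerk-0099 action=view patient=P-2001 result=ok
2024-03-02T22:10:05 user=clerk-0099 action=view patient=P-2002 result=ok
2024-03-02T22:10:09 user=clerk-0099 action=view patient=P-2003 result=ok
2024-03-02T22:10:14 user=clerk-0099 action=view patient=P-2004 result=ok
2024-03-02T22:10:20 user=clerk-0099 action=view patient=P-2005 result=ok
2024-03-02T22:10:27 user=clerk-0099 action=view patient=P-2006 result=ok
this line is malformed and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) result=(?P<result>ok|denied)$"
)

WINDOW = timedelta(minutes=10)   # sliding window length (assumed)
BULK_THRESHOLD = 5               # distinct records viewed by one user per window
DENIED_THRESHOLD = 3             # denied attempts by one user per window


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse log lines; malformed lines are dropped rather than guessed at."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        event: Dict[str, object] = dict(m.groupdict())
        event["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(event)
    return events


def _windows(evs):
    """Yield (start_time, events within WINDOW of that start) for each event."""
    for i, start in enumerate(evs):
        yield start["ts"], [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one alert per user per rule that trips within any window."""
    alerts: List[Dict[str, object]] = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        fired = set()
        for start, window in _windows(evs):
            patients = {e["patient"] for e in window if e["result"] == "ok"}
            denied = sum(1 for e in window if e["result"] == "denied")
            if "bulk_access" not in fired and len(patients) >= BULK_THRESHOLD:
                fired.add("bulk_access")
                alerts.append({"rule": "bulk_access", "user": user,
                               "first_seen": start, "count": len(patients)})
            if "denied_burst" not in fired and denied >= DENIED_THRESHOLD:
                fired.add("denied_burst")
                alerts.append({"rule": "denied_burst", "user": user,
                               "first_seen": start, "count": denied})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample lines the detector flags `clerk-0099` for viewing six distinct records in under thirty seconds and `bill-0007` for three denied attempts in a row, while the nurse's two ordinary reads produce nothing; in a real deployment the thresholds would be tuned to each role's normal workload so that the alerts feed the incident response process rather than drown it.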

Incident Response Planning

Data breach response is vital. Organizations should ensure their Cybersecurity Provider has strong incident response processes that comply with the Breach Notification Rule.

Compliance with Reporting Requirements

A good cybersecurity provider should know HIPAA and other breach reporting rules. They should be able to help organizations prepare breach notices and report incidents to the authorities.

The Anthem data breach of 2015 affected 80 million users, while in 2021, 713 reported major data breaches impacted more than 45 million people. In February 2022, 46 healthcare data breaches impacted 2.5 million individuals, down 8% from January. The HHS reported 30 healthcare breaches in March 2022, affecting 1.4 million people.

HIPAA Breach Notification Rule - Hypothetical Example

Let's say a laptop containing unencrypted PHI is stolen from a physician's office. Because the information was not properly protected, the stolen laptop is considered a breach of unprotected PHI. The physician's office must perform a risk assessment to determine how likely it is that the PHI has been compromised.

If the assessment finds a high risk of harm, such as identity theft or financial fraud, the physician's office must follow the requirements of the Breach Notification Rule and notify the affected individuals, HHS, and, where required, the media.

Who Needs to Have HIPAA Compliance?

HIPAA compliance is crucial for various entities within the healthcare industry. Healthcare providers (like hospitals, clinics, and private practices), health plans (like insurance companies and government programs like Medicare and Medicaid), and healthcare clearinghouses (which process healthcare information) are all covered entities that must follow HIPAA rules. 

Additionally, business associates who handle protected health information on behalf of covered entities, such as billing companies, IT vendors, and third-party administrators, must comply with HIPAA regulations. 

HIPAA compliance is required to protect patient privacy, maintain the security of sensitive health information, and promote trust within the healthcare ecosystem.

By working together, organizations and their cybersecurity partners can anticipate emerging threats, adapt security measures, and fortify the healthcare ecosystem against potential breaches, creating flexible, privacy-preserving healthcare environments.


The three main rules of HIPAA are the Privacy Rule, Security Rule, and Breach Notification Rule.

The Privacy Rule protects individuals' medical information.

The Security Rule sets standards for safeguarding electronic health records. 

The Breach Notification Rule requires covered entities to notify affected individuals in case of a data breach.

By engaging the services of a trusted Cybersecurity Provider, organizations can benefit from their expertise and experience in navigating the intricacies of HIPAA compliance. 
