Discover how you can simplify regulatory compliance for your business with the top HIPAA compliance tools in 2025.
HIPAA Regulations
What are HIPAA rules and regulations?
The HIPAA laws and regulations include instructions on how to secure protected health information (PHI), use it appropriately, and respond in the event of a PHI breach. The HIPAA Privacy Rules, Security Rules, and Breach Notification Rules make up the three main parts of the HIPAA Rules and Regulations.
HIPAA Privacy Rule
Health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers are examples of covered entities, and the HIPAA Privacy Rule governs how they use and disclose the Protected Health Information (PHI) they maintain. When adopting the HIPAA Omnibus Rule, the Department of Health and Human Services expanded the scope of the HIPAA Privacy Rule to include independent contractors of covered entities that meet the criteria for a business associate. PHI is any data kept by a covered entity that can be related to an individual’s health status, the delivery of healthcare, or the payment for healthcare. There are 18 PHI identifiers that must be considered, including name, diagnosis, social security number, etc. Any information from a person’s medical history or financial history falls under this category.
According to the HIPAA Privacy Rule, a covered organization may divulge PHI without a patient’s written consent in order to support treatment, payment, or health care operations (TPO). The covered entity must seek and keep a written consent from the individual before making any other disclosures of PHI. When a covered entity discloses any PHI, it is required to use commercially reasonable efforts to release no more information than is necessary to fulfill the intended purpose.
The Privacy and Security Rules of the HIPAA Act mandate that covered entities notify individuals of the uses of their PHI. Additionally, covered entities are required to document their privacy policies and practices and to track PHI disclosures. All employees must be trained in PHI policies, and each covered entity must appoint a Privacy Official and a contact person who will handle complaints. If someone feels that the HIPAA Privacy Rule is not being followed, they can file a complaint with the Office for Civil Rights (OCR) of the Department of Health and Human Services.
HIPAA Security Rule
The HIPAA Security Rule deals exclusively with Electronic Protected Health Information (ePHI), while the Privacy Rule applies to all Protected Health Information (PHI), including paper records. Administrative, physical, and technical safeguards are the three categories of protection that must be in place to comply with HIPAA Rules and Regulations. The Security Rule establishes standards for each of these categories, and for each standard it lists both required and addressable implementation specifications.
HIPAA Breach Notification Rule
Organizations that encounter a PHI breach are required by the HIPAA Breach Notification Rule to report the incident. Reporting obligations vary depending on how many patients were impacted by the breach. For breaches involving 500 or more patients, the affected patients, the HHS OCR, and the media must all be informed. These significant breaches must be reported within 60 days of discovery. Additionally, incidents that affect 500 or more patients are made public on the OCR breach site.
Breaches that affect fewer than 500 patients must be reported to both the HHS OCR and the affected patients. Once a breach is identified, it must be reported within 60 days of the end of the calendar year in which it was discovered (by March 1st).