HIPAA Rules 101

Posted: January 4, 2017

Implementing a Simplified Approach to HIPAA Compliance

The standards and procedures established under HIPAA aim to protect patient health information for privacy and safety reasons. However, understanding which HIPAA Rules apply to you and meeting their requirements can be difficult without a simplified approach. To help, below is a summary of the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the HIPAA Privacy Rule.

HIPAA Security Rule:
The HIPAA Security Rule establishes national standards for, and focuses on, the confidentiality, integrity and availability (the CIA Triad) of electronic Protected Health Information (ePHI) that an entity creates, receives, maintains or transmits. The HIPAA Security Rule is divided into three parts:

  1. Administrative Safeguards;
  2. Physical Safeguards; and
  3. Technical Safeguards.

To add complexity, each of the Safeguards contains Standards, and most of the Standards have Implementation Specifications that are either required or addressable. Note that "addressable" does not mean optional: an entity must assess whether the specification is reasonable and appropriate in its environment and then either implement it, or document why it is not reasonable and appropriate and implement an equivalent alternative measure where one is reasonable and appropriate.

HIPAA Breach Notification Rule:
The HIPAA Breach Notification Rule applies to unsecured Protected Health Information (PHI), that is, PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons (for example, by encryption or destruction consistent with HHS guidance). Under the rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the entity demonstrates a low probability that the PHI was compromised, based on a risk assessment of at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. The rule also defines a small number of exceptions to what counts as a breach. If the four-factor Breach Risk Assessment concludes that a breach of PHI occurred, specific standards define the timing, content and method of notification to the affected individuals, to HHS and, where applicable, to the media.

HIPAA Privacy Rule:
The HIPAA Privacy Rule establishes national standards for the privacy of Protected Health Information (PHI) by setting limits and conditions on how and when an individual's PHI may be used and disclosed. In the HHS Audit Protocol, the HIPAA Privacy Rule is divided into Sections that contain Standards and Implementation Specifications.

Determining which rules apply to your environment based on your classification under HIPAA can be overwhelming and stressful. However, a simplified approach can be taken by having the proper guidance and support every step of the way, both during and after a HIPAA Compliance Assessment. This support should be available during the initial engagement to assess your current environment as well as during any remediation. Then, after the remediation phase, a HIPAA compliance report should reflect the remediation efforts made within your environment to meet HIPAA compliance.

If you have any questions regarding the healthcare information requirements or other information security needs, please contact us at security@compliancepoint.com.

Author: Martha Raber

Martha Raber is a HIPAA Security Consultant for CompliancePoint's Information Security Practice. Her knowledge spans multiple industries and entities, including healthcare, telecommunications, and travel technology (airlines and SaaS). Martha's passion lies in knowing she can help organizations meet compliance and mitigate risk through Gap and Risk Assessments and by providing recommendations for meeting regulatory requirements and internal organizational objectives. Martha has earned the HITRUST CSF Practitioner, CISSP, and CompTIA Security+ certifications. She has also earned a Master of Science in Information Systems and a certification in Business Management from Stratford Career Institute.
