What are HIPAA rules?

The Health Insurance Portability and Accountability Act (HIPAA) includes a set of rules to help healthcare organizations and their business associates protect the security and confidentiality of sensitive patient data. To become compliant, healthcare organizations must follow five HIPAA rules to safeguard this protected health information (PHI).

The HIPAA Privacy Rule

The HIPAA Privacy Rule is a federal law that gives patients rights over their protected health information and limits who can access and disclose it. It ensures that healthcare organizations take the proper steps to safeguard sensitive health information while allowing that information to be shared in a way that promotes high-quality healthcare.

The HIPAA Security Rule

The Security Rule outlines a set of physical, administrative, and technical safeguards that organizations must use to secure PHI. Together, these safeguards help protect PHI from unauthorized access, alteration, and deletion.

The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires organizations to notify affected individuals and the US Department of Health and Human Services (HHS) when unsecured PHI has been breached. To avoid a HIPAA violation, organizations must send notifications to affected individuals within 60 days of identifying a breach.

The HIPAA Enforcement Rule

This rule defines how investigations into HIPAA complaints and violations are conducted, as well as how fines and penalties for HIPAA violations are determined.

The HIPAA Omnibus Rule

One of the key points of HIPAA legislation is to give patients greater control over who can access their health records and when. Under the Omnibus Rule, covered entities must comply with a patient’s request to access or share their medical records.