
What Are the Three Rules of HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) defines the three rules that all healthcare professionals and organizations must abide by. This law provides the framework for protecting and preserving patient health information. So, what are the three rules of HIPAA? How do you implement them?

What are the three rules of HIPAA?

Complying with the HIPAA law is a must for all healthcare professionals and organizations. Failure to do so could leave you facing substantial fines. But beyond the risk of fines, covered entities under the HIPAA rules and regulations must comply with the procedures and policies that HIPAA prescribes to safeguard confidential patient health information.

Before the HIPAA law, there were no clear guidelines on protecting and safeguarding protected health information. This law was devised to aid health and human services, as well as improve the patient experience.

As part of the HIPAA law, all healthcare organizations must abide by the three rules that outline additional policies and procedures unique to the specific circumstances that these organizations deal with regularly.

HIPAA Privacy Rule

The HIPAA Privacy Rule provides guidelines on the circumstances that allow the disclosure or use of patient health information. The law acknowledges that every patient is entitled to privacy. Therefore, healthcare providers and organizations have no general right to disclose this information; they may do so only in the circumstances specified under the Privacy Rule. It recognizes that certain circumstances compel the disclosure of the patient's health information, which includes personal information and payment history.

The Privacy Rule was enacted in 2003 and was updated in 2013. It previously covered only specified healthcare entities but was expanded to include health clearinghouses, health plans, and healthcare providers.


This rule not only outlines the specific circumstances that legally allow the disclosure of patient health information, but also sets the corresponding limits. The disclosure of patient information (as long as covered by this rule) does not require prior authorization.

Here are the guidelines and recommendations of the HIPAA Privacy Rule:

  • It specifies the organizations that must abide by the Privacy Rule.

  • It defines what is considered protected health information.

  • It outlines how organizations can use or share protected health information (PHI).

  • It specifies the circumstances under which use of PHI is permitted, including uses that do not require patient authorization.

  • It clearly defines the patients' rights to access their medical records.

Patients, or their next of kin, are also given the right to access and obtain a copy of their medical records under the HIPAA Privacy Rule. Covered entities must respond to the request within 30 days of filing. The Privacy Rule places no restrictions on health information that does not reveal a person's identity.

HIPAA Security Rule

The HIPAA Security Rule recommends the minimum standards that healthcare organizations and related entities must follow to safeguard electronic health information. This rule was issued in February 2003 and took effect in April 2003. It pertains to all types of health information, whether in paper or electronic format. However, there is a specific focus on electronic health information with this particular rule.

Under the HIPAA Security Rule, there are three types of security safeguards that all covered entities must comply with: 1) physical, 2) administrative, and 3) technical. HIPAA specifies security standards for each of these categories.

All covered entities and healthcare organizations must adopt the required specifications for enhanced electronic health information security. There are also addressable specifications, which allow flexibility and vary according to the circumstances of each organization. Therefore, HIPAA recommends that individual entities analyze their risk and follow the security recommendations that apply to them.

The HIPAA Security Rule covers the following information:

  • It identifies the organizations that must follow the minimum security standards set by the HIPAA.

  • It identifies the safeguards and policies that ensure HIPAA compliance.

  • It defines what would be considered health care information that is protected by the security rule.

Simply put, anyone who is part of the organizations that will be responsible for collecting, handling, storing, and sharing the electronic health information of patients must meet the minimum compliance standards.

The physical safeguards include arranging healthcare workers' workstations so that screens showing confidential information are not visible to unauthorized personnel. The technical safeguards involve making sure that a firewall is installed on your network and that your IT infrastructure meets NIST-standard encryption. For administrative safeguards, all employees tasked with handling electronic health information must undergo regular compliance training.

HIPAA Breach Notification Rule


HIPAA recognizes that even when healthcare organizations invest in security and privacy measures, a breach can still happen. This rule outlines the administrative actions that a healthcare organization affected by such a breach must take.

First off, the Department of Health and Human Services must be notified about the data breach, regardless of the nature and size of the attack. You should also notify each person whose personal information is affected by the data breach. The notification must be issued within 60 days of the discovery of the attack. The media is included in the list of parties to be notified. Notification of the privacy violation is required; otherwise you could be issued fines by the Office for Civil Rights.

A large-scale data breach is defined as an attack that affects over 500 patients.

There are other rules that have been added to HIPAA: the Enforcement Rule and the Omnibus Rule. However, you must ensure compliance with the three rules of HIPAA discussed above, since they apply to most covered entities and healthcare organizations.

If your organization is covered by HIPAA law, you must regularly undergo risk analysis to ensure compliance. The risk analysis report will provide you with in-depth insight into your existing policies and identify areas for improvement. Ensure that your staff is well trained on the requirements of the three rules of HIPAA so that they can implement and practice them.

The unauthorized disclosure of medical information is a serious violation. You could get in serious trouble for violating this law, especially since your patients entrusted their information to you. Invest in regular training and continuous education for your employees so they can enforce these rules.