The HIPAA Privacy Rule sets the national standard for protecting an individual’s medical record and other personal health-related information. This Rule applies to HIPAA-covered entities, which includes health plans, healthcare clearinghouses, and those healthcare providers that conduct standard electronic healthcare transactions.

The Privacy Rule requires organizations to implement appropriate safeguards for protecting the privacy of Protected Health Information (PHI) and limit the use and disclosure of information that may be used without a patient’s consent. In short, it explains how healthcare professionals, lawyers, or anyone who has access to PHI, can or cannot use the data. Furthermore, the Rule allows patients to access their medical records, make copies, and corrections upon request.

For example, if a patient wants to share their information with someone else, the law requires a HIPAA PHI release form to be signed for the physician’s office to share the information. These are the kinds of scenarios that the HIPAA Privacy Rule covers.

HIPAA Compliance Management Application

Reduce Administrative Burden

See all the information in a centralized space

Keep your team updated with regular information

Contact Us

The HIPAA Security Rule requirements ensure that both CEs and BAs protect patients’ electronically stored, protected health information (ePHI) through appropriate physical, technical, and administrative safeguards to fortify the confidentiality, integrity, and availability of ePHI.

The HIPAA Security Rule requirements are an extension to the protections contained in the Privacy Rule, which address technical and non-technical safeguards that every CEs must implement to secure ePHI.

The HIPAA Security Rule requirements fulfill the purpose of protecting electronically-stored health information while allowing CEs to adapt to new technologies to improve efficiency and quality of patient care. The Security Rule was designed to be flexible and scalable so that CEs can implement policies, procedures, and technologies that are appropriate according to their size, structure, and daily operations.

The requirements of the HIPAA Security Rule that CEs or BAs must address is broken down into three categories, which are:

  • Technical safeguards to protect electronic data such as data encryption. This includes Access control, Audit control, Integrity, Person or Entity Authentication, and Transmission Security.
  • Administrative safeguards where policies and procedures on PHI protection are explained. This includes the Security Management Process, Assessing Security Authority, Security and Awareness Training, Security Incident Procedures, Information Access Management, Contingency Plan, Evaluation, and Business Associate Agreements.
  • Physical safeguards that involve actual physical structures such as controlling facility access or staff. This includes implementing surveillance, alarm systems, etc.

To learn how to simplify HIPAA compliance, check out our robust cloud software application, HIPAA Ready.


The HIPAA Privacy Rule Checklist 2020

HIPAA Security Rule Requirements – Why are they important?