The key provisions of HIPAA establish national standards for the privacy and security of protected health information, define when and how protected health information may be used and disclosed, require safeguards for electronic protected health information, mandate breach notification when unsecured protected health information is compromised, and authorize enforcement through investigations, corrective action, and civil money penalties. HIPAA also sets baseline requirements for administrative simplification, including standardized electronic transactions and code sets and unique health identifiers implemented through regulation.
The HIPAA Privacy Rule governs uses and disclosures of protected health information by HIPAA covered entities and establishes individual rights that include access to records, amendment requests, an accounting of disclosures in applicable circumstances, and the right to receive a Notice of Privacy Practices. The Privacy Rule also requires reasonable safeguards to limit incidental disclosures and requires that workforce members be trained on the privacy policies and procedures that apply to their functions. The HIPAA Minimum Necessary Rule restricts uses, disclosures, and requests for protected health information to the minimum necessary to accomplish the intended purpose when the rule applies.
The HIPAA Security Rule applies to electronic protected health information and requires administrative, physical, and technical safeguards to protect its confidentiality, integrity, and availability. Requirements include risk analysis and risk management, workforce security and access authorization, audit controls, person or entity authentication, integrity controls, and transmission security, along with policies and procedures and documentation retention. The Security Rule's implementation specifications are designated as either required or addressable, and the framework requires documented decisions and implementation actions consistent with an organization's environment and risks.
The HIPAA Breach Notification Rule requires notification to affected individuals, the Department of Health and Human Services, and in certain cases the media, following a breach of unsecured protected health information, with timeframes and content requirements specified by regulation. HIPAA also establishes rules for business associate relationships, requiring contracts that obligate business associates to safeguard protected health information and to report breaches and security incidents as specified. Enforcement is conducted by the HHS Office for Civil Rights through complaint investigations and compliance reviews, with outcomes that can include corrective action plans, monitoring, and civil money penalties scaled to the nature of the violation and the level of culpability.