How Does HIPAA Protect Against Unauthorized Disclosures?

HIPAA protects against unauthorized disclosures by limiting when protected health information may be used or disclosed under the HIPAA Privacy Rule, requiring safeguards for electronic protected health information under the HIPAA Security Rule, requiring business associate agreements for vendors that handle protected health information, and requiring breach evaluation and notification under the HIPAA Breach Notification Rule when unsecured protected health information is impermissibly used or disclosed.

The HIPAA Privacy Rule permits uses and disclosures of protected health information for treatment, payment, and healthcare operations without an authorization, and permits or requires certain other disclosures under defined conditions, while treating all other uses and disclosures as impermissible unless a valid HIPAA authorization applies. The HIPAA Minimum Necessary Rule requires a Covered Entity to limit uses, disclosures, and requests for protected health information to the minimum necessary to accomplish the intended purpose, with exceptions for disclosures for treatment and certain other defined cases. Operational controls that support these limits include role-based access controls, verification procedures for the identity and authority of the requester, workforce training, sanctions for policy violations, and mitigation steps when an impermissible disclosure occurs.

The HIPAA Security Rule protects against unauthorized access and disclosure of electronic protected health information by requiring administrative safeguards, physical safeguards, and technical safeguards. Required program elements include a documented risk analysis, risk management actions, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, and evaluation. Technical controls include access controls, audit controls, integrity controls, person or entity authentication, and transmission security. Physical controls include facility access controls, workstation security, and device and media controls that manage removal, disposal, and reuse of electronic media.

HIPAA extends disclosure controls to vendors through business associate agreements that define permitted uses and disclosures, require safeguards, require reporting of breaches, and require flow-down of the same obligations to subcontractors that handle protected health information. When an impermissible use or disclosure involves unsecured protected health information, the HIPAA Breach Notification Rule requires a documented breach risk assessment and, when notification is required, timely notice to affected individuals and reporting to the U.S. Department of Health and Human Services, with an additional media notice requirement for breaches affecting 500 or more residents of a state or jurisdiction. Enforcement actions, corrective action plans, and civil money penalties may follow when organizations fail to maintain required controls or fail to meet breach response obligations.

About Christine Garcia

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA