The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ individually identifiable health information, which the rule defines as “protected health information” (PHI) and which includes medical records. The rule’s Safe Harbor de-identification standard lists eighteen (18) identifiers (for example names, dates other than year, and Social Security numbers) that must be removed before health information is treated as de-identified and falls outside the rule. The Privacy Rule applies to:

1. health plans, 

2. healthcare clearinghouses, 

3. healthcare providers that conduct certain healthcare transactions electronically. 

The Privacy Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures of such information that may be made without an individual’s authorization. The Privacy Rule also gives individuals the right to:

1. examine and obtain a copy of their health records, 

2. direct a HIPAA covered entity to transmit their PHI to a third party, 

3. request corrections (amendments) to their records.

The Privacy Rule is codified in the Code of Federal Regulations at 45 CFR Part 160 and Subparts A and E of Part 164.

The HIPAA Security Rule

The HIPAA Security Rule is a set of national standards to protect individuals’ electronic protected health information that is:

  1. created, 
  2. received, 
  3. used, or 
  4. maintained 

by a HIPAA-covered entity or its business associates.

The Security Rule requires three categories of safeguards:

1. Administrative safeguards,

2. Physical safeguards,

3. Technical safeguards.

The safeguards are designed to ensure the confidentiality, integrity, and availability of electronic protected health information (“ePHI”).

A HIPAA covered entity or hybrid entity must regularly review and update its policies and procedures regarding these safeguards, and must conduct and maintain a risk analysis of the threats to its ePHI. If there is a breach, the covered entity must assess the incident (including the risk assessment the Breach Notification Rule requires to determine whether individuals must be notified), and that assessment may drive edits or updates to the policies and procedures to remediate the weaknesses in the safeguards that allowed the breach.

The Security Rule is codified in the Code of Federal Regulations at 45 CFR Part 160 and Subparts A and C of Part 164.

Related topics:

HIPAA Expert Witness