<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Search
Close icon
Search bar icon

What Are the Three Rules of HIPAA? Explained

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

Summary: While HIPAA rules benefit both patients and providers, failure to comply with these standards can result in significant penalties and negative outcomes for both parties. That’s why it is important to understand how HIPAA works and what key areas it covers. In this article, we’ll review the three primary parts of HIPAA regulation, why these rules matter, and how organizations can ensure compliance at every level.    

What is the Purpose of HIPAA Rules? 

The Health Insurance Portability and Accountability Act (HIPAA) was originally introduced in 1996 to protect health insurance coverage for employees that lost or changed jobs. Today, HIPAA also includes mandates and standards for the transmission and protection of sensitive patient health information by providers and relevant health care organizations. 

HIPAA regulates the privacy, security, and breaches of sensitive healthcare information. These regulations enable the healthcare industry to securely and efficiently store and share patient data, protect patient privacy, and secure protected health information (PHI) from unauthorized use and access.

HIPAA rules ensure that: 

  • PHI is only accessed by authorized parties.
  • Patients have access to copies of their personal records upon request.
  • Covered entities safeguard PHI through reasonable physical, administrative, and technical measures.
  • Covered entities promptly report and resolve any breach of security.  

So, what are three major things addressed in the HIPAA law?

HIPAA Rule 1: The Privacy Rule

The HIPAA Privacy Rule outlines standards to protect all individually identifiable health information handled by covered entities or their business associates. This protected health information (PHI) includes a wide range of sensitive data, such as social security numbers, credit card information, and medical history, including prescriptions, procedures, conditions, and diagnoses. 

PHI has long been a target for identity theft, so establishing strong privacy rules around its use, access, and security is critical for protecting patient data in an increasingly digital world.

The Privacy Rule addresses this risk by:

  • Giving patients more control over their health information, including the right to review and obtain copies of their records.
  • Setting boundaries on the use and release of health records. 
  • Requiring standard safeguards that covered entities must implement to protect PHI from unauthorized use or access. 

The Privacy Rule also includes limiting the release of PHI to the minimum required for disclosure (aka the Minimum Necessary Rule). In other words, under the Privacy Rule, information isn’t disclosed beyond what is reasonably necessary to protect patient privacy.

To ensure patient records and information are kept private, the Privacy Rule outlines:

What is a covered entity?

The organizations bound by HIPAA rules are called covered entities. 

Covered entities include any organization or third party that handles or manages protected patient data, for example:

  • Health plans, such as health insurance companies, HMOs, and government programs like Medicare and Medicaid.
  • Health care providers that conduct business electronically, such as most doctors, hospitals, clinics, nursing homes, and pharmacies.
  • Health care clearinghouses, which are entities that process or facilitate the processing of nonstandard data elements of health information into standard data elements.

Additionally, business associates of covered entities must comply with parts of HIPAA rules. 

Business associates are third-party organizations that need and have access to health information when working with a covered entity. Business associates can include contractors and subcontractors, companies that help doctors bill and process claims, lawyers and accountants, IT specialists, and companies that store or dispose of medical data.

When can covered entities use or disclose PHI?

A covered entity cannot use or disclose PHI unless permitted under the Privacy Rule or by written authorization from the subject of the information.

Covered entities must disclose PHI to the individual if they request access or to HHS for compliance investigations or enforcement.  

Permitted Uses and Disclosures 

Covered entities can use or disclose PHI without prior authorization from the patient for their own treatment, payment, and health care operations activities. They are always allowed to share PHI with the individual. The Privacy Rule also makes exceptions for disclosure in the interest of the public, such as in cases required by law, or for public health. 

HIPAA Rule 2: The Security Rule

The HIPAA Security Rule establishes standards for protecting the electronic PHI (ePHI) that a covered entity creates, uses, receives, or maintains. While the Privacy Rule governs the privacy and confidentiality of all PHI, including oral, paper, and electronic, the Security Rule focuses on guidelines specific to securing electronic data. 

A key goal of the Security Rule is to protect individuals’ private health information while still allowing covered entities to innovate and adopt new technologies that improve the quality and efficiency of patient care.

The Security Rule considers flexibility, scalability, and technological neutrality. This means there are no specific requirements for the types of technology covered entities must use. Instead, covered entities can use any security measures that allow them to implement the standards appropriately. It is up to the covered entity to decide which security measures and technologies are best for its organization.

Under the Security Rule, covered entities must: 

  • Ensure the confidentiality, integrity, and availability of the ePHI they receive, maintain, create or transmit.
  • Identify and protect against threats to the security or integrity of the information.
  • Reasonably protect against impermissible uses or disclosures.
  • Ensure compliance by their workforce.

The Security Rule covers three main areas of security: administrative, physical, and technical. 

Administrative safeguards

Administrative safeguards are administrative actions, policies, and procedures that develop and manage security measures that protect ePHI.

Administrative safeguards make up more than half of the Security Rule regulations and lay the foundation for compliance. 

Covered entities must implement the following administrative safeguards:  

  • Conduct thorough security management and risk analysis.
  • Assign a privacy officer.
  • Manage workforce security.
  • Manage information access.
  • Conduct HIPAA security training.
  • Establish security incident procedures.
  • Develop contingency plans.
  • Obtain proper contract agreements with business associates.
  • Evaluate security safeguards regularly.

Physical safeguards

HIPAA physical safeguards are any physical measures, policies, and procedures used to protect a covered entity’s electronic information systems from damage or unauthorized intrusion—including the protection of buildings and equipment.

In other words, HIPAA rules require covered entities to consider and apply safeguards to protect physical access to ePHI. 

HIPAA physical safeguard requirements include: 

  • Facility access controls. Ensure that only authorized users can access your facilities by implementing contingency operations, facility security plans, access control and validation procedures, and maintenance records. This might include controlling building access through photo ID cards and locking offices or storage files with ePHI.   
  • Workstation use and security. Implement policies and procedures to standardize functions that are performed and the physical setup to protect ePHI. This includes setting parameters on access and storage for ePHI on mobile devices, properly arranging the physical workspace (e.g., can unauthorized people see information on the screen?), and limiting what information is stored on station devices.
  • Devices and media controls. Establish policies for receiving and handling devices with ePHI stored on them and moving these items within the facility. This includes procedures for proper disposal of data, as well as backup and storage policies.

Technical safeguards

Under the Security Rule, technical safeguards apply to the technology itself, as well as the policies and procedures that govern its use, protect its electronic protected health information, and control access to it. 

Technical safeguards include:

  • Access control. Grant access only to those with permission.  
  • Audit controls. Implement a system to monitor, record, and review all activity.  
  • Integrity. Ensure ePHI has not been altered or destroyed improperly. 
  • Person or entity authentication. Confirm user identity before granting access. 
  • Transmission security. Protect access to ePHI through encryption. 

Together, these safeguards help covered entities provide comprehensive, standardized security for all ePHI they handle. 

HIPAA Rule 3: The Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification of a breach involving unsecured PHI. A breach is any impermissible use or disclosure of PHI under the Privacy and Security Rules. 

If a potential breach occurs, the organization must conduct a risk assessment to determine the scope and impact of the incident—and confirm whether it falls under the notification requirement. 

The risk assessment should be based on the following factors

  • The nature and extent of the PHI involved
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually obtained or viewed
  • The extent to which the risk to the PHI has been mitigated

A covered entity is required to make a notification unless it can demonstrate a low probability that PHI was compromised. Breach notifications include individual notice, media notice, and notice to the secretary.

Individual notice

Following a breach, the organization must notify all impacted individuals. The notice must include a description of the breach and the types of information involved, what steps individuals should take to protect themselves from potential harm, and what the covered entity is doing to investigate and address the breach.

Media notice

Covered entities must also notify the media—typically through a press release to local or regional outlets—if the breach affects 500 or more residents of a state or jurisdiction. The notice must include the same information as the notice to individuals and must be issued promptly, no later than 60 days following the discovery of the breach.

Notice to the Secretary 

Covered entities are required to notify the Secretary of Health and Human Services whenever a breach occurs. If the breach affects fewer than 500 individuals, the covered entity must notify the Secretary within 60 days of the end of the calendar year in which the breach was discovered. 

If the breach affects 500 or more individuals, the covered entity must notify the Secretary within 60 days from the discovery of the breach. 

StrongDM Makes Following HIPAA Rules Easy 

The three Rules of HIPAA represent a cornerstone regulation that protects the healthcare industry—and consumers—from fraud, identity theft, and violation of privacy. 

Through privacy, security, and notification standards, HIPAA regulations:

  • Improve standardization and efficiency across the industry. 
  • Strengthen data security among covered entities. 
  • Deliver better access control across networks.
  • Provide greater transparency and accountability to patients. 

Failure to comply with HIPAA regulations can lead to costly penalties and even criminal liability. That’s why it’s important to rely on comprehensive solutions like StrongDM to ensure end-to-end compliance across your network. 

StrongDM enables automated evidence collection for HIPAA, SOC 2, SOX, and ISO 27001 audits so you can ensure compliance at every level.

Easily configure your Kubernetes, databases, and other technical infrastructure with granular, least-privileged access based on roles, attributes, or just-in-time approvals for resources. Then capture and record all sessions across your entire stack—so you have full visibility into your risk landscape and can implement compliancestandards every step of the way.

Want to simplify your HIPAA Compliance? Try a 14-day free trial of StrongDM today.


About the Author

, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he lead an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Incident Response Plan: Your 7-Step Process
Incident Response Plan: Your 7-Step Process
If organizations hope to minimize their exposure to attacks and mitigate any damage done by a threat, they must have a comprehensive incident response plan. An effective plan will detect, contain, and enable rapid recovery from security breaches, preserving your business continuity and operability. We've outlined seven incident response steps for you to follow so you can be prepared for a threat.
HIPAA Omnibus Rule: Everything You Need to Know
HIPAA Omnibus Rule: Everything You Need to Know
The HIPAA Omnibus Rule strengthens privacy and security protections for patient health information, extends liability to business associates, and increases penalties for non-compliance.
What Is Continuous Compliance? Examples & How To Achieve It
What Is Continuous Compliance? Examples & How To Achieve It
Continuous compliance is the ongoing process of ensuring that an organization consistently adheres to regulatory standards and internal policies for its systems, applications, employees, partners, and engagement with stakeholders. It involves continuous monitoring, auditing, and real-time updates of both technology and human behavior to maintain compliance with government and industry standards frameworks.
Cybersecurity Audit: The Ultimate Guide
Cybersecurity Audit: The Ultimate Guide for 2024
A cybersecurity audit is a comprehensive assessment of your organization's information systems, networks, and processes that identify vulnerabilities and weaknesses that cybercriminals could exploit. The audit also evaluates the effectiveness of your security controls, policies, and procedures and determines if they align with industry best practices and compliance standards.
How StrongDM Simplifies NIS2 Compliance for EU Organizations
How StrongDM Simplifies NIS2 Compliance for EU Organizations
The NIS2 Directive establishes comprehensive cybersecurity legislation across the European Union. Building upon its predecessor, the Network and Information Security (NIS) Directive, the goal of NIS2 is to standardize cybersecurity practices among EU Member States. Much like the General Data Protection Regulation (GDPR), NIS2 seeks to unify strategies and actions throughout the EU to fortify digital infrastructure against the escalating threat of cyberattacks.