HIPAA compliance can get confusing once you try to understand all the rules and regulations that surround it.  Staying on top of these regulations will help you stay out of trouble when protecting your clients’ information.

In this post, we will look at the Privacy Rule and the Security Rule, and then take a closer look at the Breach Notification Rule.

So let’s get started!

What is HIPAA, and Why is it Important?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law passed to ensure the protection of patients’ sensitive health information. Under HIPAA, both privacy rules and security rules must be followed.

HIPAA applies to health care clearinghouses, health plans, and those providers that conduct certain health care transactions electronically. 

Believe it or not, health data breaches are more common than you think.  It is essential for doctor’s offices to abide by HIPAA standards when dealing with patient information. HIPAA violations can cost thousands and even millions of dollars for offices that don’t stay up to date.

What Is Personal Health Information (PHI)?

Personal Health Information (PHI) is a term you will see pop up whenever you read about HIPAA compliance.  PHI is essentially all the personal information and data doctors collect from their patients in order to make a proper diagnosis and determine the appropriate care.

This data can include medical history from previous care, demographic data, lab results, insurance information, etc. Since PHI is so sensitive, HIPAA was put into place to protect this information and create a set of standards for doctors on how to handle this vital information on their patients.


The HIPAA Privacy Rule

Understanding HIPAA’s Privacy, Security and Breach Notification Rules

The Privacy Rule lets you pass information back and forth between offices and doctors to collaborate and coordinate a patient’s care while protecting all of their personal health information (PHI).

On top of this, there are several other rules listed below:

  •       You have the right to look at your medical records.
  •       You can correct them if needed.
  •       Health plans can’t use genetic information during the underwriting process.
  •       Patients can stop their health plan from gaining access to information about the treatments a patient has previously paid for in cash. 
  •       It allows you to report child neglect or abuse to the proper authorities.

The Privacy Rule Requirements

The Privacy Rule imposes specific requirements.  Firstly, you must notify patients about their privacy rights and about how their information is used. 

Secondly, the doctor’s office must adopt specific privacy procedures and then ensure each employee is trained on these procedures.

Thirdly, you should secure a patient’s records from anyone in the office who doesn’t need to see them.

Lastly, find someone who is an expert in this field so that you can double-check that you are correctly meeting HIPAA compliance requirements. 

Friends and Family

When it comes to friends and family, doctors can share information with anyone involved in the patient’s care unless the patient objects. 

Under the Privacy Rule, medical staff can also give information on primary conditions, give out the patient’s room number at a hospital, and share information about religious affiliation.

Security and Mobile Phone Devices

Another critical piece of the Privacy Rule is mobile phone security. Here are some quick rules to remember if you handle PHI on a mobile device:

  •   Install a firewall
  •   Use passwords
  •   Enable encryption
  •   Keep security software up to date
  •   Try to refrain from sending PHI over public wi-fi
  •   Don’t install file sharing apps
  •   Delete any PHI from the mobile device before reusing it or reassigning it to someone else
  •   Keep the mobile device with you at all times

You can view more information about the Security Rule on the HHS.gov website.

The HIPAA Security Rule


The Security Rule is the part of HIPAA that requires doctor’s offices to protect patients’ information both physically and technically.  Your office needs to develop an iron-clad system for protecting patients’ data. 

At the same time, you need to be able to analyze the risk that your office environment poses to your patients’ records.  This will depend on the business, its size, its resources, and how complex its day-to-day operations are.

The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.  

Here are a few specific things that need to be addressed:

  •   Keep all ePHI confidential when you receive, transmit, and maintain information.
  •   Know the digital security threats to the computers on which the data is stored.
  •   Make sure employees understand how to handle sensitive data.
  •   Make sure your hardware, firewalls, and IT network are adequately maintained.
  •   When developing your security protocols, understand your organization’s size, complexity, and capabilities.


Breach Notification


A breach is generally PHI that gets exposed, for whatever reason.  Any use of private information outside the rules is presumed to be a breach unless your office can prove otherwise.

If your organization should ever experience a HIPAA breach, specific rules need to be followed.   

There are three notification requirements you must follow:

  •       Individual Notice
  •       Media Notice
  •       Notice to the Secretary

Each of these has detailed information, so be sure to read about them on HIPAA Journal’s website.


Notification By a Business Associate

When a breach occurs at a business associate, the business associate must notify the right people immediately after discovering it. The business associate needs to identify the affected individuals and give all the relevant information to the covered entity.

Administrative Requirements and the Burden of Proof

Health organizations must follow specific administrative rules when it comes to breach notification.  These rules can range from having written policies to training procedures for employees.

Since the burden of proof falls on the breached organization, you will need to provide evidence that your office did everything possible and abided by all the rules to protect the data.  For more guidance, you can visit the HHS HIPAA Breach Notification Rules.


No matter which part of the health care field you work in, HIPAA compliance is not to be taken lightly.  A breach is a serious matter, and knowing how to prevent one in the first place is the key to it all.