
What are the HIPAA rules?

Terri Phillips   |   Jan 07, 2022


The Health Insurance Portability and Accountability Act (HIPAA) was introduced as a federal law in 1996 with the main goal of protecting patient health information at a time when paper was transitioning to an electronic format.

These regulations provide guidance for the appropriate uses and disclosures of protected health information (PHI). Healthcare providers that transmit information—along with workers acting on behalf of covered entities—must comply. Along with properly protecting patient information, HIPAA benefits the healthcare industry by ensuring efficient sharing of information needed to provide high quality health care.

Having a national standard for recording and exchanging information between healthcare providers and other appropriate parties acts as a safeguard to protect sensitive personal information.

What are the HIPAA rules? This article covers the three main rules that shape compliance: the privacy rule, the security rule, and the breach notification rule. Between them they address administrative, physical, and technical safeguards.

What are the three rules of HIPAA?


Privacy rule

The HIPAA privacy rule sets a national standard for ensuring the confidentiality and integrity of a patient’s information. Its main goal is to balance keeping patient information secure with the flexibility of permitted uses needed to deliver top quality care. The rule also defines which covered entities must follow HIPAA privacy regulations and sets out patients’ rights over their personal healthcare information. The Department of Health and Human Services enforces HIPAA rules, and all employees must be trained on these policies and procedures annually.


The security rule

The HIPAA security rule states that covered entities must analyze and implement effective security measures to safeguard patient data. The rule does not prescribe exact measures that must be taken, but it outlines certain considerations, for example:

  • The use of adequate technical hardware and software
  • The likelihood of a security breach
  • Continual review of procedures

Alongside these recommendations, the security rule also requires the implementation of safeguards that cover administrative, physical, and technical aspects of security.


The breach notification rule

The HIPAA breach notification rule requires covered entities to notify patients if their protected health information (PHI) has been breached. If data has been compromised, covered entities should use a 4-factor test to assess whether the risk is low or greater than low.

The four parts of the test are:

  • The type of PHI involved and to what extent
  • The identity of the unauthorized parties who used the PHI or to whom it was disclosed
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk has been mitigated

If there has been an obvious compromise, covered entities are under no obligation to carry out the 4-factor test and can notify patients immediately. In any case, covered entities have up to 60 days to notify those affected.

HIPAA rules—security safeguards

Offering your patients a HIPAA-compliant service through video, chat, and by phone maintains a crucial level of trust. Here at WELLReceived, we’re proud to be HIPAA compliant, and our virtual medical receptionists are trained to take every message in accordance with HIPAA standards. They complete multiple training courses in call-handling practices.

If you would like to know more about HIPAA and WELLReceived services you can contact us 24/7/365.
