What are the HIPAA Rules?
The US Congress passed HIPAA legislation in the mid-1990s, with two goals in mind: to improve the portability of health insurance when people changed jobs and to reduce healthcare fraud and waste. Since then, the Department of Health and Human Services (HHS) has added a series of HIPAA rules that require healthcare organizations — and their business associates — to protect patient privacy and secure patient data.
The Privacy Rule sets national standards for the protection of “individually identifiable health information” — which includes information about a patient’s mental or physical health, medical treatments, or payment history. Healthcare organizations and providers are required to protect this information “in any form or media, whether electronic, paper, or oral” whenever it can be linked to a patient through an identifier such as name, phone number, birth date, Social Security Number, or any other personal identifier; health information combined with such an identifier is PHI.
Simply put, any medical information that can be tied to a specific patient is protected by HIPAA.
The HIPAA Privacy Rule outlines how healthcare providers can use patient data, what they can disclose without the patient’s permission, and to whom. The rule also guarantees patients the “Right to Access” most of their personal health information and obtain copies of their medical records. Healthcare providers are required to develop and implement written privacy policies for their organizations, to notify patients (in writing) about these policies, and to provide annual HIPAA training for staff.
HIPAA Security Rule
The HIPAA Privacy Rule requires organizations to secure PHI. The Security Rule tells them how to do it. More specifically, the Security Rule sets national standards for the protection of electronic protected health information (ePHI) — including how that data must be handled, maintained, and transmitted.
This rule requires healthcare organizations to have three types of safeguards in place for ePHI: administrative, physical, and technical safeguards. (More on all three below.)
HIPAA Omnibus Rule
HHS enacted the final Omnibus Rule in 2013 to address policy gaps in earlier HIPAA rules. Most notably, the Omnibus Rule defines the role of business associates, which were not previously subject to HIPAA rules, and outlines the criteria for Business Associate Agreements (BAAs).
The Omnibus Rule also introduced new provisions required by the Health Information Technology for Economic and Clinical Health (HITECH) Act — part of the American Recovery and Reinvestment Act of 2009. The HITECH Act incentivized the adoption of electronic health records (EHRs) in the U.S., strengthened HIPAA security and privacy protections, and increased the legal and financial liability of non-compliant organizations.