Learn about the three main HIPAA rules that covered entities and business associates must follow.

As part of the HIPAA regulations, there are three main standards that apply to Covered Entities and Business Associates: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Each incorporates numerous specifications that organizations must appropriately implement. All three require ongoing, active effort as well as thorough documentation. Covered Entities and Business Associates must not only become HIPAA compliant, but remain compliant by continually reviewing and updating organizational practices, structures, policies and procedures.


The Privacy Rule

The Privacy Rule is a set of national standards intended to define appropriate and inappropriate uses and disclosures of protected health information (PHI), inform individuals of their privacy rights, and ultimately, protect health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule as an implementation guideline for Covered Entities to follow so they can adequately meet the HIPAA requirements.

According to HHS, “A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being [sic].”


The Security Rule

The Security Rule is another set of national standards that protects electronic Protected Health Information (ePHI) by requiring entities to take appropriate steps to safeguard the ePHI that their organization creates, receives, uses or maintains. The Security Rule requires Covered Entities to assess their methods for protecting ePHI and to apply specific safeguards to ensure the confidentiality, integrity and security of ePHI. Covered Entities must apply administrative, physical and technical safeguards.

As new technologies continue to emerge, it is important for Covered Entities to implement technical safeguards, carefully monitor how their organization's technologies are used, and instruct their workforce members accordingly. While new technologies make ePHI easier to access for treatment and other authorized purposes, they also increase the risk of security incidents and breaches.


The Breach Notification Rule

The Breach Notification Rule requires that Covered Entities and their Business Associates follow specific steps in the event of a breach of unsecured PHI. The rule's specific requirements include the actions to take when notifying the affected individual(s), the media and the HHS Secretary. In association with the HITECH Act, this rule incorporates many other specific regulations that must be followed when a breach of PHI has occurred, as well as information detailing the monetary penalties associated with non-compliance.


Join HIPAAgps today and learn more about how to implement the safeguards required in the three main HIPAA rules.