The Health Insurance Portability and Accountability Act (HIPAA) is one of the most well-known pieces of legislation in health care and related industries. But what exactly does it say, and more importantly, what does it say about data protections and use cases for patients’ protected health information (PHI)?
Let’s dissect the core purpose behind the monumental health data act and some of the key factors related to data regulations and compliance.
HIPAA originated in 1996 to address a combination of patient convenience and health insurance-related efficiencies. The first idea behind the act was to hold health insurers accountable for the portability of patients’ health insurance when they transition to a new workplace. A secondary goal behind the act was to make the transference and storage of medical data more efficient and secure, eliminating much of the need for paper medical records that are more susceptible to fraud and waste.
The act focuses on protecting the privacy and security of protected health information, preventing covered organizations from using or disclosing patient data in unauthorized exchanges or procedures. Some common types of PHI covered by HIPAA include information about health status or current conditions, health treatments, and any method of payment used for health care.
HIPAA requirements apply to two core groups that work with patient data: covered entities and business associates.
HIPAA enforces many policies and procedures regarding patient data privacy and security on its own. But several rules promulgated pursuant to the act have developed to increase protections over the years, with the Privacy Rule and Security Rule being the most prominent. Other rules have detailed what needs to happen if a data breach occurs.
The Privacy Rule was first published on December 28, 2000, and modifications were added and finalized by August 14, 2002. HIPAA covered entities were required to comply with the Privacy Rule no later than April 14, 2003.
This regulation constitutes a wide-ranging definition of the responsibilities that covered entities and business associates have to protect the privacy of patient data. Some of the core areas of focus within the Privacy Rule include appropriate uses and disclosures, patients’ individual rights, and administrative requirements for privacy protection.
The uses and disclosures portion of the Privacy Rule delineates how covered entities are allowed to use and disclose patient data. As a general rule, patient data cannot be disclosed unless it is directed to or authorized by the patient or meets one of the following conditions: it pertains to treatment, payment, or operations within a health care entity; it is a limited and privatized data set used for research; or the Office for Civil Rights in the Department of Health and Human Services (HHS OCR) steps in and requests the data in an audit or investigation. The HHS website provides extensive details about other use and disclosure possibilities. A best practice is to only use or disclose the minimum necessary data.
It’s important to note that uses and disclosures, as well as all other HIPAA regulations, only pertain to covered entities and business associates. No other businesses are held to HIPAA or related protection standards in the ways that they use consumer data.
Attorney Iliana Peters, CISSP — a shareholder at the law firm Polsinelli and former acting deputy for HIPAA and senior advisor for enforcement at HHS OCR — further illustrated how people are misunderstanding the uses and disclosures clause of the Privacy Rule in the wake of COVID-19 vaccinations:
“A common misconception right now is related to whether or not businesses are violating HIPAA when they ask customers for proof of vaccination,” Peters said. “The short answer here is no. There is no rule against asking people about their health information.”
“And outside of covered entities and business associates, all other businesses, like grocery stores and restaurants, are not covered by HIPAA rules and regulations. Only covered entities and business associates are covered by HIPAA and required to protect PHI, and that’s less focused on asking for patient information and more focused on how these organizations use and disclose patient data.”
The Privacy Rule highlights a patient’s right to know how their data can be used as well as the right to access and request adjustments to their filed personal data. Covered entities are required to share a privacy practices notice with all patients, clearly detailing how their PHI can be used by the organization and how patients should respond if they feel their privacy is violated. Once a patient begins working with a covered entity, they can exercise their rights to access, amend, restrict, and request an account of disclosures on their personal data.
The HIPAA Privacy Rule provides several expectations for administrative protections on patient data. Some of the most prominent administrative requirements include:
Perhaps the most significant regulation related to electronic personal data arrived when the Security Rule was enacted on February 20, 2003, requiring organizations to be compliant by April 20, 2006.
The Security Rule focuses on what covered entities and business associates must do to protect and secure the integrity, confidentiality, and availability of electronic PHI (e-PHI). The three main categories of the Security Rule focus on administrative controls, physical controls, and technical controls that need to be implemented to protect patient data in these settings.
In order to comply with the Security Rule, covered entities and business associates must establish several administrative controls for data security. Some of the administrative controls that help organizations comply with the Security Rule include:
Risk analysis is one of the most crucial and misinterpreted pieces of the Security Rule. When an organization misunderstands the risk analysis regulation, the time wasted, financial loss, and compliance risks can be severe.
Peters highlighted the incredible opportunity cost of getting risk analysis wrong:
“Risk analysis is an area of the Security Rule that a lot of businesses get wrong,” Peters said. “There’s some confusion about the term, with many businesses thinking that an audit or gap analysis is what’s needed. This is one of the most frustrating and costly mistakes for covered entities and for firms like ours that work with them.”
“They are often small businesses working with a smaller budget, but they spend $10,000, $20,000, even $50,000 to get a third-party consultant to conduct an audit or gap analysis related to their HIPAA compliance and policies. This is helpful information for the business to know, but it does not constitute the risk analysis that HIPAA requires them to do related to their data.”
Peters went on to compare a true risk analysis to what other business sectors call an enterprise risk assessment. When done correctly, a risk analysis involves locating and inventorying all relevant e-PHI, mapping out additional locations and users who might have access, explaining security restrictions in place, and analyzing any recent security incidents and other metrics of security efficacy. Risk analysis is an ongoing process that should inform a risk management plan and the steps to increase security safeguards in areas where they are lacking.
Part of the Security Rule is making sure that physical safeguards are in place to protect data. Some of the physical controls that HHS highlights include:
Technical compliance controls involve software and other security measures implemented on network technology that accesses e-PHI. Some of the most common technical controls that covered entities use for data security include anti-malware software, firewalls and next-generation firewalls (NGFWs), multi-factor authentication, and end-to-end encryption.
Whether two or 2,000 people are affected, a covered entity must notify the affected individuals when a breach involving their data has occurred at that organization or at one of its business associates. It must also inform HHS, and it will incur different penalties based on the severity of the breach and on whether fewer than 500 or 500 or more people were affected. If 500 or more people were affected, the covered entity is also required to notify the media. Criminal penalties, including hefty fines or jail time, are also possible depending on the severity of and intent behind a HIPAA breach.
It’s important to first recognize the distinct difference between a security incident and a breach. Security incidents are any events that violate a company’s security policies and procedures, whereas breaches are any security incidents that have escalated to compromise and expose PHI or e-PHI. Not all security incidents become breaches, so covered entities should complete incident risk assessments to determine if their organization needs to report a breach to HHS and patients.
Enforcement of HIPAA and the Privacy and Security rules is primarily handled at the federal government level by the Office for Civil Rights in the Department of Health and Human Services. The office sets the guidelines for HIPAA, makes any necessary adjustments or clarifications over time, and decides if an organization’s actions are compliant.
Peters emphasized that companies should stay away from any so-called “HIPAA-compliant” solutions that vendors or consultants offer, as no organization other than HHS can ensure a decision is HIPAA compliant.
Some of the main actions that OCR takes in relation to HIPAA include investigating HIPAA violation complaints, reviewing the compliance of covered entities via audits, and offering educational resources to assist organizations with their HIPAA compliance.
When a breach may incur criminal penalties or otherwise falls outside the department’s jurisdiction, OCR refers the potential criminal HIPAA violation to the Department of Justice (DOJ) for further investigation.
It’s important for all data professionals at covered entities or business associates, as defined by HIPAA, to understand the act’s regulations and compliance features.
There are consequences for patient privacy and health care entities when a HIPAA breach occurs. HIPAA does, however, provide benchmarks for establishing security parameters for consumer information, and HHS offers recommendations for data compliance.
Many of the protections involve adding the right data security safeguards and working with experts to address holes in HIPAA compliance. Law firms specializing in HIPAA regulations can help get policies, procedures, in-house training, and incident response in working order. There are also third-party vendors that assist with penetration and vulnerability testing to help identify potential HIPAA breach threats — before they become costly issues.