HIPAA Explained – What This Important Regulation Means for Healthcare Organizations and Patients

The Health Insurance Portability and Accountability Act of 1996 – or HIPAA, as most of us know it – is legislation designed to protect patients. It does so by protecting patients’ sensitive personal information: data whose storage and transmission is vital to providing care, but which, without protections, could be misused, compromised, or stolen by third parties or bad actors. That personal data is known in the healthcare industry and under HIPAA as “personal health information,” or PHI for short. Stored electronically, it becomes ePHI. Some of the information that falls under PHI includes:

  • Names
  • Phone numbers
  • Email addresses
  • Medical record numbers
  • Social security details
  • Health insurance beneficiary numbers
  • IP addresses
  • Geographical identifiers

In total, there are 18 categories of data that make up personal health information under HIPAA, and the act safeguards that data through a set of mandatory rules that anyone handling PHI or ePHI must comply with.


What are the HIPAA Rules?

Each HIPAA rule is designed to protect patients in a certain area. There are five primary rules covering privacy, security, breach notifications, rule changes, and enforcement. Failure to abide by any of the rules represents a failure to comply with the act as a whole, so it’s important to understand each.

The HIPAA Privacy Rule:

The Privacy Rule essentially dictates when and how patient health information can be used or disclosed. That’s important since PHI is extremely valuable. In addition to covering when patient health information can be used without specific prior permission, the rule also ensures that patients have access to and control over their own PHI.

The HIPAA Security Rule:

The Security Rule covers the minimum security protocols that must be in place to safeguard electronic patient health information. That includes both system and software controls, like encryption standards, and physical controls, like screen visibility or server protection. Any person who can access, edit, create, or transfer ePHI is bound by the Security Rule, and ePHI security is one of the most pressing issues under HIPAA considering the threats that exist to web-connected systems.

The HIPAA Breach Notification Rule:

The Breach Notification Rule outlines what actions must be taken in the event of a breach of HIPAA’s protocols. Specifically, it requires the Department of Health and Human Services to be notified of any breach within 60 days of its discovery for breaches involving 500 patients or more, or within 60 days of the end of the calendar year for breaches covering fewer than 500 patients. Patients must also be notified within 60 days of breach discovery, and for larger breaches, a media advisory must be issued in the area affected.

The HIPAA Omnibus Rule:

The HIPAA Omnibus Rule was a 2013 addition to the act that covered changes introduced in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Changes include bringing third-party business associates under HIPAA, outlawing the use of PHI for marketing purposes without prior patient permission, changes to breach penalties, and more.

The HIPAA Enforcement Rule:

The Enforcement Rule covers the consequences of a breach and how investigations into the breach are conducted to ensure that the proper punitive and corrective actions are taken. The rule includes areas like how to determine the level of negligence involved in a breach, and what fines – reaching a maximum of $1.5 million – should be levied as a result.

Staying compliant with these rules must be a top priority for all healthcare organizations, and the same goes for third-party partners providing support in care and record management. At MedicalCRM, we take HIPAA incredibly seriously. From the HIPAA-compliant chat platform built into our CRM, to our use of Amazon’s most secure, HIPAA-ready AWS solution for record and document storage, our aim is to make sure the clinics that utilize our advanced customer resource management tool never have to worry about the safety, security, or privacy of their patients’ sensitive ePHI.

For more information on MedicalCRM’s HIPAA compliance, or the amazing suite of productivity and patient management tools the platform provides, visit MedicalCRM.com and sign up for a free demonstration or reach out to one of our expert support staff today.