HIPAA Rules and Regulations

The compliance date of the HIPAA Privacy Rule was April 14, 2003 with a one-year extension for certain “small plans”. HIPAA Privacy Rules regulate the use and disclosure of Protected Health Information (PHI) held by covered entities which are defined as health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions.The Department of Health and Human Services,when implementing the Omnibus Rule,extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of a business associate. PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. There are 18 fields of ePHI that need to be considered that include such items as Name, Diagnosis, Social Security Number, etc. This is includes any part of an individual’s medical record or payment history. Under HIPAA regulations, covered Entities must disclose PHI to the individual within 30 days upon request. They also must disclose PHI when required to do so by law such as reporting suspected child abuse or when presented with a subpoena or when requested by law enforcement.
A covered entity may disclose PHI to facilitate treatment, payment, or health care operations (TPO) without a patient’s express written authorization. Any other disclosure of PHI requires the covered entity to obtain and store written authorization from the individual for the disclosure. When a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.
HIPAA Privacy and Security Rules require covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures. They must appoint a Privacy Official and a contact person responsible for receiving complaints and train all members of their workforce in procedures regarding PHI. An individual who believes that HIPAA Privacy and Security Rules are not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR), the reporting information but be available on the organizations Notice of Privacy Practices that is handed to the patient or visible in an obvious place like a doctors waiting room.


The Security Standards were issued on February 20, 2003 but went into effect on April 21, 2003 with a compliance date of April 21. The Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (ePHI). HIPAA Rules and Regulations lay out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications. The HIPAA Rules and Regulations standards and specifications are as follows:
  • Access to equipment containing health information should be carefully controlled and monitored.
  • Access to hardware and software must be limited to properly authorized individuals.
  • Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
  • Policies are required to address proper workstation use. Workstations should be removed from high traffic areas and monitor screens should not be in direct view of the public.
  • If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities.
  • Technical Safeguards – controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
  • Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized if deemed appropriate and possible. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
  • Data integrity must be maintained, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity.
  • Covered entities must also authenticate entities with which they communicate to include: password systems, two or three-way handshakes, telephone callback, and token systems.
  • Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.
  • In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network s.
  • Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act.