HIPAA compliance for cloud development in health IT rests on several distinct HIPAA rules. All of them have been issued in the 20+ years since the HIPAA Act was signed by President Bill Clinton in 1996.
Below are the HIPAA rules you should familiarize yourself with:
1. HIPAA Privacy Rule
This rule sets national standards for patients’ rights over their protected health information (PHI). It applies only to covered entities, such as insurance companies and hospitals, and not to business associates. The Privacy Rule also drafts several standards: patients have the right to access their PHI, healthcare providers such as physicians have the right to deny access to PHI, and the contents of Use and Disclosure HIPAA release forms and Notices of Privacy Practices are specified, among others. All of the applicable regulatory standards must be recorded in the organization’s HIPAA Policies and Procedures, and staff must be trained on those policies and procedures with documented attestation.
2. HIPAA Security Rule
The HIPAA Security Rule sets national regulations for the secure maintenance, transmission, and handling of electronic PHI (ePHI). Unlike the Privacy Rule, the Security Rule applies to both covered entities and business associates, because the potential for sharing ePHI is high. It also mandates standards for the integrity and security of ePHI, including physical, regulatory, and technical safeguards for any healthcare enterprise. All of the regulation’s specifics must be documented in the enterprise’s HIPAA Policies and Procedures, and staff must be trained on those policies and procedures with documented attestation.
3. HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule consists of a set of requirements that covered entities and business associates must follow when a breach involving PHI or ePHI occurs. It distinguishes two kinds of breaches by scope and size, called Minor Breaches and Meaningful Breaches. Companies are required to report all breaches, regardless of size, to HHS OCR; however, the reporting requirements differ by breach type. The standards of the Breach Notification Rule are described in later sections.
4. HIPAA Omnibus Rule
The HIPAA Omnibus Rule is an addendum to HIPAA regulation that was passed to extend HIPAA to both covered entities and business associates. It requires business associates to be HIPAA compliant and lays out the rules governing Business Associate Agreements (BAAs). A BAA is a contract that must be executed between a covered entity and a business associate, or between two business associates, before PHI or ePHI can be shared.
What is needed to be HIPAA Compliant?
HIPAA regulation outlines a set of national requirements that all business associates and covered entities must follow.
- Self-audits — Both Covered Entities and Business Associates must perform annual audits of their enterprises to assess Administrative, Technical, and Dynamic gaps in compliance with the HIPAA Privacy and Security standards. Under HIPAA, a basic or routine Security Risk Assessment alone does not suffice for compliance. This is the only significant annual audit that Covered Entities and Business Associates must perform to maintain their compliance year over year.
- Remediation Plans — Once Covered Entities and Business Associates have identified compliance gaps through self-audits, they must execute remediation plans to correct those violations. These plans must be properly documented and include target dates by which each gap will be remedied.
- Employee Training, Procedures, & Policies — Both Covered Entities and Business Associates must develop policies and procedures that reflect the rules set out in the HIPAA Standards. These policies and procedures must be updated regularly as the enterprise changes. Employees must be trained on them annually, with documented attestation that they have read and understood all of the enterprise’s policies and procedures.
- Documentation — Enterprises must keep written records of all efforts they take to become HIPAA compliant. This documentation is vital during an HHS OCR HIPAA investigation and for passing stringent HIPAA audits.
- Business Associate Management — Covered Entities and Business Associates must likewise document every supplier with whom they share protected health information (PHI) and execute Business Associate Agreements (BAAs) to ensure that PHI is handled securely and to limit liability. BAAs must be reviewed annually to account for changes in the enterprise’s supplier relationships, and a BAA must be in place before any PHI is transferred or shared.
- Incident Management — If a Covered Entity or Business Associate suffers a data breach, it must have a process in place to document all details of the breach and to notify the affected patients that their confidential data has been compromised, in accordance with the HIPAA Breach Notification Rule.