HIPAA Basics for Healthcare Providers: Broad Rules for Compliance

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is one of the most
important healthcare laws in effect. For patients, HIPAA protects the privacy and security of private
health information. For healthcare providers, understanding basic HIPAA requirements is essential for
complying with federal law and promoting patient trust.

HIPAA regulations apply to “covered entities” and “business associates.” Covered entities
include health plans, healthcare clearinghouses, and healthcare providers who transmit health information
electronically. Business associates are those who create, receive, maintain, or transmit PHI on behalf of a
covered entity. Broadly, HIPAA prevents unauthorized disclosure of protected health information
(“PHI”). PHI refers to information that can be used to identify an individual and that was created, used, or
disclosed in the course of providing healthcare services. Within HIPAA, there are three broad rules that
healthcare providers and business associates should be familiar with: the Privacy Rule, the Security Rule,
and the Breach Notification Rule.

First, the Privacy Rule gives patients rights over their PHI (such as the right to examine and
request corrections to their medical records), and restricts the use and disclosure of PHI without patient
authorization. The Privacy Rule protects PHI that is held or transmitted on paper, verbally, or
electronically.

To comply with HIPAA’s Privacy Rule, covered entities should:

● Develop policies and procedures for using and disclosing PHI in compliance with HIPAA and for
preventing HIPAA violations;
● Develop policies and procedures for managing patient access or correction requests and obtaining
patient authorization;
● Develop a cohesive and effective privacy policy, and provide appropriate training in these
policies to all employees; and
● Designate specific employees in charge of evaluating HIPAA privacy compliance.

Second, the Security Rule requires administrative, technical, and physical safeguards for effective
security management of electronic PHI. To comply with HIPAA’s Security Rule, covered entities should:

● Identify potential threats to PHI security and develop reasonable and appropriate security
policies;
● Ensure the confidentiality, integrity, and availability of all PHI created, received,
maintained, or transmitted;
● Ensure employee compliance with security policies; and
● Review and modify security measures to adapt to changes in PHI security risks.

Finally, covered entities must follow HIPAA’s Breach Notification Rule. Under this rule, covered
entities should notify affected individuals, the Department of Health and Human Services, and, if
appropriate, media outlets serving the affected area whenever a breach occurs. This notice must be
delivered no later than 60 days following the discovery of the breach, and should include a brief
description of the breach, the PHI involved, and the steps taken following the breach to mitigate harm.
A business associate involved in a breach of PHI must provide notice to the covered entity no later than
60 days following the discovery of the breach.

Understanding HIPAA is essential for healthcare providers and business associates, not only to
remain compliant but also to protect patient trust. If you have questions about how HIPAA applies to your
practice or business, contact one of our attorneys at McNeelyLaw LLP.

This McNeelyLaw LLP publication should not be construed as legal advice or legal opinion of
any specific facts or circumstances. The contents are intended for general informational purposes only,
and you are urged to consult your own lawyer on any specific legal questions you may have concerning
your situation.