What are the three rules of HIPAA?

Feb 8, 2023 | HIPAA News and Advice

HIPAA sets forth comprehensive regulations to safeguard the privacy and security of individuals’ protected health information (PHI). HIPAA’s regulatory framework encompasses several rules, but the three primary rules that govern the protection of PHI are the Privacy Rule, the Security Rule, and the Breach Notification Rule.

The Privacy Rule establishes national standards for protecting patients’ PHI held by covered entities, such as healthcare providers, health plans, and healthcare clearinghouses. This rule grants patients certain rights regarding their health information and delineates the responsibilities of covered entities in maintaining privacy. It mandates the implementation of administrative, physical, and technical safeguards to protect PHI, limits the use and disclosure of this information without patient authorization, and requires covered entities to provide individuals with notice of their privacy practices.

The Security Rule complements the Privacy Rule by setting standards for securing electronic PHI (ePHI) that covered entities create, receive, maintain, or transmit. It outlines specific safeguards that organizations must adopt to protect ePHI, including access controls, audit controls, integrity controls, and transmission security measures. The Security Rule requires covered entities to conduct regular risk assessments, implement appropriate security measures to mitigate identified risks, and train employees on security awareness to ensure the confidentiality, integrity, and availability of ePHI.

The Breach Notification Rule requires covered entities to notify affected individuals, the Secretary of the Department of Health and Human Services (HHS), and sometimes the media in the event of a breach of unsecured PHI. A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that poses a significant risk to the privacy or security of the information. The rule establishes specific criteria and timelines for breach notification, ensuring that individuals and relevant authorities are promptly informed about any breach so they can take appropriate action to mitigate harm.

These three rules collectively form the foundation of HIPAA’s regulatory framework, emphasizing the importance of protecting patients’ privacy, securing electronic health information, and ensuring timely notification of breaches. Compliance with these rules is vital for covered entities to establish trust with patients and avoid potential penalties and legal consequences. By adhering to the Privacy Rule, Security Rule, and Breach Notification Rule, healthcare organizations can demonstrate their commitment to safeguarding PHI and maintaining the confidentiality, integrity, and availability of individuals’ health information in a digital era.


| Privacy Rule | Security Rule | Breach Notification Rule |
|---|---|---|
| Sets national standards for protecting PHI held by covered entities | Establishes standards for securing ePHI created, received, maintained, or transmitted by covered entities | Requires covered entities to notify affected individuals, the Secretary of HHS, and sometimes the media in case of a breach |
| Grants patients certain rights regarding their health information | Requires regular risk assessments and vulnerability identification | Defines a breach as unauthorized acquisition, access, use, or disclosure of PHI |
| Requires implementation of safeguards for PHI protection | Specifies safeguards such as access controls, audit controls, integrity controls, and transmission security | Specifies criteria for breach risk assessments to determine if there is a significant risk of harm |
| Limits use and disclosure of PHI without patient authorization | Requires implementation of security policies and procedures | Establishes timelines and methods for providing breach notifications |
| Mandates providing individuals with notice of privacy practices | Requires training employees on security awareness | Outlines content for breach notifications |
| Defines requirements for patient access to health information | Emphasizes the importance of contingency plans and data backup | Requires prompt reporting of breaches to the HHS Secretary |
| Sets guidelines for sharing PHI with family members, friends, and others involved in care | Encourages use of encryption and decryption mechanisms for ePHI | Provides guidance on roles and responsibilities in breach notification |
| Outlines patient complaint procedures and enforcement | | Requires documentation and record-keeping of breach incidents |

Figure: The Three Rules of HIPAA


The three rules of HIPAA form the backbone of privacy, security, and breach notification requirements for PHI. The Privacy Rule establishes national standards for safeguarding PHI held by covered entities, ensuring patients’ rights, and limiting the use and disclosure of information without authorization. It places an emphasis on administrative, physical, and technical safeguards to protect patient privacy. The Security Rule complements the Privacy Rule by setting specific standards for securing ePHI. It mandates risk assessments, implementation of safeguards, and training of employees to ensure the confidentiality, integrity, and availability of ePHI. The Security Rule emphasizes the need for access controls, audit controls, and transmission security measures to protect electronic health information. The Breach Notification Rule requires covered entities to promptly notify affected individuals, the HHS Secretary, and sometimes the media in case of a breach. It defines a breach as unauthorized acquisition, access, use, or disclosure of PHI, and establishes criteria for assessing the risk of harm. Compliance with these three rules is crucial for covered entities to protect patient privacy, secure health information, and respond effectively to breaches. By adhering to the Privacy, Security, and Breach Notification Rules, healthcare organizations can uphold the confidentiality, integrity, and availability of PHI while maintaining compliance with HIPAA regulations.
