HIPAA Training: HIPAA Rules

In this video, we will discuss the HIPAA Rules:
What the Privacy Rule, Security Rule, Breach Notification Rule, and Omnibus Rule are, and how to abide by these rules.


In this video, we will discuss the HIPAA rules: 

Privacy Rule
Security Rule
Breach Notification Rule
Omnibus Rule

  • HIPAA's requirements are set out in a series of interlocking regulations known as the HIPAA Rules. The first of these is the HIPAA Privacy Rule.
  • The Privacy Rule establishes national standards that every covered entity must implement in its business.
  • These standards are meant to safeguard the privacy of patient data, called protected health information (PHI) under HIPAA.
  • What information does the HIPAA privacy rule protect? 
  • The Privacy Rule limits how PHI may be used and disclosed, and protects it from unauthorized use or disclosure.
  • What is “Use”?

    • Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of that information within the entity that maintains it.
  • What is “Disclosure”?

    • Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding that information.
    • In other words, a “use” happens inside the organization that holds the PHI, while a “disclosure” moves the information outside that organization.

Next, we will discuss the HIPAA Security Rule.
  • The HIPAA Security Rule is meant to protect electronic PHI (ePHI).
  • The Security Rule requires appropriate safeguards to be in place to maintain the confidentiality, integrity, and availability of ePHI.
  • Healthcare organizations must implement physical, technical, and administrative safeguards to secure patient information.
  • Physical Safeguards: protect the facilities, workstations, and devices where PHI or ePHI is stored or accessed. Common examples include alarm systems, facility access controls, locked areas where PHI or ePHI is stored, and workstation and device security (for example, keeping screens out of public view and controlling the disposal and reuse of media that held ePHI).
  • Technical Safeguards: protect the ePHI itself on the systems your business uses to create, store, process, and transmit it. The Security Rule's technical standards cover access control (unique user identification, emergency access, automatic logoff), audit controls, integrity controls, person or entity authentication, and transmission security. Common examples include firewalls, encryption of ePHI at rest and in transit, and backups of ePHI (which the Security Rule requires under its contingency-plan standard).
  • Administrative Safeguards: the policies, procedures, and workforce practices that make the other safeguards work. They include a documented risk analysis and risk management process, written policies and procedures covering the safeguards you have in place, a designated security official, and workforce training on those policies and procedures so that they are actually carried out.

Now, let’s discuss the Breach Notification and Omnibus Rule 

  • The Breach Notification Rule outlines the process that covered entities and business associates must follow in the event of a breach of unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example through encryption or destruction).
  • Following the discovery of such a breach, the covered entity must notify each affected individual without unreasonable delay and no later than 60 days after discovery.
  • If a breach affects 500 or more individuals, the covered entity must also notify the Department of Health and Human Services without unreasonable delay and no later than 60 days after discovery, and, if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area within the same timeframe.
  • If a breach affects FEWER than 500 individuals, the individual notices are still due within 60 days, but the covered entity may log the breach and report it to HHS annually, no later than 60 days after the end of the calendar year in which the breach was discovered.
  • A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery, so that the covered entity can make these notifications.

Omnibus Rule: 

  • The HIPAA Omnibus Rule (2013) made business associates directly liable for complying with the applicable HIPAA requirements, and it also outlines the rules surrounding Business Associate Agreements (BAAs).
  • A Business Associate Agreement is a contract that must be executed between a covered entity and its business associate, or between a business associate and its subcontractor, before ANY PHI or ePHI can be transferred or shared. The BAA sets out the permitted uses and disclosures of the PHI, requires the business associate to apply appropriate safeguards, and requires it to report breaches and other impermissible uses or disclosures back to the covered entity.

We have now reviewed the HIPAA rules. Please continue to the next section!