
The 7 HIPAA Compliance Rules for Covered Entities

The 7 HIPAA compliance rules for covered entities are the rules within the HIPAA Administrative Simplification Regulations that covered entities must comply with, ensure compliance with by members of the workforce, and oversee compliance with when services are contracted out – or Protected Health Information is disclosed – to business associates and other third parties.

The HIPAA compliance rules for covered entities differ from the generally accepted list of HIPAA Rules because there are certain compliance requirements within the HIPAA Administrative Simplification Regulations which are not immediately apparent as “Rules”, are not titled as “Rules”, or appear as different standards throughout the HIPAA Administrative Simplification Regulations although they are connected by the same principle (for example, the HIPAA Whistleblower Rule).

Conversely, there are regulations titled as “Rules” which do not contain compliance requirements for covered entities. For example, in the case of the HIPAA Enforcement Rule, the “Rule” describes the procedures for compliance reviews, investigations, and hearings. It also lists the factors taken into account when determining the amount of a civil monetary penalty. There are no compliance requirements for covered entities other than to cooperate during a review, investigation, or hearing.

Some of the following HIPAA compliance rules will be familiar inasmuch as they have been in force for more than twenty years. Other HIPAA compliance rules may be less familiar to covered entities. Nonetheless, they all have an impact on overall HIPAA compliance and the failure to comply with these other HIPAA Rules can lead to financial penalties if a complaint is filed with the Department of Health and Human Services (HHS) or if there is an avoidable breach of unsecured Protected Health Information.


The 7 HIPAA Compliance Rules for Covered Entities

  1. HIPAA General Rules
  2. HIPAA Preemption Rules
  3. HIPAA Transactions and Code Sets Rules
  4. HIPAA Privacy Rule
  5. HIPAA Security Rule
  6. HIPAA Breach Notification Rule
  7. HIPAA Whistleblower Rule

1 – HIPAA General Rules

Most Parts and Subparts of the HIPAA Administrative Simplification Regulations include General Rules or General Provisions. The HIPAA General Rules most relevant to HIPAA compliance are:

Applicability (§160.102)

The applicability section of the HIPAA General Provisions is relevant to HIPAA compliance because it defines covered entities under HIPAA (note – not all healthcare providers are covered entities under HIPAA). It also requires business associates to comply with any applicable standards, requirements, and implementation specifications of the HIPAA Administrative Simplification Regulations “where provided”.

This is important because it is sometimes believed business associates only have to comply with the HIPAA Security Rule and the HIPAA Breach Notification Rule. While compliance with these two Rules is mandatory, business associates must also comply with other HIPAA Rules when they apply to services being provided for or on behalf of a covered entity. Covered entities need to be aware of this to ensure compliance by their business associates.

Definitions (§160.103 et seq.)

Definitions appear in every Subpart of the HIPAA Administrative Simplification Regulations, and it is sometimes necessary to look in several Subparts to understand a single compliance requirement. For example, Protected Health Information is defined in §160.103, but when complying with patients’ rights of access, it is also necessary to understand the definition of Designated Record Sets in §164.501.

Other definitions that may be key to complying with HIPAA include the definitions of Operating Rules (§162.103), Required by Law (§164.103), Security Incident (§164.304) and Data Breach (§164.402). Some covered entities may need to know the difference between Direct and Indirect Treatment Relationships (§164.501), or that the definition of Access in §164.304 is unique to the HIPAA Security Rule.

General Security Rules (§164.306)

The General Security Rules require covered entities and business associates to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (note the emphasis on electronic), protect against reasonably anticipated threats and hazards to the security and integrity of that data, and protect against any impermissible uses or disclosures of electronic Protected Health Information.

How covered entities comply with these requirements is flexible as HIPAA is technology neutral. However, covered entities and business associates cannot use the “flexibility of approach” standard to avoid protecting electronic Protected Health Information, and must periodically review and modify (when necessary) the security measures implemented to comply with the General Security Rules.

General Breach Notification Rules (§164.404 and §164.410)

There are two General Rules in the HIPAA Breach Notification Rule – one that applies to covered entities and one that applies to business associates. However, they both say much the same inasmuch as a breach is considered to have been discovered on the day on which it is known about or on the day when, by exercising reasonable diligence, it should have been known about.

“Reasonable diligence” is defined in the HIPAA Enforcement Rule as “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances”. This definition implies that “ticking boxes” to achieve point-in-time compliance is not sufficient to satisfy HHS’ HIPAA compliance expectations. HIPAA compliance must be ongoing.

General Privacy Rules (§164.502)

The General Privacy Rules lay the foundations of HIPAA compliance because they explain the required, permitted, and prohibited uses of Protected Health Information, the minimum necessary standard, and disclosures to personal representatives. The General Rules also prohibit business associates from disclosing Protected Health Information in a manner that would violate the Privacy Rule.

It is not only important that covered entities and business associates understand and comply with the General Privacy Rules. As discussed later in this article, it is also important that members of covered entities’ and business associates’ workforces understand and comply with the General Privacy Rules to avoid sanctionable violations of HIPAA attributable to a lack of knowledge.

2 – HIPAA Preemption Rules

When taken in isolation from other regulatory requirements, the HIPAA Preemption Rules are straightforward – HIPAA preempts all state regulations unless a provision of a state regulation has more stringent privacy protections than the Privacy Rule or gives patients more rights over the control of their information. Exceptions are permitted for reporting diseases, injuries, and abuse, or for providing access to Protected Health Information to meet licensing and certification requirements.

However, it is not feasible to isolate HIPAA from other regulatory requirements. Healthcare organizations have to comply with multiple federal, state, and local laws and regulations. Some of these may require disclosures of Protected Health Information for purposes not covered by the “health care operations” category of permissible disclosures, or to third parties that do not qualify as business associates – for example, when complying with OSHA’s Emergency Response Standard.

Conversely, some disclosures permitted by the HIPAA Privacy Rule may be in violation of other federal regulations. An example of this scenario is when Protected Health Information is disclosed permissibly for patient safety activities, but a disclosure to an authorized Patient Safety Organization violates the Patient Safety and Quality Improvement Act if a Business Associate Agreement is not in place between the covered entity disclosing the information and the Patient Safety Organization.

With regard to state laws, while most state privacy laws exempt HIPAA covered entities, some only exempt covered entities in respect of the privacy and security of Protected Health Information (e.g., Oregon). Any other individually identifiable non-health information maintained by the covered entity may still be covered by the state’s privacy law – or by a neighboring state’s privacy law if that law applies to residents of the state rather than to organizations that conduct business in the state (e.g., Texas).

3 – HIPAA Transactions and Code Sets Rules

The HIPAA Transactions and Code Sets Rules are possibly the HIPAA compliance rules most overlooked by covered entities, yet the ones in which non-compliant activities are easiest to identify. Evidence of this claim comes from Comprehensive Error Rate Testing conducted on behalf of HHS’ Centers for Medicare & Medicaid Services (CMS) on random samples of fee-for-service claims. In 2022, 7.46% of the sampled claims contained errors.

Each year, Medicare Administrative Contractors process an estimated 1.2 billion fee-for-service claims on behalf of CMS. The percentage of sampled claims containing errors implies that 90 million claims each year are incorrectly coded, lack supporting documentation, or are medically unnecessary – not just exposing covered entities to penalties for HIPAA violations, but also to penalties for violations of the False Claims Act.

A common reason for many errors is mistakes in data entry. However, mistakes of this nature do not only impact the accuracy of claims. Data entry errors attributable to human error can delay responses to eligibility checks and authorization requests for treatment – potentially risking patient safety. They can also delay payments to healthcare providers when claims are submitted with, for example, incorrect National Provider Identifiers.

For this reason, and regardless of whether healthcare transactions are processed in-house or by a business associate, covered entities should monitor compliance with the HIPAA Transactions and Code Sets Rules, the Operating Rules, and the Unique Identifier Rules. While no covered entity has yet been fined for violating these HIPAA compliance rules, CMS regularly imposes disruptive Corrective Action Plans on non-compliant entities.

4 – HIPAA Privacy Rule

Responsibility for compliance with the HIPAA Privacy Rule is shared between covered entities and their workforces. Covered entities must develop policies and procedures to comply with the Privacy Rule standards and train members of the workforce on the policies and procedures that apply to their functions. Covered entities must also distribute Notices of Privacy Practices and ensure Business Associate Agreements are in place where necessary.

Workforce members are not only responsible for complying with their HIPAA training, but also for complying with the HIPAA Privacy Rule – even if some standards of the HIPAA Privacy Rule have not been included in the HIPAA training. This is because §164.530(e)(1) of the HIPAA Privacy Rule requires covered entities to:

“Have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart [the HIPAA Privacy Rule] or subpart D of this part [the HIPAA Breach Notification Rule]”.

This means that if a student nurse identifies a celebrity entering a medical center for treatment, and they share their news on social media, the student nurse could be sanctioned even though social media policies have not been included in HIPAA training. Consequently, all workforce members need to understand what Protected Health Information is, when it can permissibly be used or disclosed, and the verification requirements in §164.514(h) of the HIPAA Privacy Rule.

It is worth noting that HHS’ Office for Civil Rights receives more than 6,000 justified privacy complaints and more than 60,000 notifications of data breaches per year. To avoid unnecessary compliance investigations and the operational disruption they cause, covered entities should provide more than the minimum necessary HIPAA training, so that members of the workforce do not disclose Protected Health Information impermissibly due to a lack of knowledge.

5 – HIPAA Security Rule

Similar to the HIPAA Privacy Rule, covered entities and workforces share responsibility for compliance with the HIPAA Security Rule. Covered entities have to implement the security measures required to comply with the General Security Rules and the Administrative, Physical, and Technical Safeguards. They must also provide security awareness training and ensure that third-party software solutions with access to Protected Health Information are HIPAA compliant.

Workforce members are required (by the General Security Rules) to comply with covered entities’ security policies and procedures and to use the implemented security measures in the manner in which they are intended. This means it is not permitted to change the configuration of software solutions to bypass security mechanisms, or to download unsanctioned apps and services and allow them access to Protected Health Information “to get the job done”.

Because covered entities (and business associates) are required to conduct risk analyses to identify risks and vulnerabilities to electronic Protected Health Information and implement security measures (including workforce policies) to mitigate risks and vulnerabilities, covered entities have the responsibility of preventing workforce members from taking reasonably foreseeable actions that would violate either the HIPAA Security Rule or HIPAA Privacy Rule.

However, if an action is not reasonably foreseeable – or is a deliberate violation of a workplace policy – the HIPAA Security Rule gives covered entities (and business associates) the authority to apply sanctions on workforce members. Sanctions can range from additional training to verbal and written warnings, to the loss of employment. Additionally, if a violation of HIPAA results in a violation of §1177 of the Social Security Act, workforce members could be fined or receive a prison sentence.

6 – HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule is the easiest of the HIPAA compliance rules to comply with, yet some covered entities are reluctant to issue timely and complete breach notifications in order to avoid the risk of civil lawsuits and other legal actions. This has not gone unnoticed by HHS’ Office for Civil Rights, and the agency is expected to publish a Rule in the near future, similar to that published by the FTC in April 2024, to address this problem.

While waiting to hear what requirements HHS’ Office for Civil Rights will introduce with regard to breach notifications, it is advisable for covered entities to review any state breach notification laws that may apply to them. While many state breach notification laws exempt HIPAA covered entities, some place conditions on the exemptions, have different definitions of harm, have shorter notification periods, and extend across state borders.

An example of one state law that may impact covered entities nationwide is Indiana’s breach notification law (Indiana Code §24-4.9). This law excludes covered entities that maintain a compliance plan under HIPAA (but not those that don’t), requires notifications of breaches regardless of the probability that information has been compromised, has a forty-five day notification period, and applies to citizens of Indiana regardless of where the breached covered entity is located.

Due to the “probability” criterion, a security incident that is not notifiable under HIPAA may still be notifiable under a state law. Covered entities need to be aware of which state laws may apply to them, alert members of the workforce to when security incidents may be notifiable under state laws, and provide members of the workforce with secure channels of communication to report all security alerts and suspected data breaches for evaluation.

7 – HIPAA Whistleblower Rule

The HIPAA Whistleblower Rule is an example of HIPAA compliance rules that appear as different standards throughout the HIPAA Administrative Simplification Regulations but are connected by the same principle. In this case, the relevant standards are §160.316 of the General Administrative Regulations (Compliance and Investigations), §164.502(j) of the HIPAA Privacy Rule (General Rules), and §§164.530(e) and (g) of the HIPAA Privacy Rule (Administrative Requirements).

  • §160.316 of the General Administrative Regulations prohibits covered entities from threatening, discriminating against, or taking other retaliatory action against any individual who files a complaint with HHS’ Office for Civil Rights or CMS, or who participates in an investigation or compliance review. The standard also prohibits retaliatory action against any member of the workforce who in good faith refuses to carry out an instruction or action that violates HIPAA.
  • §164.502(j) of the HIPAA Privacy Rule covers disclosures of Protected Health Information by whistleblowers. Under this standard, covered entities will not be considered to have violated HIPAA if a member of the workforce discloses Protected Health Information to a health oversight agency or attorney in order to report conduct that is unlawful or otherwise violates professional standards in such a way that it endangers patients, the public, or members of the workforce.
  • §164.530(e) of the HIPAA Privacy Rule prohibits covered entities from applying sanctions against whistleblowers, while §164.530(g) of the HIPAA Privacy Rule repeats that covered entities may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against whistleblowers, patients who complain about violations of their HIPAA rights, or any member of the workforce who participates in compliance and investigation processes (including internal processes).

HIPAA Compliance Rules for Business Associates & Conclusion

The HIPAA compliance rules that apply to business associates depend on the nature of service being provided for or on behalf of a covered entity. For example, a healthcare provider who does not qualify as a covered entity, but who provides services on behalf of a covered entity as a business associate, will likely have to comply with all the HIPAA compliance rules. They will also have to attest to complying with the HIPAA compliance rules via a Business Associate Agreement.

Conversely, while it is advisable for all business associates to be aware of all applicable HIPAA compliance rules, a provider of secure “no view” cloud storage will usually only have to comply with the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the HIPAA Whistleblower Rule. If there are circumstances in which other standards of the HIPAA compliance rules apply – or in which state laws preempt HIPAA – these should be noted in a Business Associate Agreement.

Covered entities, business associates, and members of the workforce who are uncertain about what HIPAA compliance rules they are required to comply with are advised to seek independent compliance advice. While HHS’ Office for Civil Rights and CMS most often seek to resolve compliance issues through technical assistance and corrective action plans, organizations and individuals who should have been aware of the HIPAA compliance rules and who failed to exercise reasonable diligence can still face civil or criminal penalties for HIPAA violations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
