HHS HIPAA Regulations and Requirements

HHS HIPAA – Overview

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 sets several regulatory standards that define the lawful use and disclosure of protected health information (PHI). HIPAA compliance is overseen by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR).

The OCR plays an important role in maintaining HIPAA compliance by providing routine guidance on new issues that develop in healthcare services and investigating commonly reported violations.

HIPAA compliance is a dynamic structure that healthcare organizations must build into their business through a series of interlinked rules. It aims to protect the security, privacy, and integrity of a person’s PHI.

Let’s take a deeper dive into HHS HIPAA regulations and standards.


What is Protected Health Information (PHI)?

Protected Health Information (PHI) encompasses any information in a medical record, or other health-related information, that can be used to identify an individual and that is created, used, or disclosed while providing a healthcare service, such as diagnosis or treatment. Some common examples of PHI are names, addresses, social security numbers, phone numbers, financial information, medical records, and full facial photographs.

PHI that is stored, shared, or accessed electronically is known as Electronic Protected Health Information (ePHI). It is regulated by the HIPAA Security Rule, which supplements the main HIPAA regulations.

Where is HIPAA Compliance Applicable?

HIPAA regulations define two types of organizations that must be HIPAA-compliant, namely:

Covered Entities

HIPAA defines a ‘covered entity’ as any health plan, healthcare clearinghouse, or healthcare provider that transmits health information in electronic form in connection with transactions for which HHS has adopted standards. In practice, this includes healthcare organizations such as primary healthcare providers, healthcare clearinghouses, and health insurance providers.

Business Associates

HIPAA regulations define ‘business associates’ as organizations that handle PHI in any way in the course of the work they have been hired to perform for a covered entity. Some common examples of business associates, as defined by HIPAA regulations, are practice management agencies, billing companies, third-party consultants, MSPs, EHR platforms, IT service providers, email hosting services, accountants, and attorneys, among others.

What Are the Different Types of HIPAA Regulations?

HIPAA consists of a series of regulatory standards that include the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Omnibus Rule. These rules have been in effect for over 20 years since HIPAA was established in 1996.

The four main types of HIPAA Rules that you need to be aware of are:

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards for protecting individuals’ medical records and other personal health information and applies to covered entities. While not directly subject to the Privacy Rule, business associates must comply with its requirements through the HIPAA Omnibus Rule, which extends many of the Privacy Rule’s requirements to business associates.

Some of the most important standards that the HIPAA Privacy Rule outlines are patients’ right to access PHI, providers’ right to deny access to PHI, the details of Use and Disclosure of HIPAA release forms, and Notices of Privacy Practices, among others.

Every eligible organization is required to document its HIPAA Policies and Procedures. Every employee in such organizations must also be trained on these Policies and Procedures each year, with attested documentation.

HIPAA Security Rule

The HIPAA Security Rule is a set of national standards to ensure the secure maintenance, management, and transmission of ePHI. The Rule applies to covered entities and business associates alike, as they both have the potential to share ePHI.

This Rule sets the standards that ensure the safety and integrity of ePHI, including administrative, physical, and technical safeguards required in any healthcare organization. This Rule requires these organizations to document their HIPAA Policies and Procedures. In addition, the employees in such organizations need to be trained on these HIPAA Policies and Procedures every year, with attested documentation.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a data breach involving PHI or ePHI. The Rule sets different breach-reporting requirements depending on the size and scope of the breach.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule is a supplement to HIPAA regulations. It was enacted to apply HIPAA to business associates along with covered entities. This Rule requires business associates to be completely HIPAA compliant. The Rule also dictates the rules relating to Business Associate Agreements (BAAs).

A Business Associate Agreement is a contract executed between a covered entity and a business associate or between two business associates before any PHI or ePHI can be shared or transferred.

What is Required for HIPAA Compliance?

As mentioned earlier, HIPAA regulations dictate national standards to which all covered entities and business associates must adhere.

To ensure HIPAA compliance, covered entities and business associates must conduct regular self-audits to assess compliance with HIPAA Privacy and Security Rules.


HIPAA requires covered entities and business associates to perform annual audits of their organizations. These audits should assess technical, administrative, and physical gaps in compliance with the HIPAA Privacy and Security Standards.

A Security Risk Assessment (SRA) is a critical component of HIPAA compliance, but it must be part of a broader set of actions to achieve full compliance with HIPAA regulations. This assessment needs to be conducted every year to maintain HIPAA compliance year over year.

Remediation Plans

Once covered entities and business associates have identified compliance gaps through self-audits, they must implement remediation plans to remedy the violations. These plans need to be fully documented, including the calendar dates by which each gap will be remedied.

Policies, Procedures, Employee Training

As the HIPAA Rules dictate, covered entities and business associates need to develop specific Policies and Procedures that correspond to HIPAA regulatory standards.

These policies and procedures should be updated regularly to accommodate any organizational changes. Staff must also undergo annual training on these HIPAA-related Policies and Procedures, with documented employee attestation stating clearly that the staff have read and understood each policy and procedure of the organization.


HIPAA-regulated organizations are bound by the rules to document every effort made to ensure HIPAA compliance. This documentation is crucial for passing stringent HIPAA audits during an HHS OCR investigation.

Management of Business Associates

Covered entities and business associates need to document all vendors to whom they transmit PHI in any form and execute Business Associate Agreements (BAAs) to ensure that PHI is handled securely and to mitigate liability.

BAAs should also be reviewed annually to accommodate the organization’s vendor relationship changes. These BAAs should be executed before sharing any PHI.

Incident Management

If a covered entity or business associate experiences a data breach, it must have a process in place to document the breach and notify patients that their data has been compromised, as required by the HIPAA Breach Notification Rule.


In short, the Department of Health and Human Services’ HIPAA regulations require covered entities and business associates to implement written policies, procedures, and standards of conduct. The rules also require these organizations to designate compliance officers and committees.

Organizations are required to train and educate employees about HIPAA rules and regulations effectively. To learn more about HHS HIPAA, you can check out the official website at https://www.hhs.gov/hipaa/index.html.

See Also

How to Get Medical Records Online for Free

Medical Law and Ethics in the USA

Current version: November 21, 2022, written by Shubham Grover. Updated March 16, 2024 by Andrea Morales G.