HHS HIPAA Regulations and Requirements


HHS HIPAA – Overview

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has several regulatory standards to define the lawful use, and disclosure, of protected health information (PHI). HIPAA compliance is controlled by the Department of Health and Human Services (DHHS) and is enforced by the Office for Civil Rights (OCR).

The OCR plays an important role in maintaining HIPAA compliance using routine guidance on new issues that develop in healthcare services. The OCR is also tasked with investigating commonly-reported HIPAA violations.

HIPAA compliance is basically a dynamic structure that healthcare organizations need to implement into their business, using a series of interlinked rules. HIPAA compliance aims to protect a person’s PHI’s security, privacy, and integrity.

Let’s take a deeper dive into HHS HIPAA regulations and standards.


HHS HIPAA regulations and standards.

What is Protected Health Information (PHI)?

Protected health information (PHI) is any kind of demographic information that can identify a client or patient of a HIPAA-certified entity. Some common examples of PHI are names, addresses, social security numbers, phone numbers, financial information, medical records, and full facial photographs.

PHI, which is stored, shared or accessed electronically, is regulated with HIPAA regulatory standards. It is also known as Electronic Protected Health Information (ePHI). This is regulated under the HIPAA Security Rule, which adds to the main HIPAA regulations.

Where is HIPAA Compliance Applicable?

HIPAA regulations state two types of organizations that need to be HIPAA-compliant, namely:

Covered Entities

HIPAA regulations define a ‘covered entity’ as an organization that creates, collects or transmits PHI using electronic means. Healthcare organizations, such as primary healthcare providers, healthcare clearinghouses, and health insurance providers are considered covered entities under HIPAA regulations.

Business Associates

HIPAA regulations define ‘business associates’ as an organization that works with PHI in any way throughout work that it has been hired to perform by a covered entity. Some common examples of business associates as defined by HIPAA regulations are practice management agencies, billing companies, third-party consultants, MSPs, EHR platforms, IT service providers, email hosting services, accountants, and attorneys, among others.

What Are the Different Types of HIPAA Regulations?

HIPAA regulations are made up of several different HIPAA Rules. These rules have been in effect for over 20 years since HIPAA was established in 1996.

The four main types of HIPAA Rules that you need to be aware of are:

HIPAA Privacy Rule

The HIPAA Privacy Rule sets national standards for patients’ rights to PHI. This Rule is applicable only to covered entities, and business associates do not have to comply with it. Some of the most important standards that the HIPAA Privacy Rule outline are patients’ right to access PHI, providers rights to deny access to PHI, details of Use and Disclosure of HIPAA release forms, and Notices of Privacy Practices, among others.

Every eligible organization is required to document its HIPAA Policies and Procedures. Every employee in such organizations must also be trained on these Policies and Procedures each year, with attested documentation.

HIPAA Security Rule

HIPAA Security Rule is a set of national standards to ensure secure maintenance, management, and transmission of ePHI. The Security Rule applies to covered entities and business associates alike, as they both have the potential to share ePHI.

This Rule sets the standards that ensure the safety and integrity of ePHI, including administrative, physical and technical safeguards that are required in any healthcare organization. This Rule requires these organizations to document their HIPAA Policies and Procedures. In addition, the employees in a such organization also need to be trained on these HIPAA Policies and Procedures every year, with attested documentation.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule is a set of standards for covered entities and business associates. These standards require these organizations to follow the standards in case of a data breach containing ePHI or PHI. The Rule dictates different requirements for breach reporting, depending on the data breach’s size and scope.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule is an addendum to HIPAA regulations. It was enacted to apply HIPAA to business associates along with covered entities. This Rule requires business associates to be completely HIPAA compliant. The Rule also dictates the rules relating to Business Associate Agreements (BAAs).

A Business Associate Agreement is a contract executed between a covered entity and a business associate or between two business associates before any PHI or ePHI can be shared or transferred.

What is Required for HIPAA Compliance?

As mentioned earlier, HIPAA regulations dictate national standards to which all covered entities and business associates must adhere.

To ensure HIPAA compliance, these are some of the tasks that the covered entity and business associate need to perform:


HIPAA requires covered entities and business associates to perform annual audits of their organizations. These audits should assess technical, Administrative, and Physical gaps in compliance with HIPAA Privacy and Security Standards.

Under HIPAA regulations, a Security Risk Assessment (SRA) is not sufficient to ensure compliance but is only an essential aspect of a HIPAA-related audit. This audit needs to be conducted every year to ensure HIPAA compliance year-over-year.

Remediation Plans

Once the covered entities and business associates have determined the gaps in compliance with self-audits, they need to implement remediation plans to remedy the compliance violations. These plans need to be completely documented, with the calendar dates included, by which the gaps are remedied.

Policies, Procedures, Employee Training

Covered entities and business associates need to develop specific Policies and Procedures that correspond to HIPAA regulatory standards, as the HIPAA Rules dictate.

These policies and procedures should be regularly updated to accommodate any organizational changes. The staff also needs to undergo annual training on these HIPAA-related Policies and Procedures, along with documented employee attestation, which states clearly that the staff has read and understood each policy and procedure of the said organization.


HIPAA-regulated organizations are bound by the rules to document every effort made by the organization to ensure HIPAA compliance. This documentation proves extremely crucial during a HIPAA investigation with HHS OCR to pass stringent HIPAA audits.

Business Associate Management

Covered entities and business associates need to document all vendors to whom they transmit PHI in any form and execute Business Associate Agreements (BAAs) to ensure that PHI is handled securely and to mitigate liability.

BAAs should also be reviewed annually to accommodate changes to the organization’s relationship with vendors. These BAAs should be executed before sharing any PHI.

Incident Management

If a covered entity or business associate experiences a data breach, they should have a process in place to document the breach and notify patients that their data has been compromised, as per HIPAA Breach Notification Rule.


In short, the Human and Health Services’ HIPAA regulations require covered entities and business associates to implement written policies, procedures, and standards of conduct. The rules require these organizations to designate a compliance officer and a compliance committee.

Organizations are required to train and educate employees about HIPAA rules and regulations effectively. To learn more about HHS HIPAA, you can check out the official website at https://www.hhs.gov/hipaa/index.html.

See Also

How to Get Medical Records Online for Free

Medical Law and Ethics in the USA

Follow us

Leave a comment

Your email address will not be published.