
HIPAA Basics: A Complete Guide

Everything you need to know about HIPAA compliance. Learn the Privacy Rule, Security Rule, Breach Notification requirements, and more.

Table of Contents

  1. What is HIPAA?
  2. The Privacy Rule
  3. The Security Rule
  4. Breach Notification Rule
  5. Covered Entities
  6. Business Associates
  7. PHI and ePHI Explained
  8. HIPAA Penalties
1. What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. While originally focused on health insurance portability, HIPAA has evolved to become the primary federal law protecting patient health information.

HIPAA establishes national standards for:

  • Protecting sensitive patient health information
  • Ensuring the security of electronic health records
  • Giving patients rights over their health information
  • Setting penalties for violations

Who Must Comply?

  • Healthcare providers (doctors, dentists, hospitals, clinics)
  • Health plans (insurers, HMOs, Medicare, Medicaid)
  • Healthcare clearinghouses
  • Business associates who handle PHI on behalf of covered entities

2. The Privacy Rule

The HIPAA Privacy Rule establishes national standards for protecting individuals' medical records and other personal health information (PHI).

Key Requirements:

  • Limits on who can access patient information
  • Patients' rights to access their own records
  • Requirements for written privacy policies
  • Notice of Privacy Practices (NPP) distribution
  • Minimum necessary standard - only access what you need

Patient Rights Under the Privacy Rule:

  • Right to access their health records
  • Right to request corrections
  • Right to an accounting of disclosures
  • Right to request restrictions on uses
  • Right to confidential communications

**2026 Update:** New NPP requirements take effect February 2026, requiring clearer language and additional disclosures about patient rights.

3. The Security Rule

The HIPAA Security Rule establishes standards for protecting electronic Protected Health Information (ePHI). It requires three types of safeguards:

Administrative Safeguards:

  • Security management process
  • Workforce security training
  • Information access management
  • Security awareness training
  • Contingency planning
  • Evaluation procedures

Physical Safeguards:

  • Facility access controls
  • Workstation security
  • Device and media controls
  • Proper disposal of hardware

Technical Safeguards:

  • Access controls (unique user IDs, encryption)
  • Audit controls (activity logging)
  • Integrity controls (data accuracy)
  • Transmission security (encryption in transit)
  • Authentication requirements

**Risk Assessment Requirement:** Organizations must conduct regular risk assessments to identify vulnerabilities and implement appropriate controls.

4. Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI.

What is a Breach?

An impermissible use or disclosure of PHI that compromises its security or privacy. An impermissible use or disclosure is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised.

Notification Requirements:

Individual Notice:

  • Within 60 days of discovery
  • Written notification by first-class mail
  • Must include: what happened, the types of information involved, steps individuals can take to protect themselves, what you are doing in response, and contact information

HHS Notification:

  • Breaches affecting 500+ individuals: within 60 days
  • Breaches affecting fewer than 500 individuals: annual log submission

Media Notice:

  • Required for breaches affecting 500+ residents of a state
  • Within 60 days, to prominent media outlets

**Documentation:** Maintain documentation of all breaches and notifications for 6 years.

5. Covered Entities

A covered entity is any organization that electronically transmits health information in connection with certain transactions.

Three Types of Covered Entities:

1. Healthcare Providers

  • Doctors and physicians
  • Dentists and orthodontists
  • Hospitals and clinics
  • Nursing homes
  • Pharmacies
  • Psychologists and therapists
  • Chiropractors
  • Any provider who transmits health information electronically

2. Health Plans

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs (Medicare, Medicaid, VA)
  • Prescription drug programs

3. Healthcare Clearinghouses

  • Billing services
  • Repricing companies
  • Community health information systems
  • Value-added networks

**Key Point:** If you're a covered entity, you must comply with all HIPAA rules, train your workforce, and ensure your business associates also comply.

6. Business Associates

A business associate is a person or organization that performs functions involving the use or disclosure of PHI on behalf of a covered entity.

Common Business Associates:

  • EHR/EMR vendors
  • Medical billing companies
  • IT service providers
  • Cloud storage providers
  • Shredding companies
  • Accountants with access to PHI
  • Attorneys providing healthcare legal services
  • Consultants with PHI access

Business Associate Agreements (BAAs):

Every business associate relationship requires a written BAA that specifies:

  • What PHI the BA can access
  • How they must protect it
  • Their breach notification obligations
  • Their compliance requirements
  • Termination conditions

**Important:** A covered entity is responsible for ensuring their BAs comply with HIPAA. Regular vendor assessments are recommended.

**Subcontractors:** Business associates must also have BAAs with their subcontractors who handle PHI.

7. PHI and ePHI Explained

**Protected Health Information (PHI)** is individually identifiable health information that is transmitted or maintained in any form.

18 HIPAA Identifiers:

  1. Names
  2. Geographic data (smaller than state)
  3. Dates (except year) related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers
  17. Full-face photos
  18. Any other unique identifying number or code

ePHI (Electronic PHI):

PHI that is created, received, maintained, or transmitted electronically. This includes:

  • Electronic health records
  • Email containing patient information
  • Patient portals
  • Digital images
  • Billing records
  • Lab results

De-Identified Data:

Health information with all 18 identifiers removed (Safe Harbor) or certified by an expert (Expert Determination) is not considered PHI and is not protected by HIPAA.
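The following is an added example, not code from this guide or from any HIPAA tooling. It applies the 18-identifier list above to a flat patient record in the Safe Harbor spirit: enumerated identifier fields are dropped, dates are reduced to their year, geographic data finer than the state is removed, and free-text notes are scanned for identifier-shaped tokens. The field names, the sample record and the regular expressions are all constructed for illustration; the patterns are not exhaustive, and a production de-identifier would need a far more complete text scrubber.

```python
"""Safe Harbor style de-identification of a flat patient record.

Added example: field names, patterns and sample data are assumptions made
for this illustration, not part of the guide or of any real system.
"""
from __future__ import annotations

import re
from datetime import date

# Fields carrying one of the enumerated identifiers: removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_hash", "photo_ref",
}

# Dates related to the individual: only the year is retained.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}

# Geographic data finer than the state: removed; "state" itself is kept.
SUB_STATE_GEO_FIELDS = {"street", "city", "zip", "county"}

# Free-text fields are scanned for identifier-shaped tokens.
FREE_TEXT_FIELDS = {"clinical_note"}
PATTERNS = {  # constructed, deliberately simple, not exhaustive
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d+\b", re.IGNORECASE),
}


def year_only(value) -> int | None:
    """Reduce a date or ISO date string to its year (identifier 3)."""
    if isinstance(value, date):
        return value.year
    m = re.match(r"(\d{4})", str(value))
    return int(m.group(1)) if m else None


def redact_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-shaped tokens with labels; return (text, labels hit)."""
    hits = []
    for label, pattern in PATTERNS.items():
        text, count = pattern.subn(f"[{label.upper()}]", text)
        if count:
            hits.append(label)
    return text, hits


def safe_harbor_deidentify(record: dict) -> tuple[dict, list[str]]:
    """Return a de-identified copy of the record and a log of actions taken."""
    out, actions = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in SUB_STATE_GEO_FIELDS:
            actions.append(f"removed:{key}")
        elif key in DATE_FIELDS:
            out[key] = year_only(value)
            actions.append(f"year_only:{key}")
        elif key in FREE_TEXT_FIELDS:
            out[key], hits = redact_text(value)
            actions.extend(f"redacted:{key}:{h}" for h in hits)
        else:
            out[key] = value
    return out, actions


def verify_no_identifiers(record: dict) -> bool:
    """Independent check: no identifier field, dates as years, no pattern hits."""
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in SUB_STATE_GEO_FIELDS:
            return False
        if key in DATE_FIELDS and not isinstance(value, int):
            return False
        if isinstance(value, str) and any(p.search(value) for p in PATTERNS.values()):
            return False
    return True


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "date_of_birth": "1984-07-12",
    "admission_date": date(2024, 3, 5),
    "ssn": "123-45-6789",
    "mrn": "MRN-00421",
    "street": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "diagnosis_code": "E11.9",
    "clinical_note": "Pt called from 555-123-4567; follow-up with jane@example.org on 2024-03-20. MRN 00421.",
}

if __name__ == "__main__":
    cleaned, log = safe_harbor_deidentify(SAMPLE_RECORD)
    print(cleaned)
    print(log)
    print("verified:", verify_no_identifiers(cleaned))
```

The verification step is kept separate from the scrubbing step on purpose: a de-identification pipeline should be checked by logic that does not share the scrubber's assumptions, and the action log gives the evidence an auditor would ask for. Note that the regulation's Safe Harbor method has finer rules than the list above conveys (for example, on ZIP codes and on ages over 89) that this example does not implement.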

8. HIPAA Penalties

HIPAA violations can result in significant civil and criminal penalties enforced by the HHS Office for Civil Rights (OCR).

Civil Penalties (Per Violation):

Annual cap per identical violation: $2,067,813

Criminal Penalties:

  • Knowingly obtaining/disclosing PHI: Up to $50,000 fine and 1 year imprisonment
  • Obtaining under false pretenses: Up to $100,000 fine and 5 years imprisonment
  • Intent to sell or harm: Up to $250,000 fine and 10 years imprisonment

State Attorneys General:

Can also bring civil actions on behalf of state residents for HIPAA violations.

Recent Trends:

OCR is increasingly aggressive with enforcement. Small practices are not exempt - several have faced six-figure settlements.

Test Your Knowledge

Take the HIPAA Basics quiz to earn your certificate and verify your understanding.
