HIPAA Rules & Standards

The Health Insurance Portability and Accountability Act (HIPAA) regulations are divided into several major standards or rules: the Privacy Rule, Security Rule, Transactions and Code Sets (TCS) Rule, Unique Identifiers Rule, Enforcement Rule, Breach Notification Rule, and the Omnibus Final Rule. The HITECH Act is a separate statute that strengthened several of these rules and is covered alongside them below.


HIPAA Privacy Rule

The HIPAA Privacy Rule mandates the protection and privacy of protected health information (PHI) held by covered entities and their business associates. This rule specifically defines the permitted uses and disclosures of individually identifiable health information. It is the most complex rule, setting requirements for how PHI, in any form or medium (paper, oral, or electronic), must be controlled.


HIPAA Security Rule

The HIPAA Security Rule mandates the security of electronic protected health information (ePHI). Unlike the Privacy Rule, which provides broader protection for all formats that health information may take, such as print or electronic information, the Security Rule addresses the technical aspects of protecting electronic health information. More specifically, the HIPAA Security standards require three categories of safeguards:

Administrative safeguards - policies and procedures for managing security, including risk analysis, workforce training, and assignment of security responsibility to an individual.

Physical safeguards - required to protect electronic systems, equipment and data, such as facility access controls and workstation and device security.

Technical safeguards - access controls, audit controls, integrity controls, authentication, and transmission security (including encryption) used to control and monitor access to ePHI.


HIPAA Transactions and Code Set Rule (TCS)

The HIPAA Transactions and Code Sets Rule addresses the use of predefined transaction standards and code sets for communications and transactions in the health-care industry. The ASC X12 version 5010 transaction standards and the ICD-10 code sets are addressed here.


HIPAA Unique Identifiers Rule

As part of the HIPAA Administrative Simplification regulations, the HIPAA Unique Identifiers Rule defines the unique identifiers that are used for covered entities and other parties in HIPAA transactions, such as the National Provider Identifier (NPI) for health-care providers and the Employer Identification Number (EIN) for employers. The use of these unique identifiers promotes standardization, efficiency and consistency.


HIPAA Enforcement Rule

The HIPAA Enforcement Rule sets out the procedures for investigations, compliance reviews, and civil money penalties for HIPAA violations. The HITECH Act substantially strengthened it: it expanded the scope of the HIPAA Privacy and Security Rules (including direct liability for business associates) and increased the reach and penalties for HIPAA violations.


HIPAA Breach Notification Rule (BNR)

The HIPAA Breach Notification Rule stems from the HITECH Act. It requires organizations to notify affected individuals of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery, to notify the HHS (immediately for breaches affecting 500 or more individuals, otherwise in an annual log), and, for breaches affecting more than 500 residents of a state or jurisdiction, to notify prominent media outlets.


HIPAA Final Omnibus Rule

The HIPAA Omnibus Rule, published in 2013, implements the HITECH Act and further tightens and clarifies provisions contained in the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.