HIPAA Comprehensive Summary Guide & Cheat Sheet (2025)
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal law designed to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
1. Privacy Rule
Purpose: Protects the privacy of individually identifiable health information, referred to as protected health information (PHI).
Who Must Comply: Health care providers, health plans, and health care clearinghouses (collectively called "covered entities"), and their business associates.
What’s Protected: All forms of PHI—oral, paper, and electronic.
Permitted Uses/Disclosures: For treatment, payment, health care operations, and certain public interest activities (e.g., law enforcement, public health).
Patient Rights: Right to access, amend, and receive an accounting of disclosures of their PHI.
2. Security Rule
Purpose: Sets standards for safeguarding electronic PHI (ePHI).
Safeguards Required:
Administrative: Policies, workforce training, risk analysis.
Physical: Facility access controls, workstation security.
Technical: Access controls, audit controls, encryption.
3. Breach Notification Rule
Purpose: Requires covered entities to notify affected individuals, HHS, and sometimes the media of a breach of unsecured PHI.
Timeline: Notification must be made without unreasonable delay and no later than 60 days after discovery.
4. Enforcement Rule
Purpose: Establishes procedures for investigations, penalties, and hearings for HIPAA violations.
Key Definitions
Protected Health Information (PHI): Any information that can identify an individual and relates to their health status, provision of health care, or payment for health care. Examples: names, addresses, birth dates, Social Security numbers, medical records, lab results, insurance information.
Covered Entities: Health care providers, health plans, health care clearinghouses.
Business Associates: Vendors and subcontractors who handle PHI on behalf of covered entities.
Compliance Checklist
Appoint a HIPAA Privacy & Security Officer
Conduct regular risk assessments
Implement written policies and procedures
Train all workforce members on HIPAA
Secure all forms of PHI (paper, oral, electronic)
Limit PHI access to only those who need it
Use secure methods for transmitting PHI (encryption, secure email)
Have a breach notification process in place
Maintain documentation of compliance efforts
Review and update policies regularly
Common HIPAA Violations
Unauthorized access to PHI
Failure to perform risk assessments
Lack of employee training
Improper disposal of PHI
Lost or stolen devices containing ePHI
Failure to notify affected parties after a breach
Patient Rights
Access: Patients can request and obtain copies of their health records.
Amendment: Patients can request corrections to their records.
Restrictions: Patients can request restrictions on certain uses/disclosures.
Confidential Communications: Patients can request communications by alternative means or locations.
Accounting: Patients can request a record of certain disclosures.
Everyday Practices for Workforce Members
Always verify identity before sharing PHI
Never discuss PHI in public areas
Lock computers and files when not in use
Report suspected breaches immediately
Use strong passwords and change them regularly
Shred documents containing PHI before disposal
2025 Updates
Proposed changes to the Security Rule: New mandates may be coming, including enhanced requirements for risk analysis, incident response, and encryption standards.
Stay updated: Regularly check for new guidance from HHS and OCR.
Quick Reference Table

Rule              | What It Covers          | Key Actions
------------------|-------------------------|-----------------------------------------
Privacy Rule      | PHI in all forms        | Limit use/disclosure, patient rights
Security Rule     | ePHI                    | Safeguards: admin, physical, technical
Breach Rule       | Breaches of PHI         | Notify affected parties, HHS
Enforcement Rule  | Compliance & penalties  | Investigations, fines, corrective action
Bookmark this guide for quick reference and always follow your organization’s HIPAA policies!