The three rules of HIPAA: What small businesses need to know

If your business has any contact with PHI, you need to understand HIPAA's requirements. Let's break it down to help you avoid penalties and protect your customers' privacy.
What are the components of HIPAA?
HIPAA is a comprehensive law that's divided into five sections. Understanding them helps you know which parts impact your business.
Health care access, portability, and renewability
Title I allows employees who change jobs or lose their positions to maintain health insurance coverage as they transition to new employment. It also secures patients’ private medical data and outlines how medical information flows between providers, insurance companies, and other authorized parties.
Administrative simplification
Title II requires national standards for healthcare transactions to streamline processes and ensure consistency throughout the healthcare system. It also establishes programs to prevent fraudulent healthcare practices. This title contains the standards for privacy, security, and breach notification.
Tax-related health provisions
Title III focuses on tax issues related to health insurance. It establishes rules that allow individuals and employers to take advantage of tax-advantaged accounts, and it covers the tax treatment of health insurance premiums and medical expenses. You'll need to understand Title III if your business provides health benefits or helps employees with health savings accounts (HSAs), medical savings accounts (MSAs), or flexible spending arrangements (FSAs).
Application and enforcement of group health plan requirements
Title IV outlines the requirements for group health plans serving individuals with pre-existing conditions. It also clarifies continuous coverage requirements and the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA). If you’re a small business owner who offers group health plans, you’ll need to understand Title IV, so you’ll know your obligations regarding employees with pre-existing conditions and those eligible for COBRA coverage after they leave your company.
Revenue offsets
Title V provides guidelines for business-owned life insurance policies. It also discusses the tax responsibilities for individuals who renounce their U.S. citizenship or residency.
What are the three patient rights under the HIPAA privacy rule?
As a small business owner, you may be wondering, "What are the three patient rights under the HIPAA privacy rule?" Patients have several rights under HIPAA, not just three. Many people confuse the number of rights with the three rules of HIPAA.
HIPAA gives patients strong rights over their health information. They have the right to:
- Access and review copies of their own medical records
- Ask providers to correct or update inaccurate or incomplete details
- Receive a written explanation of how their health information may be used or shared
- Request limits on how specific details are used or disclosed
- Ask that communications about their health be sent through private methods
- See a record of when and why their information has been shared with others
- Cancel previously granted permission to disclose their health information
Understanding the rights that people have under HIPAA is essential for small and micro businesses that handle healthcare information. If you aren't compliant, your business could face significant financial penalties. Your clients may also lose trust in your ability to safeguard their data, which could impact your revenue.
While HIPAA has five broad components, many people refer to the "HIPAA three rules" or "three components of HIPAA" when discussing compliance requirements. These rules state exactly how your business should handle and protect PHI and who must be notified if a breach occurs.
What are the three main rules of HIPAA?
Whether you've heard them called the three parts of HIPAA, the three components of HIPAA, or the three rules of HIPAA, they all refer to the same thing. Your business must comply with all three of these rules to avoid hefty penalties.
- Privacy Rule: States who can access PHI and how information can be used without patient authorization.
- Security Rule: States how electronic PHI should be safeguarded.
- Breach Notification Rule: If a breach of PHI occurs, this rule states who should be notified.

Rule 1: HIPAA privacy rule
The HIPAA privacy rule is a federal law that safeguards PHI. It establishes clear boundaries on how healthcare providers, insurers, and their business partners can use or share this information without patients’ consent.
The HIPAA privacy rule applies to healthcare providers, like doctors, hospitals, pharmacies, and nursing homes. Healthcare insurers must also comply. Additionally, business associates like billing companies and IT providers that handle PHI are also subject to HIPAA requirements.
The components of the HIPAA privacy rule establish several requirements for health records. Under the minimum necessary standard, PHI access and disclosure must be limited to only what's needed to accomplish the intended purpose. Organizations must provide patients with a Notice of Privacy Practices to explain how their health information will be used and disclosed. Patients also have the right to obtain, amend, and manage who has access to their medical records.
Rule 2: HIPAA security rule
The HIPAA security rule focuses on electronic protected health information (ePHI). It requires healthcare organizations and their business partners to put in place security policies and procedures for effective security management.
There are three aspects of HIPAA security that work together to protect patient information:
Technical security requirements
These measures protect networks and devices from data breaches. Technical security requirements include:
- Encrypting sensitive files your organization sends via email and ensuring any cloud-based platform you use offers encryption
- Protecting your network from hackers and other cyber thieves with firewalls and intrusion detection and prevention systems
- Training your employees to identify and avoid phishing scams
- Backing up data in case of accidental deletion or changes
- Authenticating data transfers to third parties by requiring a password, a two- or three-way handshake, a token, or a callback
- Requiring employees to periodically change their passwords and ensuring passwords contain a mix of letters, numbers, and special characters
- Preventing data entry mistakes by using double-keying, checksum, and other redundancy techniques
- Keeping updated documentation of your organization’s technology and network configurations
Encryption is an example of a technical safeguard that pairs with authentication. It protects information by converting it into coded text that can only be deciphered with the proper key, so access to that key must itself be controlled.
Physical security requirements
These HIPAA rules prevent physical theft and loss of devices that contain patient information. Physical security safeguards include:
- Limiting access to computers by keeping them behind counters, secured to desks, and away from the public
- Restricting access to secure areas, monitoring building safety, and requiring visitors to sign in
- Exercising caution and following best practices when upgrading or disposing of hardware and software, including securely wiping hard drives
- Training employees and contractors on physical safety best practices, including the importance of securing their cell phones and mobile devices
Access controls and secure workstations are examples of physical safeguards. A company could implement visitor controls and place workstations in areas that aren't accessible to unauthorized personnel.
Administrative security requirements
These policies and procedures ensure patient data is correct and accessible to authorized parties. Administrative security requirements include:
- Designating an executive to oversee data security and HIPAA compliance
- Identifying which employees have access to patient data
- Training employees on your organization’s privacy policy and how it applies to their job
- Requiring all outside parties who need to access protected patient data to sign contracts stating they’ll comply with HIPAA security rules
- Backing up data and having an emergency plan for disasters that could cause information loss
- Performing an annual data security assessment
- Creating a data breach response plan that addresses notifying affected patients and fixing compromised IT systems
Employee training and risk analysis are examples of administrative safeguards. Regular security training ensures staff understand their responsibilities in protecting ePHI. Risk analysis helps identify vulnerabilities in your systems and processes.
The importance of cybersecurity and employee awareness for small businesses
Cybersecurity is essential for small businesses as part of their risk management strategy. Be sure to invest in cybersecurity tools like firewalls, antivirus software, and secure backups to protect against security breaches. Cyber insurance also provides another layer of protection by covering the costs related to data breaches, ransomware attacks, and patient notifications.
Employees should be aware of potential risks and how to prevent them. Be sure to develop clear cybersecurity controls and procedures for passwords, handling ePHI, and system access. Also, consider working with IT professionals who specialize in healthcare security. Periodic reviews of your systems and procedures may reveal vulnerabilities.
Rule 3: HIPAA breach notification rule
Even with strong security measures in place, breaches can still occur. A breach is when PHI is used improperly or disclosed without authorization. For example, a breach might involve an unauthorized employee accessing patient files or a ransomware attack that locks down your computer network.
Under the HIPAA breach notification rule, healthcare providers and their business associates must notify anyone whose PHI was involved, as well as report the incident to the Department of Health and Human Services. If the breach affects a large number of individuals, the media may also need to be notified to help spread the word.
To prepare for potential breaches, small businesses should develop a data breach response plan. The plan should outline roles and responsibilities, procedures for responding to the breach, and notification requirements. Data breach insurance also provides important protection in case you’re sued after a data breach.
For small businesses involved in the healthcare industry, the cost of dealing with a PHI breach can be substantial, which is why having cyber liability insurance is essential. When obtaining coverage, it's important to understand the first-party vs. third-party difference. First-party coverage helps your business recover from a cyber event, while third-party coverage protects your business if you’re sued after a data breach. Many small businesses have both to ensure they’re fully protected.
What is the difference between the HIPAA privacy rule and the security rule?
The main difference between the HIPAA privacy rule and the security rule is in what they protect and how it's protected. The privacy rule applies to all forms of PHI, whether written or electronic, and it gives individuals control over how their information is accessed, amended, and shared. In contrast, the security rule focuses on protecting ePHI. It requires healthcare providers and their partners to put administrative, physical, and technical safeguards in place to protect data from unauthorized access.

Why HIPAA compliance matters for small businesses
HIPAA compliance isn’t just for large healthcare facilities. It affects many small businesses, including telehealth providers, small medical practices, IT consultants, medical billing services, consulting professionals, and other healthcare professionals or service providers.
A HIPAA violation can have serious financial consequences. The Office for Civil Rights (OCR) may impose civil fines of $100 to $50,000 per violation, with a yearly cap of $1.5 million for repeated offenses.
The OCR enforces four tiers of civil penalties based on the nature of the violation:
Tier 1:
- Violation that occurs due to lack of awareness
- Fine: $100 to $50,000 per incident
- Repeated violations can cost up to $1.5 million per year
Tier 2:
- HIPAA violation happens because of reasonable cause, but not willful neglect
- Fine: $1,000 to $50,000 per incident
- Repeated violations can cost up to $100,000 per year
Tier 3:
- A level three HIPAA violation is a serious breach that occurs when an organization knowingly fails to comply with HIPAA requirements
- Repeated violations can cost up to $1.5 million per year
Tier 4:
- A violation is due to willful neglect and the organization takes steps to correct the issue
- Fine: $50,000 to $1.5 million per incident
- Repeated violations can cost up to $1.5 million per year
The Department of Justice (DOJ) may also pursue criminal charges, which can lead to fines as high as $250,000 and prison sentences of up to 10 years, depending on the nature of the violation.
DOJ criminal penalties may include:
- Unauthorized and willful disclosure of PHI may result in fines of up to $50,000 and imprisonment for as long as one year
- Illegally obtaining PHI under false pretenses is punishable by up to $100,000 in fines and up to five years in prison
- Using or selling PHI for personal or business profit can lead to fines of up to $250,000 and a prison sentence of up to 10 years
HIPAA violations can create additional problems for small businesses. Patients can sue businesses, which can result in a costly legal battle. Even if a business successfully defends against a lawsuit, it may suffer reputational damage that harms patient trust and results in a loss of business. Employees who intentionally violate HIPAA rules may also face disciplinary action, which may include termination.
Small business owners can manage risks with the right insurance:
- Cyber liability insurance covers costs related to data breaches, notification requirements, and cyber attacks that could expose patient information
- Professional liability insurance, which is also known as errors and omissions insurance, covers claims related to professional mistakes, which could include HIPAA compliance failures
- Medical malpractice insurance protects healthcare providers against claims of negligence, misdiagnosis, treatment errors, or omissions that result in patient harm

Do all small businesses need to follow HIPAA?
Small businesses must comply with HIPAA if they work in healthcare or deal with PHI or individually identifiable health information (IIHI). HIPAA regulations apply to covered entities, such as healthcare providers, health insurance plans, healthcare clearinghouses, and their business associates. The law applies regardless of the size of the organization.
How can small businesses afford HIPAA compliance?
Small businesses can manage the cost of HIPAA compliance by training staff in privacy practices, using free resources, and adopting essential security measures, like encryption and access controls. Businesses can also focus on risk assessment and remediation to address the most critical vulnerabilities instead of full compliance certification.
Get the right coverage with Insureon
It's easy to get insurance for your small business with Insureon. Just fill out our online application to receive quotes from trusted providers. Our expert insurance agents are available to answer any questions and help you find the best small business insurance for your needs.
Most small business owners can get same-day coverage and easily download a certificate of liability insurance as soon as they purchase a policy.
Cyrus Vanover, Contributing Writer
Cyrus is a finance and insurance writer who is passionate about helping people and businesses succeed. He is also the author of the book "Earn a Debt-Free College Degree." He has written for some of the largest financial institutions in the country including TD Bank, Citizens Bank, and many credit unions. Cyrus has also contributed to Newsweek. Based in the Blue Ridge Mountains of Virginia, he enjoys hiking the local trails and exploring old Civil War battlefields and other historical sites in his spare time.