
What Are the Three Rules of HIPAA? A Basic Overview

What are the HIPAA rules, why must they be followed, and what do they mean when you fax documents online? Before you fax anything that contains protected health information (PHI), you need answers to these questions.

In healthcare, protecting patient privacy is a top priority, and that is why the United States enacted HIPAA, the Health Insurance Portability and Accountability Act of 1996. Under the law and its implementing regulations, covered entities (health plans, health care clearinghouses, and health care providers that conduct standard transactions electronically) and their business associates must meet national standards and are held accountable for violations.

HIPAA also covers electronic activities such as transmitting patient health information through online fax. If you need to fax documents containing PHI, learning the three basic rules of HIPAA is a must.


What are the three rules of HIPAA?

The 3 HIPAA rules are:

  1. Privacy Rule
  2. Security Rule
  3. Breach Notification Rule

HIPAA's administrative simplification regulations include three rules that every covered entity, and every business associate that handles PHI on its behalf, must follow: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

The HIPAA Privacy Rule 

The first of the three rules is the HIPAA Privacy Rule.

This rule applies to all covered entities and, through their contracts, to their business associates, and it protects PHI in any form or medium, whether paper, electronic, or oral. Under this rule, a covered entity may use or disclose PHI only in the circumstances the rule permits or requires, and it must limit most uses and disclosures to the minimum necessary to accomplish the purpose.

Permitted uses and disclosures include disclosure to the individual who is the subject of the PHI, and uses and disclosures for the covered entity's own treatment, payment, and health care operations. Outside the permitted circumstances, the covered entity must obtain the individual's written authorization before using or disclosing the PHI. The rule also contains provisions on specific activities such as accounting for disclosures, designating a privacy official, and publishing a notice of privacy practices.

A covered entity that fails to comply with the Privacy Rule faces civil money penalties that scale with the severity of the violation. In addition, a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces criminal penalties of up to $250,000 in fines and up to 10 years of imprisonment when the offense is committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.

The HIPAA Security Rule

The second rule, the HIPAA Security Rule, applies only to electronic protected health information (ePHI), that is, PHI that a covered entity or business associate creates, receives, maintains, or transmits in electronic form. PHI that exists only on paper or is spoken aloud is protected by the Privacy Rule, not the Security Rule. PHI sent or received through an online fax service is ePHI.

The Security Rule applies to all covered entities and their business associates. It requires them to put in place three categories of safeguards: administrative (risk analysis, workforce training, contingency planning), physical (facility and workstation controls, device and media handling), and technical (access control, audit controls, integrity protection, authentication, and transmission security).

Under this rule, covered entities and business associates must ensure the confidentiality, integrity, and availability of ePHI and protect it against reasonably anticipated threats and impermissible uses or disclosures. The safeguards must be reasonable and appropriate for the organization's size and risk, and the organization is responsible for periodically reviewing and updating them as its environment changes.

What Are the Three Rules of HIPAA? A Basic Overview

The HIPAA Breach Notification Rule

The third rule, the HIPAA Breach Notification Rule, completes the answer.

Under this rule, covered entities and their business associates must give notice of breaches of unsecured PHI. A breach is an acquisition, access, use, or disclosure of PHI that is not permitted under the Privacy Rule and that compromises the security or privacy of the information; such an incident is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. PHI counts as "unsecured" unless it was rendered unusable, unreadable, or indecipherable to unauthorized persons, for example by encryption consistent with HHS guidance, or by destruction. A breach involving only properly encrypted PHI therefore does not trigger these notices.

While the definition has exceptions, any incident that qualifies as a breach must be reported. The covered entity must notify each affected individual and the Secretary of HHS. If the breach affects more than 500 residents of a single state or jurisdiction, the covered entity must also notify prominent media outlets serving that area.

Individual and media notices must be sent without unreasonable delay and no later than 60 calendar days after the breach is discovered (a breach is treated as discovered on the first day it is known, or reasonably should have been known, to the organization). If the breach affects 500 or more individuals, HHS must be notified on the same timeline. Breaches affecting fewer than 500 individuals are logged and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity without unreasonable delay and within 60 days of discovery, so that the covered entity can meet its own deadlines.
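As an added example (not code from the original article or from iFax), the decision logic described above, expressed as a small Python function an incident response team could run against a constructed incident record. The dates, jurisdiction counts, and the `phi_secured` flag are assumptions for illustration; whether PHI was actually "secured" still depends on a review of the encryption or destruction method used.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and timelines from 45 CFR 164.400-414.
NOTICE_WINDOW_DAYS = 60            # individuals, media, and HHS (500+ individuals)
HHS_CONTEMPORANEOUS_THRESHOLD = 500  # 500 or more individuals: notify HHS with the individual notices
MEDIA_THRESHOLD_PER_JURISDICTION = 500  # more than 500 residents of one state or jurisdiction


@dataclass
class BreachIncident:
    """A constructed incident record (hypothetical, for illustration)."""
    discovered: date                   # first day the breach was known or should have been known
    affected_by_jurisdiction: dict     # e.g. {"CA": 620, "NV": 40}
    phi_secured: bool = False          # True only if the PHI was encrypted/destroyed per HHS guidance

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_jurisdiction.values())


def required_notifications(incident: BreachIncident) -> dict:
    """Return the notices the Breach Notification Rule requires and their outer deadlines.

    Keys: 'individuals', 'media' (a dict of jurisdiction -> deadline), and 'hhs'.
    An empty dict means no notification obligation under this rule.
    """
    # Notification obligations attach only to *unsecured* PHI.
    if incident.phi_secured:
        return {}

    # The deadline is an outer bound; notice must go out "without unreasonable delay".
    deadline = incident.discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    notices = {"individuals": deadline}

    # Media notice is per jurisdiction and is based on residents of that jurisdiction,
    # not on the total count.
    media = {
        jurisdiction: deadline
        for jurisdiction, count in incident.affected_by_jurisdiction.items()
        if count > MEDIA_THRESHOLD_PER_JURISDICTION
    }
    if media:
        notices["media"] = media

    # HHS: contemporaneously for 500+ individuals, otherwise on the annual log
    # due 60 days after the end of the calendar year of discovery.
    if incident.total_affected >= HHS_CONTEMPORANEOUS_THRESHOLD:
        notices["hhs"] = deadline
    else:
        year_end = date(incident.discovered.year, 12, 31)
        notices["hhs"] = year_end + timedelta(days=NOTICE_WINDOW_DAYS)
    return notices


if __name__ == "__main__":
    # Constructed sample incidents (hypothetical).
    large = BreachIncident(date(2024, 3, 15), {"CA": 620, "NV": 40})
    small = BreachIncident(date(2024, 3, 15), {"OR": 120})
    encrypted = BreachIncident(date(2024, 3, 15), {"OR": 120}, phi_secured=True)
    for name, incident in [("large", large), ("small", small), ("encrypted", encrypted)]:
        print(name, required_notifications(incident))
```

The example deliberately keys the media decision to the per-jurisdiction count and the HHS decision to the total, because the two thresholds are measured differently: a breach of 660 people spread evenly across two states would require HHS notice within 60 days but no media notice.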

What Are the Top 3 Causes of HIPAA Violations?

With the three rules covered, it is worth knowing the three most common causes of HIPAA violations.

According to Calyptix, the most common cause is theft of hardware (laptops, phones, and portable media holding unencrypted PHI), followed by unauthorized access to or disclosure of protected records. Human error is also a frequent cause: forgetting to shred documents, misplacing files, and leaving a workstation logged in after a session.

Hacking is the third most common cause. Many healthcare facilities have fallen to malware, and ransomware in particular has cost organizations thousands of dollars in payments demanded in exchange for access to their own encrypted records, on top of the breach notification and remediation costs that follow.


Final Thoughts

Knowing the three rules of HIPAA is part of being a responsible individual. Even if you do not work in the healthcare sector, it pays to know them, and if you handle PHI for a covered entity, knowing what each rule means also tells you what your own duties are.

It is not just a matter of civil or corporate responsibility. It is also a matter of moral responsibility, since the ultimate goal is to protect the patient's privacy and well-being. The HIPAA rules formalize an individual's right to private and secure health information.

Following these rules also protects covered entities. Documented compliance gives an organization a defensible record against unprofessional conduct and unfounded complaints.

Individuals and businesses faxing PHI online must always make sure that the Internet fax service they use is secure and supports HIPAA compliance. Note that HHS does not certify products or services as HIPAA-compliant, so a vendor's claim of compliance or "certification" should be backed by a signed business associate agreement (BAA) and by documented safeguards, not taken on its own.

For a fax service, that means the provider will sign a BAA, encrypts PHI in transit and at rest, restricts and logs access to stored faxes, and can support your own risk analysis. Encryption also matters for the Breach Notification Rule: PHI encrypted in line with HHS guidance is not "unsecured," so its loss does not by itself trigger notification.

Need to fax documents that contain protected health information? Make sure your online fax service meets these requirements.

iFax offers enterprise-grade security with 256-bit AES encryption of fax data and will sign a BAA with covered entities, so your online faxes are protected around the clock.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.
