This outline helps you create foolproof, powerful, and effective HIPAA training across your organization. Whether starting from scratch or revising your current training, you can use this to improve.

This article highlights the following HIPAA topics:

  1. Who must comply with HIPAA?
  2. What is Protected Health Information (PHI)?
  3. The Minimum Necessary Standard
  4. The Patient Right of Access
  5. Risk Analysis – Risk Management
  6. HIPAA Breach Notification

Background and Enforcement

Federal Law

The Health Information Portability and Accountability Act, or HIPAA, originally passed in 1996. It has been updated frequently since then, most recently in 2024. The HIPAA Privacy Rule was modified to support reproductive health care privacy and coordinate better with substance abuse treatment regulations (SAMHSA), although enforcement of these changes is months away.*

There are three essential HIPAA Rules: the Privacy, Security, and Breach Notification Rules. The Privacy Rule is the fundamental rule.

State Law

State privacy laws also apply. HIPAA governs unless the state law is more strict (more protective for patients).

Enforcement by Government and the Courts

HIPAA is enforced by:

  • the U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) through audits and investigations.
  • the Federal Trade Commission (FTC) enforces HIPAA, its own Health Breach Notification Rule, and the FTC Act through investigations.
  • State Attorneys General can enforce HIPAA through investigations or lawsuits.
  • Lawsuits from individuals alleging breach of privacy and negligence. Although HIPAA does not provide a right for individuals to sue, more and more breach of privacy lawsuits are being filed under state laws. In many cases, HIPAA rules are held up as standards to prove whether the defendant was negligent or careless about protecting patient privacy.

Who Must Comply with HIPAA

  • HIPAA requires Covered Entities and Business Associates (third-party vendors that handle PHI ) to comply with HIPAA.
  • Employers, law enforcement, and schools are not subject to HIPAA, although other privacy laws and professional ethics apply.
  • Individuals (patients and their family members) are not required to follow HIPAA.

Everyone in the organization, from senior management to new hires, should receive HIPAA training and agree to follow the organization’s HIPAA policies.

What is Protected Health Information

  • Protected Health Information (PHI) is any one piece of personally identifying information that is connected to the provision of past, present, or future health care, e.g., a name, a phone number, a medical record number, etc.
  • PHI does not need to contain specific medical information or a diagnosis.
  • PHI may not be used or disclosed without the patient’s authorization, except PHI may be used or disclosed for purposes of treatment, payment or health care operations without authorization.
  • PHI may be on paper, in electronic format (sometimes called ePHI), on film or x-ray, or spoken.

The Minimum Necessary Standard

  • When using or disclosing PHI, only use or disclose the minimum amount necessary to accomplish the task.
  • Minimum necessary does not apply to covered entities disclosing PHI to other covered entities for the purpose of treatment.

The Right of Access Rule

  • HIPAA protects the right of patients to obtain their medical records.
  • Covered entities should fulfill patient records requests promptly (in 30 days or less) and at little or no cost.
  • OCR enforces the patient Right of Access rule through its Right of Access Initiative. It’s one of OCR’s highest priorities.

Risk Analysis – Risk Management

  • All covered entities and business associates must complete a HIPAA Risk Analysis and follow a Risk Management Plan. It’s required by HIPAA, and it’s also the best defense against cybersecurity risks and breaches.
  • Just this year, OCR has made Risk Analysis a high enforcement priority.
  • A complete HIPAA Risk Analysis is broader than a “security risk assessment” because it includes requirements from the Privacy and Breach Notification Rules, not just the Security Rule.
  • A separate Risk Analysis should be conducted at each location.
  • Managing business associates is a critical central part of HIPAA compliance, and the Risk Analysis helps accomplish this.

How to Prevent Breaches and What to Do if a Breach Happens

  • Your Security Official should review the most recent NIST Guidance and the new Cybersecurity Performance Goals (CPGs) and implement improvements where feasible.
  • Follow the HIPAA Security Rule.
  • Create a “culture of compliance” to foster questions and communication from staff. Encourage staff to report cybersecurity incidents and breaches without fear of reprisal. All potential breaches must be investigated immediately to understand what happened and determine next steps.
  • The Breach Notification Rule requires certain steps to be followed if a breach occurs.
  • Provide workforce training on general HIPAA compliance and cybersecurity awareness.
  • OCR presumes a ransomware attack to be a breach. If ransomware happens, treat it as a breach while you investigate whether the PHI has been compromised. Consult with a lawyer and report ransomware to the local FBI field office.

Trust The HIPAA E-Tool® for Expert Guidance

Stay confident with expert help. For detailed guidance, The HIPAA E-Tool® is the best choice.

Let us know if you have questions about HIPAA enforcement, policies, or training.

*Compliance with the modifications is not required until December 23, 2024, and the new language needed in the Notice of Privacy Practices will not be enforced until February 16, 2026, to match the SAMHSA compliance date.

Free HIPPA Checklist
What best describes you?