ForgeAwareness

What HIPAA actually requires of you

TL;DR

HIPAA is famously over-cited and under-understood. This is a quick guide to what the Privacy Rule and the Security Rule actually require of ordinary workforce members, without the 200-page compliance manual.

Who HIPAA applies to

HIPAA applies to:

  • Covered Entities — healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses
  • Business Associates — vendors and contractors that create, receive, maintain, or transmit PHI on behalf of a covered entity
  • Subcontractors — anyone a business associate hires who in turn touches that PHI (they become business associates themselves)

If your company is one of these, you handle PHI under HIPAA. Penalty amounts take culpability and organization size into account; the obligations do not.

What PHI actually is

Protected Health Information (PHI) is any information, in any form (paper, spoken, or electronic), created or received by a covered entity or business associate that:

  1. Identifies an individual (directly or indirectly), AND
  2. Relates to a past, present, or future health condition, the provision of healthcare, or payment for healthcare

This is broader than people realize:

  • Direct identifiers — name, address, date of birth, SSN, medical record number (MRN), account number
  • Indirect identifiers — zip code in a small population, dates of service, device and serial numbers, IP addresses
  • Combined data that re-identifies — "anonymized" data plus context (a rare diagnosis, a small clinic, a date) can become PHI again

Anything with an identifier AND a health context is PHI. Lab results stripped of every identifier, including the MRN, accession number, and dates, are usually not PHI; a name plus an appointment date is PHI. Note that the same data held outside a covered entity or business associate (for example, in a consumer fitness app) is not PHI under HIPAA, though other laws may apply.

The two rules you actually care about

Privacy Rule (45 CFR Part 164 Subpart E)

Governs uses and disclosures of PHI in any form:

  • Minimum necessary — use, disclose, and request only the PHI needed for the task (treatment disclosures between providers are exempt)
  • Patient rights — access and copies of their records, amendment, an accounting of disclosures, requested restrictions, and confidential communications by alternative means
  • Written authorization for uses and disclosures beyond treatment, payment, healthcare operations, and the other uses the rule specifically permits
  • Notice of Privacy Practices describing how the organization uses PHI and what rights patients have

Security Rule (45 CFR Part 164 Subpart C)

Governs the confidentiality, integrity, and availability of electronic PHI (ePHI) only; paper and spoken PHI fall under the Privacy Rule alone:

  • Administrative safeguards — risk analysis and risk management, workforce training, access management, sanctions policy, incident procedures, contingency planning
  • Physical safeguards — facility access controls, workstation use and security, device and media controls
  • Technical safeguards — access control, audit controls, integrity controls, person or entity authentication, transmission security

What the rules require of you specifically

As a workforce member:

  1. Complete required training at hire and periodically thereafter
  2. Use the minimum necessary PHI for the task — don't access records you don't need, including those of family members, coworkers, or public figures you are not treating; access logs are audited
  3. Don't disclose PHI outside the permitted uses (treatment, payment, healthcare operations) without a valid authorization
  4. Protect ePHI with the controls your security team provides — unique logins, MFA where offered, encrypted devices, approved channels for sending PHI
  5. Report suspected violations and security incidents (lost device, misdirected email, phishing, unusual account activity) promptly through your organization's incident reporting process; the sanctions policy applies to those who violate the rules, not to those who report them
  6. Follow the data handling policies specific to your role

A note on the 2025 proposed Security Rule update

In January 2025, HHS published a Notice of Proposed Rulemaking with major updates to the HIPAA Security Rule. Highlights of the proposal:

  • Removing the distinction between "required" and "addressable" specifications, so that nearly all of them become mandatory
  • Specific timelines for training (within 30 days of hire, and annually after)
  • Encryption of ePHI at rest and in transit required, with limited exceptions
  • Network segmentation, multi-factor authentication, and vulnerability management (regular scanning and penetration testing) stated explicitly
  • Incident response and contingency timelines, including restoring critical systems within a set period

The final rule is expected in 2025–2026. Until it is published, the current Security Rule remains in force, but many organizations are adopting the proposed controls preemptively because the direction is clear.

Knowledge check

Knowledge check 1

Which of these is PHI?