
Who and What HIPAA Protects

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI).

PHI is any demographic information – names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos, for example.

Any of this information that is transmitted, stored, or accessed electronically also falls under HIPAA regulatory standards.

Who Needs to Be Compliant?
HIPAA regulation identifies two types of organizations that must be HIPAA compliant.

Covered entities are organizations that collect, create, or transmit PHI electronically. Examples include healthcare providers, healthcare clearinghouses, and health insurance providers.

Business associates are organizations that encounter PHI in any way over the course of their work. Common examples include billing companies, IT providers, shredding companies, and email hosting services.


HIPAA regulations are made up of several rules created between 1996 and now.

The HIPAA Rules that you should be aware of include:

HIPAA Privacy Rule
This rule is mainly concerned with providing parameters for safely handling PHI. To ensure this is done properly, the Privacy Rule defines how organizations and individuals can use and disclose PHI.

PHI can be disclosed without permission when it’s been properly de-identified by either the “safe harbor” method – stripping all PHI from a record – or the “expert determination” method – having a statistician apply statistical or scientific principles to determine the probability that the information couldn’t identify the patient.

HIPAA Security Rule
The HIPAA Security Rule sets national standards for the maintenance, transmission, and handling of electronic PHI (ePHI). It also outlines standards for the integrity and safety of ePHI, including physical, administrative, and technical safeguards that must be in place.

Specifics of the regulations must be documented in any organization’s HIPAA Policies and Procedures and staff must be trained on these annually, with documented results.

HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule is a set of standards that must be followed in the event of a data breach. There are two kinds of breaches: major and minor. Organizations are required to report all breaches, but the steps for reporting change depending on the type of breach.

A minor breach is one that affects fewer than 500 individuals in a single event. The Rule requires businesses to gather data on all minor breaches that occur over the course of a year and report them within 60 days of the end of the calendar year in which they occurred.

A major breach is one that affects more than 500 individuals in a single event. The Rule requires that these be reported within 60 days of discovery. Any affected individuals must be notified upon discovery of the breach as well.

GINA, HITECH, and the Omnibus Rule

To fully understand HIPAA, it’s imperative to understand the updates that have been made to the law.

In 2008, the Genetic Information Nondiscrimination Act (GINA) was enacted by the Office for Civil Rights. GINA strengthens privacy rights and protects individuals against discrimination based on genetic information.

Under GINA Title II, businesses are prohibited from discriminating based on genetic information to help protect employees. By prohibiting discrimination based on genetic information, GINA encourages people to receive genetic testing, which can help them receive early diagnoses for certain diseases.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was created in 2009. It updated privacy requirements, increased penalties for HIPAA violations, and formalized a structured process for handling and reporting PHI breaches.

Furthermore, this Act confirms that business associates are required to comply with HIPAA and allows for auditing of covered entities and business associates to ensure they are compliant.

Omnibus Rule
The Omnibus Rule, which was created in 2013, focuses on updating privacy, security, and enforcement requirements by reinforcing limitations on uses and disclosures of PHI for things like marketing and fundraising. It also expanded patient rights for receiving electronic copies of their health information.

HIPAA Violations and Breaches

A breach is a violation of the HIPAA Privacy Rule through the illegal acquisition, access, use, or disclosure of PHI. It’s important to note that breaches can happen in a number of different ways and settings—intentionally or otherwise.

Some common causes of HIPAA violations are:

  • Stolen electronics
  • Malware attacks
  • Computer hacking
  • Office break-ins
  • Sharing wrong information with intended recipient
  • Posting information on social media

Impermissible Access, Acquisition, Use, and Disclosure

Impermissible access refers to the ability or means necessary to read, change, or communicate PHI or otherwise use a system resource in a manner not permitted by the Privacy Rule – for example, looking up a friend or family member’s health record without authorization to do so.

Impermissible acquisition means the act of obtaining PHI when you aren’t authorized by your job to do so – for example, getting the PHI of someone not under your direct care or supervision.

Impermissible use involves sharing, giving employment, using, or analyzing PHI when your use extends beyond official business.

Impermissible disclosure is the release of information – for example, if you accidentally faxed patient information to a gas station instead of a medical office.

Exceptions to the Rule

However, there are times when any of these are not a breach. They must fall under one of three conditions:

  1. Unintentional Acquisition, Access, or Use
  2. Inadvertent Disclosure to an Authorized Person
  3. Inability to Retain PHI

The first exception is when an employee unintentionally acquires, accesses, or uses PHI within the scope of their authority, and they do not further disclose the information.

The second exception is when a person authorized to access PHI accidentally shares PHI with another authorized user at the same organization, and PHI is not further shared.

The third exception is when an organization disclosing PHI believes in good faith that the unauthorized person receiving the information wouldn’t have been able to retain it.

Result of Failure to Comply

Violating HIPAA can be a costly mistake. Ignoring the rules and not taking precautions puts your entire organization at risk.

Corrective Action

If noncompliance is discovered, the organization will be put through a deadline-driven corrective action plan. The plan works to bring the organization up to standards by working with the Office for Civil Rights. Corrective action plans typically require ePHI risk analysis, added encryption, documentation of policies and procedures related to privacy and breach notification, and added training, all usually to be completed within 30 days.

Fines and Penalties for Civil Violations

HIPAA breaks the monetary penalties into four tiers:

  • First Tier: The covered entity did not know and could not have reasonably known of the breach. Fines range from $100 to $50,000 per incident, up to $1.5 million in penalties.
  • Second Tier: The covered entity knew or could have known of the violation, though they did not act with willful neglect. Fines range from $1,000 to $50,000 per incident, up to $1.5 million.
  • Third Tier: The covered entity “acted with willful neglect” and corrected the problems within 30 days of the breach. Penalties range from $10,000 – $50,000 per incident up to $1.5 million.
  • Fourth Tier: The covered entity acted with willful neglect and failed to make a timely correction. Fines start at $50,000 per incident up to $1.5 million.

Criminal Violations

Criminal violations are handled by the Department of Justice and come with differing severity levels as well.

Covered entities that knowingly obtain or disclose health information face up to a $50,000 fine as well as a 1-year jail sentence.

Any offense committed under false pretenses raises the possible fine to $100,000 with up to a 5-year jail sentence.

If an offense is committed with the intent to sell or use health information for commercial advantage, personal gain, or malicious harm, fines grow to $250,000 and the prison sentence rises to 10 years.

HIPAA Compliance Requirements

HIPAA regulation outlines a set of national standards that all covered entities and business associates must address.

Policies, Procedures, and Employee Training: Covered entities and business associates must develop policies and procedures that meet HIPAA regulatory standards, and they must be regularly updated. Yearly employee training on the policies and procedures is required, along with a record of employees having read and understood them.

Self-Audits: HIPAA requires covered entities and business associates to conduct annual audits of their organization to assess for any gaps in compliance with HIPAA standards.

Remediation Plans: Once organizations and business associates have identified their gaps in compliance through self-audits, they must implement remediation plans to close the gaps. These plans should be documented and include deadlines for completion.

Documentation: Organizations must document all their efforts to become HIPAA compliant. This documentation is critical during any investigations or audits.

Incident Management: If an organization or business associate has a data breach, they must have a process in place to document the breach and notify people that their data has been compromised.

Business Associate Management: Workplaces and business associates must document all vendors with whom they share PHI in any way to ensure PHI is handled securely and mitigate liability.

How Online Training Can Be Used for HIPAA Compliance

HIPAA compliance is vital for employees who work with public health information in any way.

BizLibrary curates a large and diverse video training library with numerous courses focused on developing knowledge and awareness of HIPAA laws and regulations.


Online training is quickly becoming the best way to teach employees skills they need to do their jobs. Numerous studies have shown that online training is often more effective, and learners retain more information than with classroom training alone.

Our micro video format breaks content up into smaller, more manageable chunks, making it easier for employees to learn and apply this knowledge when they need it. These online courses can be viewed on an individual basis – where an employee learns by themselves at work or at home – or as part of a group training environment or discussion.

Help your employees be HIPAA compliant by utilizing modern, engaging training content in an easy-to-use platform. Talk with an expert to learn how our online learning solutions can transform training in your organization.
