Atlantic.Net Blog

What Are HIPAA Compliance Rules and Guidelines?

Editorial Team
by Atlantic.Net (263 posts) under HIPAA Compliant Hosting

If you’re looking at IT requirements for healthcare systems, a term that you will come across repeatedly is “HIPAA compliance.” This article talks about HIPAA, summarizes the basic HIPAA compliance rules, and briefly addresses a related act, HITECH.

  • HIPAA Explained
  • HIPAA Compliance Rules
  • What About HITECH Compliance?
  • HIPAA, HITECH, and Business Associates

HIPAA Explained

The Health Insurance Portability and Accountability Act (HIPAA) was passed by both houses of US Congress and signed into law by President Bill Clinton in 1996.

The act stated that regulations would be developed to serve a dual purpose:

  1. Streamline healthcare administration.
  2. Ensure that all US citizens’ health records are kept private and secure.

“The Act required Congress to enact laws implementing these goals by 1999,” said the Oregon Association of Hospitals and Health Systems (OAHHS). “When Congress failed to do so, DHHS stepped in and began promulgating regulations.”

When an IT service or healthcare organization describes itself as “HIPAA compliant,” that means that it is following the HIPAA compliance guidelines established within the law to safeguard the medical records (precisely the protected health information (PHI) delineated by HIPAA) of American patients.

Healthcare organizations must stay compliant because they are considered covered entities, while IT companies and others must be compliant as a business associate of healthcare organizations. Covered entities include healthcare providers (doctors, hospitals), healthcare plans (insurance carriers, company health plans), and health data clearinghouses. Meanwhile, business associates include organizations and individuals that contact the data, including technology service providers (e.g., web hosting firms), accountants, and shredding companies.

Covered entities and business associates must sign business associate agreements to solidify their relationship – the tasks to be performed by the business associate and its responsibilities about the protected health information. It should be noted that there is an exemption for certain companies, called the mere conduit exemption, that hosting companies and other organizations often wrongly believe applies to them. The exemption is for companies that temporarily store health data or make incidental contact with it while it is in transit, such as Internet service providers and paging businesses.

“The key difference between a conduit and a Business Associate is the transient versus persistent nature of the opportunity to view the PHI,” explained attorneys Linda McReynolds and Ronald Quirk. “To qualify as a conduit, a service provider must ensure that PHI is only temporarily stored.  It is irrelevant whether the service provider actually views the PHI.”

HIPAA Compliance Rules

There are three primary sections to the regulations, which are largely overseen by the Office for Civil Rights (OCR), an agency within the Department of Health and Human Services (DHHS or HHS):

  1. Standards for healthcare transactions
  2. The HIPAA Privacy Rule
  3. The HIPAA Security Rule.

Standards for healthcare transactions

These guidelines were essentially an effort to make transactions fit within a uniform framework. They became enforceable on October 16, 2000. However, the rules permitted that covered entities (the providers, plans, and clearinghouses described above) had until October 16, 2002, to develop an appropriate plan of action. The actual, final point at which HIPAA compliance became nonnegotiable was October 2003.

The HIPAA Privacy Rule

This rule, which is a broad set of guidelines, outlines the requirements of healthcare companies related to privacy, such as disclosure of health-related personally identifiable information and instructions for giving privacy notices to patients. According to OAHHS, it also detailed how organizations must “obtain consent and authorization for the use of information and tell how information is generally shared and how patients can access, inspect, copy, and amend their own medical record.”

These stipulations became binding on April 2001.

Here are a few of the most critical elements for providers:

  • Privacy notice guidelines
  • Rules related to patients opting out
  • “Requirements for minimum necessary.”
  • Administrative safeguards
  • The responsibilities of partner organizations (see HITECH information below).

The HIPAA Security Rule

Again, this rule (a set of regulations) specifically states what must be done administratively and what firms must implement HIPAA physical safeguards to maintain compliance. The objective of both the administrative and physical safeguards was to ensure that all PHI was of high integrity (i.e., not lost or manipulated) and was kept away from any unauthorized parties. April 2005 was when companies had to achieve compliance with this rule.

What About HITECH Compliance?

Similar federal legislation important to healthcare organizations is the Health Information Technology for Clinical and Economic Health Act of 2009 (HITECH). “It was passed as a monetary incentive plan for hospitals to begin converting to electronic health records,” explained the American Bar Association. Although “the idea was for any hospital to be able to access all of your medical records” – with the basic goal of interoperability – privacy and security concerns have limited that fundamental objective.

HIPAA, HITECH, and Business Associates

One section of HITECH that was particularly important created the HIPAA Omnibus Rule, which became effective in September 2013. That rule made business associates directly responsible for maintaining HIPAA compliance.

You will notice on our site that HIPAA-compliant solutions are a primary point of focus for Atlantic.Net. We have extensive experience related to healthcare IT systems. Also, note that we’re an American company based in Orlando, Florida, offering HIPAA Hosting Services and blazing fast VPS hosting.

By Moazzam Adnan

Start Your HIPAA Project with a Free Fully Audited HIPAA Platform Trial!

HIPAA Compliant Compute & Storage, Encrypted VPN, Security Firewall, BAA, Offsite Backups, Disaster Recovery, & More!

Start My Free Trial

Looking for HIPAA Compliant Hosting?

We Can Help with a Free Assessment.

  • IT Architecture Design, Security, & Guidance.
  • Flexible Private, Public, & Hybrid Hosting.
  • 24x7x365 Security, Support, & Monitoring.
Contact Us Now!
Stevie Gold Award
Inc 500
Global Infosec 2021
28 Year logo
Ehla Badges 2021 Winner
Made In USA

SOC Audit HIPAA Audit HITECH Audit

Case Studies

White Papers


Recent Posts

How to Install and Use Composer on Oracle Linux 8
How to Install Sails.js Framework with Nginx as a Reverse Proxy on Oracle Linux 8
Are Data Breaches In The Cloud Getting Better Or Worse?
How to setup HTTP Strict Transport Security (HSTS) for Apache on Oracle Linux 8
How to Install Kanban Kanboard on Oracle Linux 8

Get started with 12 months of free cloud VPS hosting

Free Tier includes:
G3.2GB Cloud VPS Server Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year

New York, NY

100 Delawanna Ave, Suite 1

Clifton, NJ 07014

United States

San Francisco, CA

2820 Northwestern Pkwy,

Santa Clara, CA 95051

United States

Dallas, TX

2008 Lookout Dr,

Dallas, Texas 75044

United States

Ashburn, VA

1807 Michael Faraday Ct,

Reston, VA 20190

United States

Orlando, FL

440 W Kennedy Blvd, Suite 3

Orlando, FL 32810

United States

Toronto, Canada

20 Pullman Ct, Scarborough,

Ontario M1X 1E4


London, UK

14 Liverpool Road, Slough,

Berkshire SL1 4QZ

United Kingdom