Atlantic.Net Blog

What Are HIPAA Compliance Rules and Guidelines?

Editorial Team
by Atlantic.Net, under HIPAA Compliant Hosting

If you’re looking at IT requirements for healthcare systems, a term that you will come across repeatedly is “HIPAA compliance.” This article talks about what HIPAA is, summarizes the basic HIPAA compliance rules, and briefly addresses a related act, HITECH.

  • HIPAA Explained
  • HIPAA Compliance Rules
  • What About HITECH Compliance?
  • HIPAA, HITECH, and Business Associates

HIPAA Explained

The Health Insurance Portability and Accountability Act (HIPAA) was passed by both houses of US Congress and signed into law by President Bill Clinton in 1996.

The act stated that regulations would be developed to serve a dual purpose:

  1. Streamline healthcare administration.
  2. Make sure that all health records of US citizens were kept private and secure.

“The Act required Congress to enact laws implementing these goals by 1999,” said the Oregon Association of Hospitals and Health Systems (OAHHS). “When Congress failed to do so, DHHS stepped in and began promulgating regulations.”

When an IT service or healthcare organization describes itself as “HIPAA compliant,” that simply means that it is following the HIPAA compliance guidelines established within the law to safeguard the medical records (specifically the protected health information (PHI) delineated by HIPAA) of American patients.

Healthcare organizations must stay compliant because they are considered covered entities, while IT companies and others must be compliant as business associates of healthcare organizations. Covered entities include healthcare providers (doctors, hospitals), health plans (insurance carriers, company health plans), and health data clearinghouses. Business associates include any organizations and individuals that come into contact with the data, including technology service providers (e.g., web hosting firms), accountants, and shredding companies.

Covered entities and business associates must sign business associate agreements that formalize their relationship: the tasks to be performed by the business associate and its responsibilities pertaining to the protected health information. It should be noted that there is an exemption for certain companies, called the mere conduit exemption, that hosting companies and other organizations often wrongly believe applies to them. The exemption is for companies that only store health data temporarily or make incidental contact with it while it is in transit, such as Internet service providers and paging businesses.

“The key difference between a conduit and Business Associate is the transient versus persistent nature of the opportunity to view the PHI,” explained attorneys Linda McReynolds and Ronald Quirk. “To qualify as a conduit, a service provider must ensure that PHI is only temporarily stored. It is irrelevant whether the service provider actually views the PHI.”

HIPAA Compliance Rules

There are three basic sections to the regulations, which are largely overseen by the Office for Civil Rights (OCR), an agency within the Department of Health and Human Services (DHHS or HHS):

  1. Standards for healthcare transactions
  2. The HIPAA Privacy Rule
  3. The HIPAA Security Rule

Standards for healthcare transactions

These guidelines were essentially an effort to make all transactions fit within a uniform framework. They became enforceable on October 16, 2000. However, the rules gave covered entities (the providers, plans, and clearinghouses described above) until October 16, 2002 to develop an appropriate plan of action. The true, final point at which HIPAA compliance became nonnegotiable was October 2003.

The HIPAA Privacy Rule

This rule, which is actually a broad set of guidelines, outlines the requirements of healthcare companies related to privacy, such as disclosure of health-related personally identifiable information and instructions for giving privacy notices to patients. According to OAHHS, it also detailed the manner in which organizations must “obtain consent and authorization for use of information and tell how information is generally shared and how patients can access, inspect, copy, and amend their own medical record.”

These stipulations became binding in April 2001.

Here are a few of the most important elements for providers:

  • Privacy notice guidelines
  • Rules related to patients opting out
  • “Requirements for minimum necessary”
  • Administrative safeguards
  • The responsibilities of partner organizations (see HITECH information below).

The HIPAA Security Rule

This rule (again, a set of regulations) specifically states what must be done administratively and what HIPAA physical safeguards must be implemented by firms in order to maintain compliance. The objective of both the administrative and physical safeguards was to make certain that all PHI was of high integrity (i.e., not lost or manipulated) and was kept away from any unauthorized parties. April 2005 was the date by which companies had to achieve compliance with this rule.

What About HITECH Compliance?

Similar federal legislation that’s of importance to healthcare organizations is the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). “It was passed as a monetary incentive plan for hospitals to begin converting to electronic health records,” explained the American Bar Association. Although “the idea was for any hospital to be able to access all of your medical records” – with the basic goal of interoperability – privacy and security concerns have limited that fundamental objective.

HIPAA, HITECH, and Business Associates

One section of HITECH that was particularly important created the HIPAA Omnibus Rule, which became effective in September 2013. That rule made business associates directly responsible for maintaining HIPAA compliance.

You will notice on our site that HIPAA compliant solutions are a primary point of focus for Atlantic.Net. We have extensive experience related to healthcare IT systems. Also, note that we’re an American company, based in Orlando, Florida offering HIPAA Hosting Services on blazing fast Virtual Private Servers.

By Moazzam Adnan
