
Lesson 07 of 25

Healthcare Privacy II: HIPAA Security, Breach & HITECH

5 min read · CIPP/US

The Security Rule's three safeguard families, the risk analysis keystone, HITECH's business-associate liability, and the breach four-factor test and sixty-day clock, with the encryption safe harbor the exam loves to test.

The Security Rule: protecting electronic PHI

  • Applies only to electronic PHI (ePHI)
  • Three safeguard families: administrative, physical, technical
  • Standards are scalable and risk-based
  • Required vs. addressable implementation specs

Where the Privacy Rule governs all PHI, the Security Rule governs only electronic PHI (ePHI), and the exam keeps that scope distinction sharp. The rule organizes protections into three safeguard families. Administrative safeguards are the policies and people: risk analysis, workforce training, access management, and a security officer.

Physical safeguards control the facilities and devices: locked server rooms, workstation security, and media disposal. Technical safeguards are the technology controls: access controls, audit logs, integrity checks, and transmission security such as encryption. Crucially, the standards are scalable: a small clinic and a national insurer both comply, but at different scales. And each implementation specification is either required or addressable, meaning you either implement it or document why an equivalent measure is reasonable.

Risk analysis is the keystone

  • Mandatory, ongoing risk analysis of ePHI
  • Drives which safeguards are reasonable and appropriate
  • Most common OCR enforcement finding: no/poor risk analysis
  • Encryption is addressable, but its absence must be justified

If the Privacy Rule's keystone is TPO (treatment, payment, and health-care operations), the Security Rule's keystone is the risk analysis, and it's a frequent right answer. Covered entities and business associates must conduct an accurate, thorough, ongoing assessment of the risks to their ePHI, and that analysis is what tells them which safeguards are reasonable and appropriate for their size and threats. In the real world, the most common enforcement finding from the HHS Office for Civil Rights is a missing or inadequate risk analysis.

Note a subtlety the exam likes: encryption is an addressable specification, not strictly required, but if you don't encrypt, you must document an equivalent safeguard and a justification. So when a question asks where compliance starts, the risk analysis is usually the answer.

HITECH extended HIPAA's reach

  • 2009 HITECH Act strengthened and expanded HIPAA
  • Made business associates directly liable
  • Created the federal Breach Notification Rule
  • Increased penalties and OCR enforcement

In 2009, the HITECH Act reshaped HIPAA, and the exam expects you to know what it changed. Before HITECH, business associates were bound mainly through their contracts; HITECH made them directly liable under HIPAA's Security Rule and parts of the Privacy Rule, so the vendor itself can now be penalized, not just the covered entity. HITECH also created the federal Breach Notification Rule we're about to cover, and it raised the penalty tiers and pushed the Office for Civil Rights toward more active enforcement and audits.

When a scenario turns on whether a vendor (a business associate) is itself directly on the hook, HITECH is the reason the answer is yes.

Breach notification: the four-factor test and timing

  • Breach presumed unless low probability of compromise
  • Four-factor risk assessment rebuts the presumption
  • Notify individuals without unreasonable delay, max 60 days
  • 500+ affected: notify HHS and the media promptly

The Breach Notification Rule has a structure the exam tests precisely. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the entity shows a low probability that the data was compromised, using a four-factor assessment: the nature and extent of the PHI, who used or received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated. If a breach is confirmed, individuals must be notified without unreasonable delay and no later than 60 days.

The thresholds matter: if fewer than 500 individuals are affected, you log it and report to HHS annually; if 500 or more, you must also notify HHS and prominent media in the area promptly. Note that lost data that was properly encrypted generally isn't a breach of unsecured PHI at all.
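To make the decision order concrete, here is an added Python sketch (not from the lesson, HHS, or any official tool) that walks an incident through the encryption safe harbor, the rebuttable four-factor presumption, and the notice thresholds. The incident fields, the ISO-date input, and the assumption that the 60-day clock starts at discovery are choices of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Figures as summarized in the lesson above.
INDIVIDUAL_NOTICE_MAX_DAYS = 60   # outer limit for notifying affected individuals
HHS_MEDIA_THRESHOLD = 500         # at or above this, notify HHS and media promptly


@dataclass
class FourFactorAssessment:
    """The documented four-factor analysis. The conclusion is the entity's own
    judgment; the rule presumes a breach, so this record is what rebuts it."""
    nature_and_extent: str          # what PHI, how identifiable, how sensitive
    recipient: str                  # who used or received the PHI
    acquired_or_viewed: bool        # was the PHI actually acquired or viewed?
    mitigation: str                 # e.g. recipient attested to destruction
    low_probability_of_compromise: bool


@dataclass
class Incident:
    discovered: str                 # ISO date the incident was discovered (assumed input)
    affected: int                   # number of individuals affected
    encrypted: bool                 # PHI encrypted consistent with HHS guidance
    key_compromised: bool = False   # key exposed too -> safe harbor does not apply
    assessment: Optional[FourFactorAssessment] = None


def notification_obligations(inc: Incident) -> dict:
    """Walk the decision in the order this example assumes the rule applies it:
    safe harbor first, then the rebuttable presumption, then notice duties."""
    # 1. Encryption safe harbor: properly encrypted data is not "unsecured PHI".
    if inc.encrypted and not inc.key_compromised:
        return {"reportable_breach": False, "reason": "encryption safe harbor"}
    # 2. Presumption of breach, rebutted only by a documented low-probability finding.
    if inc.assessment is not None and inc.assessment.low_probability_of_compromise:
        return {"reportable_breach": False, "reason": "four-factor assessment"}
    # 3. Confirmed breach of unsecured PHI: the 60-day clock runs from discovery (assumed).
    deadline = date.fromisoformat(inc.discovered) + timedelta(days=INDIVIDUAL_NOTICE_MAX_DAYS)
    large = inc.affected >= HHS_MEDIA_THRESHOLD
    return {
        "reportable_breach": True,
        "notify_individuals_by": deadline.isoformat(),
        "notify_hhs": "promptly" if large else "annual log",
        "notify_media": large,
    }
```

Note that the four-factor conclusion is an input here, not something the code decides: the rule leaves that judgment to the entity, and what matters for enforcement is that it is documented.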

Enforcement and the cost of getting it wrong

  • HHS Office for Civil Rights investigates and penalizes
  • Tiered civil penalties scale with culpability
  • State AGs can also enforce HIPAA (since HITECH)
  • Resolution agreements often require a corrective action plan

It's worth knowing what happens when HIPAA is violated, because the exam tests the enforcement structure. The Department of Health and Human Services, through its Office for Civil Rights, investigates complaints and breaches and can impose civil monetary penalties. Those penalties are tiered by culpability: a violation the entity didn't know about and couldn't have avoided sits at the lowest tier, while willful neglect that goes uncorrected sits at the highest, with much larger per-violation amounts.

Since HITECH, state attorneys general can also bring HIPAA enforcement actions, adding another enforcer. In practice, many matters resolve through a resolution agreement that pairs a settlement payment with a corrective action plan, under which the entity fixes the root cause while being monitored. So HIPAA enforcement mirrors the FTC pattern: investigate, penalize by culpability, and impose an ongoing program to prevent a repeat.

Exam reasoning: Privacy vs. Security vs. Breach

  • Privacy Rule = all PHI, uses/disclosures; Security Rule = ePHI safeguards
  • Breach Rule = what to do after the failure
  • Encryption can take data out of "unsecured PHI"
  • Distractor: a fixed 72-hour HIPAA deadline (that's GDPR)

Let's keep the three rules straight, because the exam blends them. The Privacy Rule is about who may use and disclose PHI, all of it. The Security Rule is about safeguarding the electronic subset, ePHI.

The Breach Notification Rule is about what happens after something goes wrong. A recurring trap mixes in a 72-hour deadline; that's the GDPR, not HIPAA. HIPAA's individual-notification clock is up to 60 days. Another trap forgets the encryption safe harbor: lose an encrypted laptop and you generally have no breach of unsecured PHI to report.

So match the facts to the right rule, watch the clock (60 days, not 72 hours), and remember the four-factor presumption. Recap: three safeguard families, risk analysis as keystone, HITECH's business-associate liability, and the breach timeline. Now go test yourself, then on to financial privacy.

