Lesson 2: What are the 3 major rules of HIPAA?

You must first complete Lesson 1: What is HIPAA before viewing this Lesson

Lesson Goal


For you to become familiar with the major components of HIPAA, including the Privacy Rule, The Security Rule and the Minimum Necessary Rule.

Lesson Summary


HIPAA contains many different parts. The parts most relevant to typical organizations are the Privacy Rule, the Security Rule and the Minimum Necessary Rule. The Privacy Rule establishes the proper way to handle data that is considered sensitive, regardless of the format the data is in. The Security Rule focuses on the proper ways to handle electronic health data. The Minimum Necessary Rule establishes a conservative approach to how much PHI is used for specific purposes.

The Big Topics in This Lesson


1- The Privacy Rule

The information under this topic covers general rules on what is considered Protected Health Information, who can access it, and when patient authorization is needed.

2- The Security Rule

The information under this topic addresses rules related to the access, use and management of PHI in electronic formats.

3- The Minimum Necessary Rule

The information under this topic covers guidelines and rules related to using the least amount of PHI necessary.

Lesson Q & A


Q1: What does the Privacy Rule do?


The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) regulates the use and disclosure of any information held by a covered entity that concerns health status, provision of health care, or payment for health care and that can be linked to an individual.

At a high level, the Privacy Rule includes:

  • Rules related to the use and disclosure of Protected Health Information (PHI)
  • Guidelines for electronic data transmission of patient data
  • Guidelines on limiting internal employee access to PHI (see also the Minimum Necessary rule)
  • Patient rights to their own medical records and ways they can make corrections to them
  • Rules requiring patient consent for use of their PHI in marketing communications


The Privacy Rule also requires that patients be notified of sharing and breaches. When the patient feels compliance with privacy standards has not been met, they also have a process they can use to file complaints.

In addition to responding to patient requests for PHI, covered entities must comply with written disclosure requests for legal enforcement purposes, such as court orders, court-ordered warrants, and subpoenas.

Q2: What is the Security Rule?


The HIPAA Security Rule focuses on electronic PHI (e-PHI). The Privacy Rule covers all types of PHI (paper, electronic, oral).

There are 3 main parts to the Security Rule:

  • Administrative safeguards - Covered Entities must have security officers, appropriate training and policies
  • Physical safeguards - Data must be stored using secure equipment with the right backups and access controls
  • Technical safeguards - considered the “nuts and bolts” of the Security Rule. This includes things like access control, audit controls (for a record of access to data) and transmission security.

Q3: Who needs to comply with the Security Rule?



All Covered Entities and business associates must comply with the HIPAA Security Rule.

Q4: How is minimum necessary defined?


Over the course of using the healthcare system, individuals provide a lot of different personal information, and a lot of diagnosis and procedure information is recorded. Some of this information is relevant to one covered entity while not being required for another to deliver services or care. The Minimum Necessary Rule (also called the Minimum Necessary Standard) is intended to limit the transfer and use of a patient’s personal information to what is necessary to achieve the approved objectives for use of the data. These standards limit the casual transfer of entire records internally or between covered entities, thus preventing the unintended disclosure or use of protected information.

The Minimum Necessary Standard does not apply under some situations. These include:

  • Disclosures to or requests by a health care provider for treatment purposes.
  • Disclosures to the individual who is the subject of the information.
  • Uses or disclosures made pursuant to an individual’s authorization.
  • Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
  • Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
  • Uses or disclosures that are required by other law.

Q5: How does an entity determine who should have access to PHI?


Under HIPAA, all covered entities should be aware of the Minimum Necessary Rule and recognize its value in protecting both their organization and the patient. Procedures and policies should be established and implemented for both routine and non-routine handling of PHI. Each covered entity is expected to assess how best to protect patient information using professional judgment and standards.

Steps toward determining who should have access to patient health information include:

  • Formal process development
  • Job function assessments that identify the data required and frequency of access
  • Consolidation of job duties to minimize number of individuals needed to access the data
  • Installation of security protections on PHI by job function, via passwords or restricted physical access to files
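The steps above produce, in practice, a per-job-function list of the PHI fields each role needs, enforced by access control and recorded by audit controls (the technical safeguards named in Q2). The following is an added illustration, not code from the lesson or the training provider: the roles, field lists and patient record are constructed for the example, and a real covered entity would derive its own role-to-field mapping from its job function assessment.

```python
"""Minimum-necessary access to PHI by job function (added example).

Roles, field lists and the patient record below are constructed for illustration;
they are not taken from the lesson or any real organization's policy.
"""
from datetime import datetime, timezone

# Constructed sample record: a single fictional patient.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1980-01-01",
    "address": "1 Example Street",
    "insurance_id": "INS-0001",
    "diagnosis": "example diagnosis",
    "procedures": ["example procedure"],
    "billing_amount": 120.0,
}

# Output of a (hypothetical) job function assessment: the fields each role
# needs to do its work, and nothing more. Each entry is an assumption.
ROLE_FIELDS = {
    "treating_clinician": {"patient_id", "name", "dob", "diagnosis", "procedures"},
    "billing_clerk": {"patient_id", "name", "insurance_id", "billing_amount"},
    "front_desk": {"patient_id", "name", "dob", "address"},
}

# Audit control: one entry per access attempt, whether granted or refused.
AUDIT_LOG = []


def _audit(user, role, purpose, patient_id, returned, denied, outcome):
    """Append an audit record so every access to e-PHI can be reviewed later."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "purpose": purpose,
        "patient_id": patient_id,
        "fields_returned": sorted(returned),
        "fields_denied": sorted(denied),
        "outcome": outcome,
    })


def access_phi(user, role, record, purpose, fields=None):
    """Return only the fields the caller's job function is allowed to see.

    `fields` is the set the caller asked for; when omitted, the caller gets the
    full set its role permits. Anything outside the role's permitted set is
    silently withheld from the result but recorded in the audit log, and an
    unknown role is refused outright.
    """
    permitted = ROLE_FIELDS.get(role)
    if permitted is None:
        _audit(user, role, purpose, record.get("patient_id"), (), fields or (), "refused")
        raise PermissionError(f"no PHI access defined for job function {role!r}")

    requested = set(fields) if fields is not None else set(permitted)
    granted = requested & permitted
    denied = requested - permitted

    result = {name: record[name] for name in granted if name in record}
    _audit(user, role, purpose, record.get("patient_id"), result, denied, "granted")
    return result


def denied_fields_last_access():
    """Fields withheld on the most recent access attempt (for review or alerting)."""
    return AUDIT_LOG[-1]["fields_denied"] if AUDIT_LOG else []


if __name__ == "__main__":
    # A billing clerk never sees the diagnosis, even when asking for the whole record.
    print(access_phi("alice", "billing_clerk", PATIENT_RECORD, "claim submission"))
    # A front-desk user asking for a diagnosis gets only the fields the role allows;
    # the withheld field shows up in the audit log for review.
    print(access_phi("bob", "front_desk", PATIENT_RECORD, "check-in", fields={"name", "diagnosis"}))
    print(denied_fields_last_access())
```

Two design choices are worth noting: the role-to-field mapping is data, so the formal process in the steps above can update it without code changes, and refusals are logged before the exception is raised, so a review of the audit log shows attempts, not only successes.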

It is essential to determine these sharing policies internally as well as with other covered entities and business associates. The Minimum Necessary Standard indicates that liability can be placed on both the business associate and the covered entity when violations occur.


Ready for the Lesson Progress Quiz?


When you are ready to take the quiz, click the button below. You must pass the quiz to move on to the next lesson.
